@oleorhagen also note PKCS11 not working on mender client with TPM - #4 by sandevins
I dont think you can override your API direct provider from a cnf definition. But then, I dont know that with certainty; maybe we need to do a bit of verification?
I would note a couple things that are specific to our use, and may not perturb anyone else’s deployments: in the implementation you have described, if one of our installations requires proxy without passthrough, then we’re out of luck, because the mender client cant be dynamically configured to use our customers provider(s). This is particularly finicky with our FIPS/gov clients.
Further, if a critical vulnerability is discovered in a suite, there is no remediation I can perform. This has a direct impact on our published business continuity and disaster recovery plans.
At any rate, I feel like the missions of v3 was flexibility, as long as that intention isnt crippled by your implementation ¯_(ツ)_/¯
To be honest, Im mostly happy to see someone is digging into this at all
Thanks, great feedback! I have changed it to do implicit loading of the providers now, so that the providers will have to be loaded through the cnf, same as for the Engines.
It even seems to be working But one never really knows until it goes through battle I guess
Hmm, why not? Can you not give a custom ssl cnf to the client?