TLS_Call home display secure information like serverkey, certificate #1733
manmohanpatel2005
started this conversation in
General
Replies: 2 comments
-
NC TLS stack means server_opts. memory chunk
-
Hi,

We upgraded netopeer2 from 1.1.77 to 2.2.28.
We observed that

```c
nc_server_tls_set_server_cert_clb(np2srv_cs_dev_cert_cb, NULL, NULL);
nc_server_tls_set_trusted_cert_list_clb(np2srv_cs_dev_cert_list_cb, NULL, NULL);
```

the above CLBs are removed, so now the latest version expects these values to be inserted into the NC and TLS stack through the tls_keystore and key_truststore XML files.
In the old version, dummy values of keys and certificates were being inserted in the NC and TLS stack, and the above CLBs were taking care of the certificate pointers during TLS connection establishment.
`sysrepocfg -X` displays this secure information; we need to avoid displaying it.
We tried to add it to the NC TLS stack through the code below:
```c
/* new truststore client CA cert */
ret = nc_server_config_add_truststore_cert(ctx, "cacerts", "rootcacert", RU_CONF_KEYCERT_FILE_DEVICE_ROOT_CA_CERT, &data);
if (ret != 0) VRB("FAIL:%s:line:%d", __FUNCTION__, __LINE__);
ret = nc_server_config_add_truststore_cert(ctx, "cacerts", "subcacert", RU_CONF_KEYCERT_FILE_DEVICE_SUB_CA_CERT, &data);
if (ret != 0) VRB("FAIL:%s:line:%d", __FUNCTION__, __LINE__);
ret = nc_server_config_add_truststore_cert(ctx, "cacerts", "ln2examplecert", "/etc/Netopeer2/netopeer2-dev-tls-config/serverca.pem", &data);
if (ret != 0) VRB("FAIL:%s:line:%d", __FUNCTION__, __LINE__);
ret = nc_server_config_add_truststore_cert(ctx, "cacerts", "np2examplecert", "/etc/Netopeer2/netopeer2-dev-tls-config/Neto2ca.pem", &data);
if (ret != 0) VRB("FAIL:%s:line:%d", __FUNCTION__, __LINE__);

/* new keystore ref for the TLS server cert */
ret = nc_server_config_add_ch_tls_keystore_ref(ctx, client_name, endpt_name, "serverkey", "servercert", &data);
if (ret != 0) VRB("FAIL:%s:line:%d", __FUNCTION__, __LINE__);

/* new truststore ref for the client CA cert */
ret = nc_server_config_add_ch_tls_ca_cert_truststore_ref(ctx, client_name, endpt_name, "cacerts", &data);
if (ret != 0) VRB("FAIL:%s:line:%d", __FUNCTION__, __LINE__);

/* configure the server based on the data */
ret = nc_server_config_setup_data(data);
if (ret != 0) VRB("FAIL:%s:line:%d", __FUNCTION__, __LINE__);
```
But this "data" is not part of the dispatch ctx_cb_data, so it looks like the NC and TLS stack is using the keystore certificate XML values.

```c
nc_connect_ch_client_dispatch(client_name, np2srv_acquire_ctx_cb, np2srv_release_ctx_cb, np2srv.sr_conn, np2srv_new_session_cb, NULL);
```

Can someone suggest how to achieve this in this version?