wip rsa-ecc proxy

cluster/prod/app/email/integration/README.md

@@ -0,0 +1,23 @@
+# Email
+
+## TLS TLS Proxy
+
+Required for Android 7.0 that does not support elliptic curves.
+
+Generate a key:
+
+```bash
+openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes -keyout rsa.key -out rsa.crt -subj "/CN=imap.deuxfleurs.fr" -addext "subjectAltName=DNS:smtp.deuxfleurs.fr"
+```
+
+Run the command:
+
+```bash
+./integration/proxy.sh imap.deuxfleurs.fr:993 1993
+```
+
+Test it:
+
+```bash
+openssl s_client localhost:1993
+```

cluster/prod/app/email/integration/tls-tls-proxy.sh

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+UPSTREAM=$1
+PROXY_PORT=$2
+socat -dd \
+"openssl-listen:${PROXY_PORT},\
+reuseaddr,\
+fork,\
+cert=/tmp/tls-tls-proxy/rsa.crt,\
+key=/tmp/tls-tls-proxy/rsa.key,\
+verify=0,\
+bind=0.0.0.0" \
+"openssl:${UPSTREAM},\
+verify=0"

cluster/prod/app/email/secrets.toml

@@ -21,3 +21,12 @@ password_secret = "email/sogo/ldap_bindpw"
 type = 'user'
 description = 'SoGo postgres auth (format: sogo:<password>) (TODO: replace this with two separate files and change template)'
 
+# ---- TLS TLS PROXY ---
+
+[secrets."email/tls-tls-proxy/rsa.crt"]
+type="user"
+description="PEM encoded file containing the RSA certificate"
+
+[secrets."email/tls-tls-proxy/rsa.key"]
+type="user"
+description="PEM encoded file containing the RSA key"

cluster/staging/app/core/deploy/core-system.hcl

@@ -121,7 +121,7 @@ EOH
         data = <<EOH
 TRICOT_NODE_NAME={{ env "attr.unique.consul.name" }}
 TRICOT_LETSENCRYPT_EMAIL=alex@adnab.me
-TRICOT_ENABLE_COMPRESSION=true
+#TRICOT_ENABLE_COMPRESSION=true
 TRICOT_CONSUL_HOST=https://localhost:8501
 TRICOT_CONSUL_CA_CERT=/etc/tricot/consul-ca.crt
 TRICOT_CONSUL_CLIENT_CERT=/etc/tricot/consul-client.crt