
Implementing SSL certificate validation for LDAP authentication. #8569

Merged
mpfz0r merged 5 commits into master from issue-5906 on Jul 23, 2020

Conversation

dennisoelkers
Member

@dennisoelkers dennisoelkers commented Jul 17, 2020

Description

Motivation and Context

Note: This needs a backport to v3.3.x

Before this change, SSL certificates used to secure the connection between Graylog and an LDAP server used for authentication over an SSL/TLS-secured connection were not validated, even if the Allow self-signed certificates option was left unchecked.

This change implements SSL certificate validation by configuring a trust manager that uses the default keystore to validate certificates against. In addition, it consolidates the different places where the LdapConnectionConfig was created.

Fixes #5906.

How Has This Been Tested?

Screenshots (if appropriate):

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Refactoring (non-breaking change)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • My code follows the code style of this project.
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have read the CONTRIBUTING document.
  • I have added tests to cover my changes.
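The following is an added example, not code from this pull request or from Graylog: it sketches how an LdapConnectionConfig (Apache Directory LDAP API) can be built so that the "allow self-signed certificates" flag actually decides which trust manager is installed. The helper and parameter names (defaultTrustManagers, buildConfig, allowSelfSigned) are assumptions made for this illustration; what it shows is the general pattern the description refers to: validating server certificates against the JVM's default truststore unless the operator has explicitly opted out.

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.apache.directory.ldap.client.api.LdapConnectionConfig;
import org.apache.directory.ldap.client.api.NoVerificationTrustManager;

/**
 * Added example (hypothetical, not Graylog's implementation): build an
 * LdapConnectionConfig whose TLS trust decision follows the
 * "allow self-signed certificates" setting.
 */
public final class LdapTlsConfigExample {

    /**
     * Trust managers backed by the JVM's default truststore
     * (cacerts, or whatever javax.net.ssl.trustStore points at).
     */
    static TrustManager[] defaultTrustManagers() throws NoSuchAlgorithmException, KeyStoreException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        // Initialising with a null KeyStore makes the factory load the default truststore.
        tmf.init((KeyStore) null);
        TrustManager[] trustManagers = tmf.getTrustManagers();
        for (TrustManager tm : trustManagers) {
            if (tm instanceof X509TrustManager) {
                return trustManagers;
            }
        }
        throw new IllegalStateException("default truststore yielded no X509TrustManager");
    }

    /**
     * One place that creates the connection config, instead of several copies
     * that may drift apart (the consolidation the PR description mentions).
     */
    static LdapConnectionConfig buildConfig(String host, int port,
                                            boolean useSsl, boolean useStartTls,
                                            boolean allowSelfSigned,
                                            String bindDn, String bindPassword)
            throws NoSuchAlgorithmException, KeyStoreException {
        LdapConnectionConfig config = new LdapConnectionConfig();
        config.setLdapHost(host);
        config.setLdapPort(port);
        config.setUseSsl(useSsl);      // LDAPS: TLS from the first byte
        config.setUseTls(useStartTls); // StartTLS upgrade on a plain port
        config.setName(bindDn);
        config.setCredentials(bindPassword);

        if (useSsl || useStartTls) {
            if (allowSelfSigned) {
                // Explicit opt-out: NoVerificationTrustManager accepts any certificate,
                // so this is only acceptable when the operator has chosen it knowingly.
                config.setTrustManagers(new NoVerificationTrustManager());
            } else {
                // Default: the server certificate must chain to a CA in the JVM truststore.
                // This is the branch that was effectively missing before the fix.
                config.setTrustManagers(defaultTrustManagers());
            }
        }
        return config;
    }
}
```

Two practical notes. NoVerificationTrustManager disables chain validation entirely, not just for self-signed certificates, so an installation that leaves the option enabled is no better off than before the fix. The safer route, and the one the reviewer used to test this change, is to leave the option unchecked and import the LDAP server's certificate into the JVM truststore, e.g. `keytool -importcert -trustcacerts -alias ldap-server -file ldap-server.pem -keystore /path/to/cacerts`, with the path and alias being placeholders for the deployment's own values.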

@dennisoelkers dennisoelkers marked this pull request as ready for review July 17, 2020 11:28
@mpfz0r mpfz0r self-assigned this Jul 23, 2020
Contributor

@mpfz0r mpfz0r left a comment


LGTM.
Tested with https://github.com/Fmstrat/samba-domain and importing the self-signed cert into the jks keystore.

@mpfz0r mpfz0r merged commit bdd0808 into master Jul 23, 2020
@mpfz0r mpfz0r deleted the issue-5906 branch July 23, 2020 16:16
@mpfz0r
Contributor

mpfz0r commented Jul 23, 2020

@bernd This change should be mentioned in the release notes, as this might break customer setups.

@bernd bernd added this to the 3.3.3 milestone Jul 23, 2020
@bernd
Member

bernd commented Jul 24, 2020

@mpfz0r @dennisoelkers Thanks for the heads-up. Can one of you create an update for the UPGRADING.rst file for 4.0?

@fadenb

fadenb commented Jul 27, 2020

Will this be part of 3.3.3 release?

As I know of several setups that will break when this behavior is changed I hope it will not be part of a minor release without some highly visible warning and/or opt-in.

@dennisoelkers
Member Author

dennisoelkers commented Jul 27, 2020

@fadenb: We do not include breaking changes in minor/patch releases. In this case we do, as it is a security-related bugfix. We are aware that it might break setups which were configured incorrectly before this change, but do consider it to be required for secure operations. The upgrade notes for 3.3.3 and 4.0 will both include an entry about this being a breaking change.

Successfully merging this pull request may close these issues.

LDAP connector does not verify TLS certificates