Add ability to further limit which client certificates to trust for incoming mTLS connections #181
Labels: scheduled (We agree this change makes sense and plan to work on it ourselves at some point.)
Issue
There is no way to limit the client certificates that are trusted to only those the operator configures.
Currently, when validating client connections to the Gorouter, the Gorouter always trusts all the system certs installed on the stemcell, in addition to the certificates configured by the operator. The certificates the operator configures are also used for connections to backends and route services.
Affected Versions
All current versions of routing-release
Context
When the Gorouter is configured to request or require client certificates by setting the `router.client_cert_validation` spec property to `request` or `require`, it currently trusts the union of the CA certs configured in `router.ca_certs` along with the certs loaded from the system that are installed on the stemcell, per the logic here in router/router.go (which also looks like it may be duplicated here in config/config.go). The certs on the stemcells are numerous, and arguably mainly intended to establish what servers to trust for outbound connections.
Similarly, the `router.ca_certs` property is used not only for adding certs to the list of client certs to trust, per the above, but also to the list of what certs to trust for outbound connections to route services in this tlsConfig. The same pool is also used to configure what certs to trust for connections to other backends (application instances and platform components) in the backendTlsConfig.
While separating all these concerns may ultimately be desirable, the main request here is to limit which certificates are trusted for incoming client connections.
Possible Fixes

Option 1: Add `router.client_ca_certs` property
- If the `router.client_ca_certs` property is set, only the certs configured in it are trusted for incoming client connections.
- Otherwise, the Gorouter trusts `router.ca_certs` plus the system certs as it does now.
- `router.ca_certs` continues to be used for outbound connections to backends and route services in all cases.

Option 2: Add `router.trust_well_known_ca_certs` property
- Add `router.trust_well_known_ca_certs` property (default: `true`).
- When `true`, behavior is the same as it is today.
- When `false`, only the certs configured in `router.ca_certs` are loaded as trusted client certs.
- `router.ca_certs` continues to be used for outbound connections to backends and route services in all cases.

Option 3: Add `router.client_ca_certs` property and `router.only_trust_client_ca_certs`
- Add `router.client_ca_certs` property.
- `router.ca_certs` and system certificates are still trusted for client requests, controlled by a new `router.only_trust_client_ca_certs` property (default: `false`).
- When `false`, all the certs in `router.ca_certs`, `router.client_ca_certs`, plus the local system store are trusted client certificates. This maintains backward compatibility.
- When `true`, only the certs configured in `router.client_ca_certs` are loaded as trusted client certs.
- `router.ca_certs` continues to be used for outbound connections to backends and route services in all cases.

Examples:
- With `only_trust_client_ca_certs: false`, all the certs in `router.ca_certs`, `router.client_ca_certs`, plus the local system store are trusted client certificates.
- With `only_trust_client_ca_certs: true`, only the certs configured in `router.client_ca_certs` are loaded as trusted client certs.
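Option 3 sketched in Go, as an added example rather than routing-release's own code: `ClientCAConfig`, `BuildClientCAPool`, `TrustedForClientAuth` and `NewCA` are hypothetical names, the config fields stand in for the three spec properties, and the returned pool is what would be handed to `tls.Config.ClientCAs`. With the flag off it reproduces today's union of the stemcell store and both bundles; with it on, the system store is never consulted, and a malformed bundle is an error instead of a silently empty trust list.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// ClientCAConfig stands in for the Option 3 spec properties (hypothetical field names).
type ClientCAConfig struct {
	CACerts                []byte // PEM bundle: router.ca_certs
	ClientCACerts          []byte // PEM bundle: router.client_ca_certs
	OnlyTrustClientCACerts bool   // router.only_trust_client_ca_certs
}
// BuildClientCAPool builds the pool for tls.Config.ClientCAs: false keeps today's union of system store + ca_certs + client_ca_certs, true trusts client_ca_certs alone.
func BuildClientCAPool(cfg ClientCAConfig) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	if !cfg.OnlyTrustClientCACerts {
		var err error // SystemCertPool hands back a private copy of the stemcell store
		if pool, err = x509.SystemCertPool(); err != nil {
			return nil, err
		}
		if len(cfg.CACerts) > 0 && !pool.AppendCertsFromPEM(cfg.CACerts) {
			return nil, errors.New("router.ca_certs: no valid PEM certificate")
		}
	}
	if len(cfg.ClientCACerts) > 0 && !pool.AppendCertsFromPEM(cfg.ClientCACerts) {
		return nil, errors.New("router.client_ca_certs: no valid PEM certificate")
	}
	return pool, nil
}
// TrustedForClientAuth is the verdict the handshake reaches for a client whose chain ends at cert.
func TrustedForClientAuth(pool *x509.CertPool, cert *x509.Certificate) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}
// NewCA mints a throwaway self-signed CA (constructed test input, not real trust material).
func NewCA(cn string) (*x509.Certificate, []byte) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	cert, _ := x509.ParseCertificate(der)
	return cert, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```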