Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add ability to further limit which client certificates to trust for incoming mTLS connections #181

Closed
mcwumbly opened this issue Sep 15, 2020 · 2 comments
Closed

Add ability to further limit which client certificates to trust for incoming mTLS connections #181

mcwumbly opened this issue Sep 15, 2020 · 2 comments
Labels
scheduled We agree this change makes sense and plan to work on it ourselves at some point.

Comments

@mcwumbly
Copy link
Contributor

mcwumbly commented Sep 15, 2020
edited

Issue

There is no way to limit the what client certificates are trusted only to those one configures.

Currently, when validating client connections to the Gorouter, the Gorouter always trusts all the system certs installed on the stemcell, in addition to those certificates configured by the operator. The certificates the operator configures are also used for connections to backends and route services.

Affected Versions

All current versions of routing-release

Context

When the Gorouter is configured to request or require client certificates by setting the router.client_cert_validation spec property to request or require, it currently trusts the union of the CA certs configured in router.ca_certs along with the certs loaded from the system that are installed on the stemcell, per the logic here in router/router.go (which also looks like it may be duplicated here in config/config.go).

The certs on the stemcells are numerous, and arguably mainly intended to establish what servers to trust for outbound connections.

Similary, the router.ca_certs property is used not only for adding certs to the list of client certs to trust, per the above, but also to the list of what certs to trust for outbound connections to route services in this tlsConfig.

The same pool is also used to configure what certs to trust for connections to other backends (application instances and platform components) in the backendTlsConfig.

While separating all these concerns may ultimately be desirable, the main request here is to limit which certificates that are trusted for incoming client connections.

Possible Fixes

Option 1: Add router.client_ca_certs property

  1. Operators can configure which client certificates Gorouter trusts with a new router.client_ca_certs property
  2. If set, Gorouter only trusts these client certificates; do not load system certs for the TLS config used for incoming client connections.
  3. If not set, Gorouter trusts union of system certs and router.ca_certs as it does now.
  4. Route services continue to trust certs based on union of system certs and router.ca_certs in all cases.

Option 2: Add router.trust_well_known_ca_certs property

  1. Operators can configure whether system certificates are trusted with a new router.trust_well_known_ca_certs property (default: true)
  2. When true, behavior is the same as it is today.
  3. When false, only the certs configured in router.ca_certs are loaded as trusted client certs
  4. Route services continue to trust certs based on union of system certs and router.ca_certs in all cases.

Option 3: Add router.client_ca_certs property and router.only_trust_client_ca_certs

  1. Operators can configure which client certificates Gorouter trusts with a new router.client_ca_certs property
  2. Operators can also configure whether the existing router.ca_certs and system certificates are still trusted for client requests with a new router.only_trust_client_ca_certs property (default: false)
  3. When false, all the certs in router.ca_certs, router.client_ca_certs, plus the local system store are trusted client certificates. This maintains backward compatibility.
  4. When true, only the certs configured in router.client_ca_certs are loaded as trusted client certs
  5. Route services continue to trust certs based on union of system certs and router.ca_certs in all cases.

Examples:

With only_trust_client_ca_certs: false, all the certs in router.ca_certs, router.client_ca_certs, plus the local system store are trusted client certificates.

router:
  ca_certs: |
   a-cert-named-apple
   a-cert-named-banana
  client_ca_certs: |
   a-cert-named-cucumber
  only_trust_client_ca_certs: false

curl --cert apple.crt --key apple.key https://dora.example.com/
# OK

curl --cert some-stemcell-trusted-cert.crt --key some-stemcell-trusted-cert.key https://dora.example.com/
# OK

curl --cert cucumber.crt --key cucumber.key https://dora.example.com/
# OK

With only_trust_client_ca_certs: true, only the certs configured in router.client_ca_certs are loaded as trusted client certs

router:
  ca_certs: |
   a-cert-named-apple
   a-cert-named-banana
  client_ca_certs: |
   a-cert-named-cucumber
  only_trust_client_ca_certs: true

curl --cert apple.crt --key apple.key https://dora.example.com/
# FAIL

curl --cert some-stemcell-trusted-cert.crt --key some-stemcell-trusted-cert.key https://dora.example.com/
# FAIL

curl --cert cucumber.crt --key cucumber.key https://dora.example.com/
# OK
@rhall-pivotal rhall-pivotal added the scheduled We agree this change makes sense and plan to work on it ourselves at some point. label Sep 21, 2020
@mcwumbly
Copy link
Contributor Author

We added another option above (Option 3), which is what we're currently planning to do.

jrussett added a commit that referenced this issue Dec 7, 2020
@jrussett
Update Limiting Trusted CAs for Gorouter
d4797d1 
- Marks that this feature was released in `0.210.0`

see #181
[#175826409](https://www.pivotaltracker.com/story/show/175826409)
@jrussett
Copy link
Contributor

jrussett commented Dec 7, 2020

This issue was addressed and released in routing-release 0.210.0.

@jrussett jrussett closed this as completed Dec 7, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
scheduled We agree this change makes sense and plan to work on it ourselves at some point.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@mcwumbly @rhall-pivotal @jrussett