New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Separate TLS config for AcraConnector and DB #419
Conversation
We are going to need more values from ProxySetting so instead of accepting additional arguments for them, take ProxySetting directly in constructors.
It is a reasonable option for AcraConnector and database to have different TLS configurations. Instead of using a single one, teach proxies to use two independent configurations from settings.
Now, actually accept and store separate configurations in settings used by connection proxies.
In addition to common "--tls_ca" option, accept "--tls_ca_client" and "--tls_ca_database" options to configure individual sides of the proxied connection. If new options are specified, they take priority. This makes it possible for AcraConnector and database to have completely separate private CAs issue their certificates.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks inspiring
Great, thanks! Will it be too complex to add a separate configuration for |
Will do, refactoring should |
In addition to CA options, add "tls_auth_client" and "tls_auth_database" which override the common "tls_auth" option, setting the level of TLS connection authentication.
@shadinua, here you go. There are now new options For example, you might leave the default value of The common option is still there in case we'd need to add more TLS configs later, like with CA. Right now it can make more sense to configure client and database explicitly, rather than configuring this, say, for the client and for everyone else. |
Suggested-by: vixentael <vixentael@users.noreply.github.com>
Use common "tls_client" and "tls_database" namespaces for new specific TLS options.
The old option is still accepted but deprecated. The new "tls_database_sni" option will override "tls_db_sni".
Instead of using database hostname or SNI, just skip the server name entirely. AcraConnector's TLS configuration is used to accept connections from AcraConnectors, so ServerName is irrelevant there.
Introduce "tls_{client,database}_{cert,key}" options too, allowing AcraServer to use different certifcates for AcraConnector and database connections. With this, TLS configurataion is now completely separated. It is possible to configure AcraConnector and database TLS connections separately if necessary, but there is also a common option set if that is more convenient.
After some discussion we have decided to split the remaining options as well. That is, it is possible to set the keys and certificates independently as well. That way we can have different AcraConnector and database TLS configurations if necessary (and there are still common options in case the configuration can be shared). Given that, the original names for new options were suboptimal. They have been updated for better namespacing:
The |
I don't quite like that |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks a lot from infrastructure team! :)
Co-authored-by: vixentael <vixentael@users.noreply.github.com>
Looks amazing, let's merge and use! |
Suggested-by: Anatolii Lishchynskyi <anatolii.lishchynskyi@cossacklabs.com>
Currently AcraServer uses only one TLS configuration for everything. This means, in particular, that both AcraConnector and DB are expected to use the same private CA, if root certificates are not available in the system certificate store. This is not always the case, and it would be nice to allow separate TLS configurations.
This PR adds several new options:
tls_client_ca
tls_ca
tls_client_cert
tls_cert
tls_client_key
tls_key
tls_client_auth
tls_auth
tls_database_ca
tls_ca
tls_database_cert
tls_cert
tls_database_key
tls_key
tls_database_auth
tls_auth
tls_database_sni
tls_db_sni
New options override old options. The old options still remains not deprecated, they might be useful as a shortcut.
This required a refactoring to split the TLS configuration,
so in the future it will be possible to have more specific configuration (think, different allowed authentication modes, cryptosuites, TLS versions, etc.)which allowed to easily split the configuration.There are no integration tests for this option currently. (Do we need them?) I have tested it manually, with recently updated certificates. The timing could not have been better...