Improve usability for TLS usage and setup #6817

Open
huslage opened this Issue Jul 2, 2014 · 7 comments


@huslage
Contributor
huslage commented Jul 2, 2014

Right now it is very complicated and problematic for a user to create all of the certificates required to secure Docker.

@discordianfish wrote a Dockerfile to show the entire process: https://gist.github.com/discordianfish/1d2bbc5bf2d94fee147b

It turns out that repeatability is a big deal. If I make certs on my mac and import them into boot2docker, for instance, there are "Bad Certificate" errors on the client side.

We need to provide built-in tooling for generating keys for basic security out-of-the-box, while still allowing users the flexibility to generate their own keys.

@dmp42 dmp42 added the Trust label Jul 2, 2014
@SvenDowideit
Collaborator

@discordianfish @huslage Does this need to be Ubuntu? Or can you re-do it using a minimal debian:jessie (or even smaller)?

@discordianfish
Contributor

@SvenDowideit Why not just try it?

@SvenDowideit
Collaborator

I ask in case you guys already know a reason - i.e., to make sure I'm not replicating a known waste of time :) or in case someone has succeeded somewhere else (like with busybox).

@david-guenault

Well, I'm also facing this problem. What I do is use a Makefile that deals with all of the certificate management:

  • root CA
  • signing CA
  • client/server certs
  • client certs
  • certificate revocation with crl (and publish endpoints)

I do not think complete tooling is needed, since organizations already manage this process (internally or externally). But we need better documentation and support for the various revocation implementations such as CRL, OCSP and SCVP. At the moment I do not think any of those implementations are supported in Docker (even CRL and OCSP, which are already supported in Go's net/http).

@icecrime icecrime removed the dist/trust label Jul 17, 2015
@samrocketman

It would be nice if CRL, at the very least, was supported. I don't feel OCSP really applies here, because it's typical that the certificate authority is internal.

@md-5
md-5 commented Feb 19, 2016

Without revocation, how is the current TLS implementation any better than static keys?
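Added example, not code from this issue or from Docker: a Go program that builds the hierarchy david-guenault lists above (a root CA issuing a server leaf for the daemon and a client leaf for the CLI; the intermediate signing CA is left out) and adds the CRL check that samrocketman and md-5 are asking about, which crypto/x509's Verify does not perform on its own. The CA name, serial numbers, the 127.0.0.1 SAN and the validity periods are constructed values, and it assumes Go 1.19 or later for x509.ParseRevocationList.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// PKI holds the constructed test hierarchy; CRL stays nil until Revoke publishes one.
type PKI struct {
	CAKey              *ecdsa.PrivateKey
	CA, Server, Client *x509.Certificate
	CRL                *x509.RevocationList
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)) // parent == tmpl self-signs
	return must(x509.ParseCertificate(der))
}

// BuildPKI anchors every validity period at now, so builds are repeatable and clock skew is testable.
func BuildPKI(now time.Time) *PKI {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-docker-ca"}, // constructed name
		NotBefore:             now,
		NotAfter:              now.Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		// CRLSign is mandatory for CreateRevocationList; IsCA makes CreateCertificate add the SubjectKeyId it also needs.
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	leaf := func(serial int64, eku x509.ExtKeyUsage, sans ...net.IP) *x509.Certificate {
		t := &x509.Certificate{
			SerialNumber: big.NewInt(serial),
			NotBefore:    now,
			NotAfter:     now.Add(90 * 24 * time.Hour),
			ExtKeyUsage:  []x509.ExtKeyUsage{eku},
			IPAddresses:  sans, // clients verify the daemon by the address they dial, so the SAN must match it
		}
		key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // a real tool would write this key out
		return issue(t, ca, &key.PublicKey, caKey)
	}
	return &PKI{CAKey: caKey, CA: ca,
		Server: leaf(2, x509.ExtKeyUsageServerAuth, net.ParseIP("127.0.0.1")), // constructed SAN
		Client: leaf(3, x509.ExtKeyUsageClientAuth)}
}

// Verify chains leaf to the CA for the expected usage and host as of time at, then applies the CRL check.
func (p *PKI) Verify(leaf *x509.Certificate, eku x509.ExtKeyUsage, host string, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(p.CA) // only our own CA is trusted, never the system pool
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, KeyUsages: []x509.ExtKeyUsage{eku}, CurrentTime: at}); err != nil {
		return err
	}
	if p.CRL == nil {
		return nil
	}
	// A CRL not signed by our CA, or one past NextUpdate, fails closed rather than open.
	if err := p.CRL.CheckSignatureFrom(p.CA); err != nil || at.After(p.CRL.NextUpdate) {
		return fmt.Errorf("CRL is untrusted or stale (signature error: %v)", err)
	}
	for _, rc := range p.CRL.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("certificate %d is revoked", leaf.SerialNumber)
		}
	}
	return nil
}

// Revoke publishes a CA-signed CRL listing leaf, valid for one day.
func (p *PKI) Revoke(leaf *x509.Certificate, now time.Time) {
	der := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          now,
		NextUpdate:          now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}},
	}, p.CA, p.CAKey))
	p.CRL = must(x509.ParseRevocationList(der))
}

func main() {
	p := BuildPKI(time.Now())
	p.Revoke(p.Client, time.Now())
	fmt.Println(p.Verify(p.Client, x509.ExtKeyUsageClientAuth, "", time.Now()))
}
```

Two design choices matter for this thread. Taking the clock as a parameter makes the build reproducible and lets you replay the "not yet valid" failure that a verifier whose clock is behind the issuing machine's produces, so it can be distinguished from a genuinely bad certificate. And the CRL branch refuses every certificate once the list is past NextUpdate or not signed by the CA, because a revocation check that silently passes when the list is unavailable gives no more protection than the static keys md-5 compares it to.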

@samrocketman

FYI, I think supporting a set of scripts would be easy to do. I wrote up repeatable scripts that I could probably open source with permission from my company.
