-
Notifications
You must be signed in to change notification settings - Fork 536
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Introduce InsecureSkipVerify to DR #2040
Conversation
Skipping CI for Draft Pull Request. |
cc @ericvn can you go over the documentation for this PR? Thanks! |
releasenotes/notes/25652.yaml
Outdated
|
||
releaseNotes: | ||
- | | ||
**Added** InsecureSkipVerify to DestinationRule. Users can choose to opt-out of validating external site certificates on hosts basis if a user has enabled certificate validation. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
on a per-host basis?
releasenotes/notes/25652.yaml
Outdated
releaseNotes: | ||
- | | ||
**Added** InsecureSkipVerify to DestinationRule. Users can choose to opt-out of validating external site certificates on hosts basis if a user has enabled certificate validation. | ||
**Modified** VerifyCertificateAtClient is now deprecated in meshconfig. This will be removed in a future release and was never implemented. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
meshConfig
?
"This feature was not implemented, and will be removed in a future release" ?
while Eric is out, Brian asked me to look at this; the only thing I think that is relevant to docs is
so LGTM with some comments on the release note |
|
||
// Boolean specifying if proxy should not check the CA signature for the host | ||
// certificate. `InsecureSkipVerify` is `false` by default. If set to true, | ||
// the proxy will skip verification of the host's certificate regardless of |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
// the proxy will skip verification of the host's certificate regardless of | |
// the proxy will skip verification of the host's certificate, regardless of |
@@ -964,6 +964,12 @@ message ClientTLSSettings { | |||
|
|||
// SNI string to present to the server during TLS handshake. | |||
string sni = 6; | |||
|
|||
// Boolean specifying if proxy should not check the CA signature for the host |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if the proxy?
/retest |
lg, need to run |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You need to sync v1alpha3 to v1beta1 APIs. @howardjohn recently wrote a tool for it so you can just run it and ensure the proto files are in sync.
// Boolean specifying if the proxy should not check the CA signature for the host | ||
// certificate. `InsecureSkipVerify` is `false` by default. If set to true, | ||
// the proxy will skip verification of the host's certificate, regardless of | ||
// any CA certificate specified elsewhere. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
// Boolean specifying if the proxy should not check the CA signature for the host | |
// certificate. `InsecureSkipVerify` is `false` by default. If set to true, | |
// the proxy will skip verification of the host's certificate, regardless of | |
// any CA certificate specified elsewhere. | |
// InsecureSkipverify specifies whether the proxy should skip verifying the CA signature for the server | |
// certificate. `InsecureSkipVerify` is `false` by default. If set to true, | |
// the proxy will skip verification of the server's certificate, regardless of | |
// the CA certificate path specified elsewhere. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does it also not verify the SAN field?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This would also not verify the SAN past the cert and host name match
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok basically certificate signature and Host in SAN is validated. If that's correct we should not just mention signature here.
* hide VerifyCertificateAtClient in ProxyConfig to eventually be removed. * Add InsecureSkipVerify bool to allow users to prevent any certificate validation on desired external host.
* Update release-notes to specify changes and purpose for adding InsecureSkipVerify and deprecating VerifyCertificateAtClient * VerifyCertificateAtClient gets deprecated instead of only hidden
9576ab4
to
fc930dc
Compare
// Boolean specifying if the proxy should not check the CA signature for the host | ||
// certificate. `InsecureSkipVerify` is `false` by default. If set to true, | ||
// the proxy will skip verification of the host's certificate, regardless of | ||
// any CA certificate specified elsewhere. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok basically certificate signature and Host in SAN is validated. If that's correct we should not just mention signature here.
Few more minor suggestions, rest look good! |
@brian-avery if you have time, I would appreciate any input! |
@@ -436,7 +437,7 @@ message MeshConfig { | |||
// For wildcard host name in DestinationRule, client-side proxy will do a suffix match. For example, | |||
// if host is `*.x.y.com`, client-side proxy will verify the presented server certificate SAN matches | |||
// ``.x.y.com` suffix. | |||
google.protobuf.BoolValue verify_certificate_at_client = 54; | |||
google.protobuf.BoolValue verify_certificate_at_client = 54 [deprecated=true]; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you clarify default here given this is not configurable?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is the scenario that this is set to true by default globally but certain service wants to skip the validation by setting insecure_skip_verify?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
By default, we don't verify server certificates unless you specify caCertificates
in DR which is the bug (CVE) we are trying to address. @Kmoneal is adding an ENV var in istio/istio so that going forward CA verification can be turned on globally (it will still be default off for backwards compatibility). Once you have it enabled globally, the new config option in DR insecureSkipVerify disables it on a per host (service) basis.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Neeraj summed it up well. This was an attempt to add in enabling mesh-wide external server certificate validation. By planning to default verification to on, we wanted to make sure that we can allow users to disable it mesh-wide.
// is `false` by default. If set to true, the proxy will skip verification of | ||
// the server certificate, regardless of any certificate validation | ||
// configureation provided elsewhere. | ||
google.protobuf.BoolValue insecure_skip_verify = 8; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
what about skip_verify_cert
or skip_verify_certificate
? seems easier to understand and consistent with VerifyCertificateAtClient
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Negation makes more sense as it is consistent with tools like curl that provide "-k" flag. We expect most users to have verification globally turned on (and hopefully in few releases default on) so in that light this naming is more clear. WDYT?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We wanted to make sure it was explicit that it was an insecure flag to enable and I prefer to keep that. If insecure_skip_verify_cert
is agreeable I would be happy to change it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I like InsecureSkipVerify because it has a wellknown meaning already
// is `false` by default. If set to true, the proxy will skip verification of | ||
// the server certificate, regardless of any certificate validation | ||
// configureation provided elsewhere. | ||
google.protobuf.BoolValue insecure_skip_verify = 8; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is the certificate expiration checked?
@nrjpoddar If we're confident that we won't need more control then I'm OK with not being an enum.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess so? I'm assuming Envoy uses the openssl call to verify most expected attributes like signature, SAN, expiration, not valid before etc. We can refine the comment to not explicitly list out just signature and SAN.
I think starting out with boolean is good here. I haven't seen many requests for signature verification but no SAN or skip expiration etc.
This is what curl documents for -k:
The server connection is verified by making sure the server's certificate contains the right name and verifies successfully using the cert store.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The certificate would be checked that it is a usable cert (expiration, not malformed, etc) but it will not check against a CA.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
curl -k
doesn't verify expiration (you can check with https://expired.badssl.com/) fwiw
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If folks questions are answered can we approve this? @howardjohn @linsun @louiscryan? Thanks!
|
||
// InsecureSkipverify specifies whether the proxy should skip verifying the | ||
// CA signature and SAN for the server certificate corresponding to the host. | ||
// `InsecureSkipVerify` is `false` by default. If set to true, the proxy will |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is "false
by default" accurate?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please, correct me if I am missing something, but InsecureSkipVerify
would disable any other added CA Root Certs or SAN specified which means it should be false
. Defaulting to false
would have no changes to current environments once the istio modifications are made. This is a new feature to disable security checks per host and the Env Var portion is adding the additional security setting which will be disabled by default as well.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This seems misleading. If someone told me InsecureSkipVerify is false by default, and I configure a DR for https://google.com
(with no caCertificate config), I think the vast majority of users would expect that we are verifying the TLS.
Even without this comment, today most people (including most Istio developers), thought it was verifying. This furthers the confusion IMO.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree, it is misleading and may provide a false sense of security for the standard settings. I took a second look and wanted to know if any of these solutions would be able to fix any concerns?
- Hide
InsecureSkipVerify
from docs until OS CA Certificates verification is enabled by default. - Switch to an enum like the one below. This could also give a false sense of security unless
VERIFY
is added only when it is available. It will be a change from RFC but considering it has been talked about a couple of time I think it would be worth it
enum InsecureSkipVerifyMode {
// Keep the legacy behavior, no change
UNSPECIFIED = 0;
// Do not verify certificates against a CA but verify that the certificate is valid
// with basic checks (i.e. expiration check, issued to the expected host, etc.)
NO_VERIFY = 1;
// Allow any verification enabled to be unchanged
VERIFY = 2;
}
- Change wording to specify that this just disables added DestinationRule and ServiceEntry CA/SAN settings verification.
If there is anything else you would recommend or any modifications I would be happy to hear them.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would suggest adding clarification around how this flag works in relationship with the environment variable i.e. this flag should only be used when the env var is enabled and you have verification turned on globally but want it disabled for a specific host. I would even add which Istio releases have the env var default off and later when we toggle it add from the release it is by default on. WDYT?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1 to documenting correlation to the flag.
Put a hold for small comment |
John, @Kmoneal responses to your comment so PTAL and remove hold so this can collapse. |
// | ||
// `InsecureSkipVerify` is `false` by default. | ||
// `VerifyCertAtClient` is `false` by default in Istio version 1.9 until | ||
// Istio version 1.13 where, going forward, it will be enabled by default. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nit: would avoid exact date, historically we don't hit our targets a lot 🙂
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@Kmoneal I missed updates to this PR so added few suggestions. PTAL.
// This flag should only be set if global CA signature verifcation is | ||
// enabled, `VerifyCertAtClient` environmental variable is set to `true`, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
// This flag should only be used if server certificate validation has been globally enabled
// via setting the environment variable VERIFY_CERTIFICATE_AT_CLIENT
to true in istiod
// but no verification is desired for a specific host.
// SAN will be skipped. | ||
// | ||
// `InsecureSkipVerify` is `false` by default. | ||
// `VerifyCertAtClient` is `false` by default in Istio version 1.9 but will |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
// Environment variable VERIFY_CERTIFICATE_AT_CLIENT
is false
by default in Istio versions 1.9 - 1.11
// for backwards compatibility.
// This variable will be set to true
by default in a later version where, going forward, it will be enabled by default.
// It is strongly recommended to turn on server certificate validation globally by setting this environment
// variable to true and selectively disabling verification on a per-host basis by using the
// InsecureSkipVerify
flag in DestinationRule.
removed.
validation on desired external host.