Introduce InsecureSkipVerify to DR

[Kmoneal]

• hide VerifyCertificateAtClient in ProxyConfig to eventually be
  removed.
• Add InsecureSkipVerify bool to allow users to prevent any certificate
  validation on desired external host.

[istio-testing]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[jacob-delgado]

cc @ericvn can you go over the documentation for this PR? Thanks!

[brian-avery]

This is part of https://docs.google.com/document/d/100Jvwjr9KkURiF2HtiOtRlAON8TqgskUyLfT17_xoRM/edit#

[craigbox]

on a per-host basis?

[craigbox]

meshConfig?

"This feature was not implemented, and will be removed in a future release" ?

[craigbox]

while Eric is out, Brian asked me to look at this; the only thing I think that is relevant to docs is

// $hide_from_docs

so LGTM with some comments on the release note

[craigbox]

Suggested change

	// the proxy will skip verification of the host's certificate regardless of
	// the proxy will skip verification of the host's certificate, regardless of

[craigbox]

if the proxy?

[Kmoneal]

/retest

[hzxuzhonghu]

lg, need to run make gen

[nrjpoddar]

You need to sync v1alpha3 to v1beta1 APIs. @howardjohn recently wrote a tool for it so you can just run it and ensure the proto files are in sync.

[nrjpoddar]

Suggested change

	// Boolean specifying if the proxy should not check the CA signature for the host
	// certificate. `InsecureSkipVerify` is `false` by default. If set to true,
	// the proxy will skip verification of the host's certificate, regardless of
	// any CA certificate specified elsewhere.
	// InsecureSkipverify specifies whether the proxy should skip verifying the CA signature for the server
	// certificate. `InsecureSkipVerify` is `false` by default. If set to true,
	// the proxy will skip verification of the server's certificate, regardless of
	// the CA certificate path specified elsewhere.

[nrjpoddar]

Does it also not verify the SAN field?

[Kmoneal]

This would also not verify the SAN past the cert and host name match

[nrjpoddar]

Ok basically certificate signature and Host in SAN is validated. If that's correct we should not just mention signature here.

[nrjpoddar]

Ok basically certificate signature and Host in SAN is validated. If that's correct we should not just mention signature here.

[nrjpoddar]

Few more minor suggestions, rest look good!

[Kmoneal]

@brian-avery if you have time, I would appreciate any input!

[linsun]

Can you clarify default here given this is not configurable?

[linsun]

Is the scenario that this is set to true by default globally but certain service wants to skip the validation by setting insecure_skip_verify?

[nrjpoddar]

By default, we don't verify server certificates unless you specify caCertificates in DR which is the bug (CVE) we are trying to address. @Kmoneal is adding an ENV var in istio/istio so that going forward CA verification can be turned on globally (it will still be default off for backwards compatibility). Once you have it enabled globally, the new config option in DR insecureSkipVerify disables it on a per host (service) basis.

[Kmoneal]

Neeraj summed it up well. This was an attempt to add in enabling mesh-wide external server certificate validation. By planning to default verification to on, we wanted to make sure that we can allow users to disable it mesh-wide.

[linsun]

what about skip_verify_cert or skip_verify_certificate? seems easier to understand and consistent with VerifyCertificateAtClient

[nrjpoddar]

Negation makes more sense as it is consistent with tools like curl that provide "-k" flag. We expect most users to have verification globally turned on (and hopefully in few releases default on) so in that light this naming is more clear. WDYT?

[Kmoneal]

We wanted to make sure it was explicit that it was an insecure flag to enable and I prefer to keep that. If insecure_skip_verify_cert is agreeable I would be happy to change it.

[howardjohn]

I like InsecureSkipVerify because it has a wellknown meaning already

[louiscryan]

Is the certificate expiration checked?

@nrjpoddar If we're confident that we won't need more control then I'm OK with not being an enum.

[nrjpoddar]

I guess so? I'm assuming Envoy uses the openssl call to verify most expected attributes like signature, SAN, expiration, not valid before etc. We can refine the comment to not explicitly list out just signature and SAN.

I think starting out with boolean is good here. I haven't seen many requests for signature verification but no SAN or skip expiration etc.

This is what curl documents for -k:

The server connection is verified by making sure the server's certificate contains the right name and verifies successfully using the cert store.

[Kmoneal]

The certificate would be checked that it is a usable cert (expiration, not malformed, etc) but it will not check against a CA.

[howardjohn]

curl -k doesn't verify expiration (you can check with https://expired.badssl.com/) fwiw

[nrjpoddar]

If folks questions are answered can we approve this? @howardjohn @linsun @louiscryan? Thanks!

[howardjohn]

is "false by default" accurate?

[Kmoneal]

Please, correct me if I am missing something, but InsecureSkipVerify would disable any other added CA Root Certs or SAN specified which means it should be false. Defaulting to false would have no changes to current environments once the istio modifications are made. This is a new feature to disable security checks per host and the Env Var portion is adding the additional security setting which will be disabled by default as well.

[howardjohn]

This seems misleading. If someone told me InsecureSkipVerify is false by default, and I configure a DR for https://google.com (with no caCertificate config), I think the vast majority of users would expect that we are verifying the TLS.
Even without this comment, today most people (including most Istio developers), thought it was verifying. This furthers the confusion IMO.

[Kmoneal]

I agree, it is misleading and may provide a false sense of security for the standard settings. I took a second look and wanted to know if any of these solutions would be able to fix any concerns?

1. Hide InsecureSkipVerify from docs until OS CA Certificates verification is enabled by default.
2. Switch to an enum like the one below. This could also give a false sense of security unless VERIFY is added only when it is available. It will be a change from RFC but considering it has been talked about a couple of time I think it would be worth it

    enum InsecureSkipVerifyMode {
        // Keep the legacy behavior, no change
        UNSPECIFIED = 0;
        // Do not verify certificates against a CA but verify that the certificate is valid
        // with basic checks (i.e. expiration check, issued to the expected host, etc.)
        NO_VERIFY = 1;
        // Allow any verification enabled to be unchanged
        VERIFY = 2;
    }

3. Change wording to specify that this just disables added DestinationRule and ServiceEntry CA/SAN settings verification.

If there is anything else you would recommend or any modifications I would be happy to hear them.

[nrjpoddar]

I would suggest adding clarification around how this flag works in relationship with the environment variable i.e. this flag should only be used when the env var is enabled and you have verification turned on globally but want it disabled for a specific host. I would even add which Istio releases have the env var default off and later when we toggle it add from the release it is by default on. WDYT?

[howardjohn]

+1 to documenting correlation to the flag.

[howardjohn]

Put a hold for small comment

[nrjpoddar]

Put a hold for small comment

John, @Kmoneal responses to your comment so PTAL and remove hold so this can collapse.

[howardjohn]

Nit: would avoid exact date, historically we don't hit our targets a lot 🙂

[nrjpoddar]

@Kmoneal I missed updates to this PR so added few suggestions. PTAL.

[nrjpoddar]

// This flag should only be used if server certificate validation has been globally enabled
// via setting the environment variable VERIFY_CERTIFICATE_AT_CLIENT to true in istiod
// but no verification is desired for a specific host.

[nrjpoddar]

// Environment variable VERIFY_CERTIFICATE_AT_CLIENT is false by default in Istio versions 1.9 - 1.11
// for backwards compatibility.
// This variable will be set to true by default in a later version where, going forward, it will be enabled by default.
// It is strongly recommended to turn on server certificate validation globally by setting this environment
// variable to true and selectively disabling verification on a per-host basis by using the
// InsecureSkipVerify flag in DestinationRule.