-
Notifications
You must be signed in to change notification settings - Fork 261
Support TLS client certificate enrollment #1120
Comments
Right now we use a single port/hostname for ALL endpoints, including the osqueryd ones. Here's a few possibilities:
aside: Building this functionality into a cloud offering would be simpler as we can always serve the TLS endpoints by a completely different backend and do path based routing there. |
I think the first option is a non starter. Option 2 Feasible but messy, requiring quite a but of new code. That's what I've been exploring as a solution currently. So the SNI option would require a CNAME to alias the kolide host? That might not be too bad. I think that given the effort that this is likely to take if we are to implement #2 your point about focusing our efforts on the cloud offering is a better option. |
According to @theopolis the osquery tls plugin supports SNI so that might be the way to go, since you can define a function in tls.Config to handle it |
It's still per server, not per-endpoint |
So if I understand this correctly, using SNI, the only way to get this to work, would be to have the osquery endpoints served on a different port? |
different port, or different hostname are both options |
As far as I can tell and with a little experimentation with the Go TLS stack it appears it is possible to do client certificate based authentication per endpoint by specifying After specifying One added benefit is that you can still specify a I might try to see if I can get this working. |
As mentioned in the discussion above, the hard part is not having the server ask for/verify a cert but the fact that TLS auth is applied globally per server:port not per HTTP route. The correct answer to this issue is to use nginx or HAproxy in front of fleet and terminate all the osquery endpoints with TLS certificates. |
From my experimentation with Chrome, Safari, and Firefox I don't see any browser prompting for a client certificate when using |
I don't think this is on our current agenda, so it does not seem worth keeping open. @zwass Feel free to re-open if you'd rather keep it in that state. |
osquery supports two forms of client authentication:
Right now Kolide only supports the shared secret enrollment, but customers have been asking for TLS client certificate enrollment. The documentation for specifying the client certificate and key can be found here: https://osquery.readthedocs.io/en/stable/deployment/remote/#tls-client-auth-enrollment.
The text was updated successfully, but these errors were encountered: