Support enable/disabling SSL client authentication on the management port without overriding SSL parameters #15437

Open
alonbl opened this issue Dec 10, 2018 · 2 comments
Labels
theme: ssl Issues related to ssl support type: enhancement A general enhancement
@alonbl
Contributor

alonbl commented Dec 10, 2018

Continuing the discussion from #14985, I would like to continue the discussion here and agree on the solution.

CURRENT IMPLEMENTATION

Management port inherits all SSL settings from the server port, in other words by default management.server.ssl = server.ssl, while any setting at management.ssl.* starts from a fresh management.ssl settings.

This is convenient in most cases, as the server-side settings are usually specified and match both the server and management settings, so there is no need to specify any override of the management port settings.

I guess that the common case of design is for disabling management port SSL by management.server.ssl.enabled=false, which is good enough and then we do not care about not inheriting settings from server but start fresh.

However, when specifying client-side authentication using client-auth and key-* on server.ssl.* to provide client authentication to the remote side, it sometimes makes sense to either disable this for the management port or change the identity without impacting the server-side settings, for example protocol, ciphers, enabled-protocols etc...

The problem is that once a single parameter is specified at management.server.ssl.*, it requires specifying all parameters again, for example:

server:
  ssl:
    enabled: true
    protocol: TLSv1.2
    trust-store: trust.jks
    key-store: key.jks
    client-auth: need
management:
  server:
    ssl:
      enabled: true
      protocol: TLSv1.2
      trust-store: trust.jks
      client-auth: none

Notice that the protocol and trust-store should be repeated in the management statement just to turn client authentication off.

EXPECTED IMPLEMENTATION

Separate the server SSL settings from the client SSL settings while keeping backward compatibility.

I suggest moving the SSL client settings client-auth and key-* to an ssl-client object, and as a fallback (if unset) consulting the ssl object.

For example:

server:
  ssl:
    enabled: true
    protocol: TLSv1.2
    trust-store: trust.jks
  ssl-client:
    key-store: key.jks
    client-auth: need
management:
  server:
    ssl-client:
      client-auth: none

or:

server:
  ssl:
    enabled: true
    protocol: TLSv1.2
    trust-store: trust.jks
  ssl-client:
    key-store: key.jks
    client-auth: need
management:
  server:
    ssl-client:
      key-store: key-management.jks
      client-auth: need

Backward compatibility is maintained using a fallback to server.ssl.*.

server:
  ssl:
    enabled: true
    protocol: TLSv1.2
    trust-store: trust.jks
    key-store: key.jks
    client-auth: need
management:
  server:
    ssl:
      key-store: key-management.jks
      client-auth: need

Any other method will be gladly accepted :)
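The difference between the two resolution rules in the report, as an added example (not Spring Boot code, not the reporter's): a small model that resolves the YAML above under the current "fresh object" semantics and under the proposed per-key fallback. Property names follow the issue; the exact fallback order and the treatment of non-client keys are assumptions chosen to illustrate the proposal.

```python
"""Model of the property-resolution semantics discussed in this issue.
Added example, not Spring Boot code: key names follow the issue, the
merge rules are assumptions chosen to illustrate the proposal."""

# Keys the issue proposes to move from server.ssl.* to server.ssl-client.*
CLIENT_KEYS = ("key-store", "client-auth")


def effective_current(cfg: dict) -> dict:
    """Current behaviour as the issue describes it: management.server.ssl
    inherits server.ssl wholesale, but setting any key under
    management.server.ssl makes the management port start from a fresh
    ssl object, so unset keys are lost rather than inherited."""
    server_ssl = cfg.get("server", {}).get("ssl", {})
    mgmt_ssl = cfg.get("management", {}).get("server", {}).get("ssl")
    return dict(server_ssl if mgmt_ssl is None else mgmt_ssl)


def effective_proposed(cfg: dict) -> dict:
    """Proposed behaviour: every key resolves individually. Client-side
    keys fall back management.ssl-client -> management.ssl ->
    server.ssl-client -> server.ssl; the other keys fall back
    management.ssl -> server.ssl (assumed; the issue leaves it open)."""
    server = cfg.get("server", {})
    mgmt = cfg.get("management", {}).get("server", {})
    base, srv_client = server.get("ssl", {}), server.get("ssl-client", {})
    mgmt_ssl, mgmt_client = mgmt.get("ssl", {}), mgmt.get("ssl-client", {})
    client_chain = (mgmt_client, mgmt_ssl, srv_client, base)
    server_chain = (mgmt_ssl, base)
    keys = set(base) | set(srv_client) | set(mgmt_ssl) | set(mgmt_client)
    effective = {}
    for key in sorted(keys):
        for layer in client_chain if key in CLIENT_KEYS else server_chain:
            if key in layer:
                effective[key] = layer[key]
                break
    return effective


# Constructed configs mirroring the YAML in the issue.
SERVER = {"enabled": True, "protocol": "TLSv1.2", "trust-store": "trust.jks",
          "key-store": "key.jks", "client-auth": "need"}
# What the reporter would like to write: turn client auth off, nothing else.
MINIMAL_OVERRIDE = {"server": {"ssl": SERVER},
                    "management": {"server": {"ssl": {"client-auth": "none"}}}}
# The same intent expressed with the proposed ssl-client object.
PROPOSED = {"server": {"ssl": {k: v for k, v in SERVER.items() if k not in CLIENT_KEYS},
                       "ssl-client": {"key-store": "key.jks", "client-auth": "need"}},
            "management": {"server": {"ssl-client": {"client-auth": "none"}}}}

if __name__ == "__main__":
    print("current :", effective_current(MINIMAL_OVERRIDE))  # protocol/trust-store lost
    print("proposed:", effective_proposed(PROPOSED))
```

Under the current rule the minimal override leaves the management port with only client-auth set, which is exactly the "specify everything again" problem the report describes; under the per-key rule both spellings yield the full server settings with client authentication turned off.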

@alonbl
Contributor Author

alonbl commented Dec 10, 2018

@bclozel, @snicoll: I've opened a separate issue to continue the discussion from #14985. I would appreciate it if you could review, thanks!

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Dec 10, 2018
@wilkinsona
Member

This is in a similar vein to #9560, #14302, #15673, and #16098.

@wilkinsona wilkinsona added type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged labels Mar 20, 2019
@wilkinsona wilkinsona added this to the 2.x milestone Mar 20, 2019
@mbhave mbhave added the theme: ssl Issues related to ssl support label Jul 31, 2019
roesslerj added a commit to corona-warn-app/cwa-server that referenced this issue Mar 19, 2021
…requires specifying all parameters again

As of this post: spring-projects/spring-boot#15437 currently, all
ioangut added a commit to corona-warn-app/cwa-server that referenced this issue Mar 23, 2021
…requires specifying all parameters again (#1265)

As of this post: spring-projects/spring-boot#15437 currently, all

Co-authored-by: ioangut <67064882+ioangut@users.noreply.github.com>
@philwebb philwebb modified the milestones: 2.x, 3.x Aug 19, 2022