
Question: What happens if SSL certs expire? #21

Closed
nullbio opened this issue Oct 15, 2021 · 2 comments
Labels
question Further information is requested

Comments

@nullbio

nullbio commented Oct 15, 2021

Planning on using dRPC and this package: https://pkg.go.dev/go.bryk.io/pkg/net/drpc - and trying to spec out whether SSL certs are a good idea for our system.

My concern is what happens when an SSL cert expires, or a certificate is changed (because a cert is due to expire shortly), and the client has an active connection to the dRPC server.

Will the client's connection be killed automatically? Will the client retrieve the new SSL certificate automatically?

I am planning on using Let's Encrypt autocert to automatically renew certs without requiring a server restart.

Could anyone give any advice around this? Thanks.

@ifraixedes ifraixedes added the question Further information is requested label Oct 15, 2021
@Erikvv
Contributor

Erikvv commented Oct 15, 2021

The answer all depends on how you implement the net.Listener you pass to

func (s *Server) Serve(ctx context.Context, lis net.Listener) (err error) {

for the server and the net.Conn you pass to

func New(tr drpc.Transport) *Conn {

for the client.

I will give some answers for the general case where you use the tls package from the Go standard library.

> My concern is what happens when an SSL cert expires, or a certificate is changed (because a cert is due to expire shortly), and the client has an active connection to the dRPC server.

> Will the client's connection be killed automatically?

The certificate is only validated on handshake, so the connection will keep working. Also, certificates are renewed well before they expire; Let's Encrypt certificates are valid for 3 months and renewed after 2 months.

(If you read the TLS spec the server or client can renegotiate at any time but I haven't seen this in the wild.)

> Will the client retrieve the new SSL certificate automatically?

The client will validate the certificate against the "parent" certificate in his CA store. These certificates are valid for multiple years, and are usually updated by your operating system.

> I am planning on using Let's Encrypt autocert to automatically renew certs without requiring a server restart.

In that case you must periodically re-initialize tls.listener or implement tls.Config.GetCertificate.

Note that Let's Encrypt only works for server certificates. If you want to work with client verification you have to generate the client certificate yourself.

At Storj we developed something called NodeID verification to communicate between the thousands of actors in our network which (I think) does both client and server verification through TLS certificates. I'm quite fond of it but it would be overkill for a small project. Implementation is at https://github.com/storj/common/blob/main/peertls/tlsopts/tls.go

Hope this helps!
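
The following is an added example, not code from the dRPC project, from go.bryk.io, or from anyone in this thread. It demonstrates the two claims in the answer above with the Go standard library's tls package: a certificate swapped in through tls.Config.GetCertificate is picked up by every new handshake without restarting the listener, while a connection that is already established keeps working on the certificate it negotiated, because TLS validates the certificate only during the handshake. The CertStore, mustIssue and RotateDemo names, the in-memory "demo-ca" root and the "localhost" leaf certificates are all constructed for the demo; in production the certificate handed to Set would come from your renewal mechanism (for example an autocert callback), and the client's root pool would be the operating system's CA store.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"sync"
	"time"
)

// CertStore serves the current certificate per handshake; a swap never touches open connections.
type CertStore struct {
	mu   sync.RWMutex
	cert *tls.Certificate
}

// Set installs a renewed certificate (e.g. from a renewal hook); no listener restart is needed.
func (s *CertStore) Set(c *tls.Certificate) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.cert = c
}

// GetCertificate is the tls.Config.GetCertificate hook, invoked by the server once per handshake.
func (s *CertStore) GetCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	s.mu.RLock()
	defer s.mu.RUnlock()
	return s.cert, nil
}

// mustIssue mints an in-memory demo fixture (not a real CA): a self-signed CA when parent is nil, else a "localhost" leaf signed by parent.
func mustIssue(serial int64, parent *x509.Certificate, parentKey ed25519.PrivateKey) (tls.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), // distinct serials let the caller tell the leaves apart
		Subject:      pkix.Name{CommonName: fmt.Sprintf("demo-%d", serial)},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		DNSNames:     []string{"localhost"},
	}
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // encoded just above, so it parses
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, key
}

// RotateDemo runs a TLS echo server fed by a CertStore, dials it, swaps the certificate under the live
// listener, and returns the serial the first connection saw, whether it still echoes after the swap, and the serial a fresh dial sees.
func RotateDemo() (before int64, oldConnAlive bool, after int64, err error) {
	ca, caKey := mustIssue(1, nil, nil)
	certA, _ := mustIssue(100, ca.Leaf, caKey)
	certB, _ := mustIssue(200, ca.Leaf, caKey)
	store := &CertStore{cert: &certA}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{GetCertificate: store.GetCertificate})
	if err != nil {
		return
	}
	defer ln.Close()
	go func() { // echo server: one goroutine per accepted connection
		for c, e := ln.Accept(); e == nil; c, e = ln.Accept() {
			go func(c io.ReadWriteCloser) { defer c.Close(); io.Copy(c, c) }(c)
		}
	}()
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf) // the client trusts the CA, like an OS CA store, never the leaf itself
	c1, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool, ServerName: "localhost"})
	if err != nil {
		return
	}
	defer c1.Close()
	before = c1.ConnectionState().PeerCertificates[0].SerialNumber.Int64()
	store.Set(&certB) // rotation: the listener and c1 are left untouched
	_, werr := c1.Write([]byte("ping"))
	_, rerr := io.ReadFull(c1, make([]byte, 4))
	oldConnAlive = werr == nil && rerr == nil // the old connection still round-trips data
	c2, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool, ServerName: "localhost"})
	if err != nil {
		return
	}
	defer c2.Close()
	after = c2.ConnectionState().PeerCertificates[0].SerialNumber.Int64()
	return before, oldConnAlive, after, nil
}

func main() { fmt.Println(RotateDemo()) }
```

Running it prints `100 true 200 <nil>`: the first connection negotiated the serial-100 certificate, kept echoing after the swap, and the next dial received serial 200 with no restart of the listener. The same pattern is what the `GetCertificate` route in the answer above amounts to; if you re-create the listener instead, existing connections likewise survive, since they are not tied to the listener after Accept.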

@nullbio
Author

nullbio commented Oct 16, 2021

Thanks so much for your thorough response, this answers all my questions. Awesome job on dRPC and Storj, both products look incredible :-).

@nullbio nullbio closed this as completed Oct 16, 2021