Skip to content

Add new TLS options sigalgs() and client-sigalgs() #4000

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
May 5, 2022
Merged

Add new TLS options sigalgs() and client-sigalgs() #4000

merged 3 commits into from
May 5, 2022

Conversation

MrAnno
Copy link
Collaborator

@MrAnno MrAnno commented May 2, 2022
edited
Loading

This PR adds 2 new TLS options, which make it possible to restrict which signature/hash pairs can be used in digital signatures.

This is a TLS extension specified by RFC5246:
https://datatracker.ietf.org/doc/html/rfc5246#section-7.4.1.4.1

sigalgs:

This sets the supported signature algorithms for TLSv1.2 and TLSv1.3.
For clients this value is used directly for the supported signature
algorithms extension. For servers it is used to determine which
signature algorithms to support.

client-sigalgs:

This sets the supported signature algorithms associated with client
authentication for TLSv1.2 and TLSv1.3. For servers the value is used
in the signature_algorithms field of a CertificateRequest message.
For clients it is used to determine which signature algorithm to use
with the client certificate.

Example config:

source {
	network(port(4444) transport(tls)
		tls(
			pkcs12-file("/home/anno/Work/syslog-ng/tls/localhost.p12")
			peer-verify(yes)
			client-sigalgs("RSA-PSS+SHA256:ed25519")
		)
	);
};

destination {
	network("localhost" port(4444) transport(tls)
		tls(
			pkcs12-file("/home/anno/Work/syslog-ng/tls/localhost.p12")
			peer-verify(yes)
			sigalgs("RSA-PSS+SHA256:ed25519")
		)
	);
};

Partially resolves #3993

bazsi
bazsi previously approved these changes May 2, 2022
View reviewed changes
@MrAnno MrAnno mentioned this pull request May 2, 2022
Closed
@kira-syslogng
Copy link
Contributor

Build SUCCESS

@MrAnno MrAnno marked this pull request as ready for review May 2, 2022 17:40
@kira-syslogng
Copy link
Contributor

Build SUCCESS

MrAnno added 3 commits May 3, 2022 09:20
@MrAnno
tlscontext: add support for restricting TLS signature algorithms
c7ba645 
This is a TLS extension specified by RFC5246:
https://datatracker.ietf.org/doc/html/rfc5246#section-7.4.1.4.1

sigalgs:
> This sets the supported signature algorithms for TLSv1.2 and TLSv1.3.
> For clients this value is used directly for the supported signature
> algorithms extension. For servers it is used to determine which
> signature algorithms to support.

client-sigalgs:
> This sets the supported signature algorithms associated with client
> authentication for TLSv1.2 and TLSv1.3. For servers the value is used
> in the signature_algorithms field of a CertificateRequest message.
> For clients it is used to determine which signature algorithm to use
> with the client certificate.

Signed-off-by: László Várady <laszlo.varady@protonmail.com>
@MrAnno
afsocket: add new TLS options sigalgs() and client-sigalgs()
e594f4f 
This implements a TLS extension specified by RFC5246:
https://datatracker.ietf.org/doc/html/rfc5246#section-7.4.1.4.1

Signed-off-by: László Várady <laszlo.varady@protonmail.com>
@MrAnno
news: add entry for feature syslog-ng#4000
963ccc9 
Signed-off-by: László Várady <laszlo.varady@protonmail.com>
@kira-syslogng
Copy link
Contributor

Build SUCCESS

@OverOrion OverOrion self-requested a review May 5, 2022 08:31
OverOrion
OverOrion approved these changes May 5, 2022
View reviewed changes
Copy link
Collaborator

@OverOrion OverOrion left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, tested:

Signature Hash Algorithms (2 algorithms)
    Signature Algorithm: rsa_pss_rsae_sha256 (0x0804)
    Signature Algorithm: ed25519 (0x0807)

@OverOrion OverOrion merged commit a940bf5 into syslog-ng:master May 5, 2022
@mohitvaid
Copy link

@MrAnno @gaborznagy is this change applicable for MQTT TLS as well?

@MrAnno
Copy link
Collaborator Author

MrAnno commented May 17, 2022

Unfortunately, the MQTT source/destination uses a library (paho.mqtt.c), which does not support restricting sigalgs.
The best way to add support to the MQTT driver for this is asking them to either make it possible to freely configure an OpenSSL context or just add support for sigalgs restriction as we did.

https://github.com/eclipse/paho.mqtt.c

@mohitvaid
Copy link

mohitvaid commented May 17, 2022
edited
Loading

How about supporting the ecdh-curve-list? I will follow up with paho separately.

paho discussion: eclipse-paho/paho.mqtt.c#1226

@MrAnno
Copy link
Collaborator Author

MrAnno commented May 17, 2022

The same is true for ecdh-curve-list(): it is supported in standard network drivers, but not in MQTT/HTTP.

Supporting it in the HTTP destination is possible, let us know if you need it by opening a feature request .

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@OverOrion OverOrion OverOrion approved these changes

@gaborznagy gaborznagy gaborznagy approved these changes

@bazsi bazsi bazsi left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Support SSL_CONF_cmd() to configure advanced client tls options
6 participants
@MrAnno @kira-syslogng @mohitvaid @bazsi @OverOrion @gaborznagy