Add endpoint option to authenticate by client tls cert.

[andersbetner]

I have added authentication by client certificate as per #402
I haven't added any tests yet.

1. Does this pullrequest look all right?
2. I did not add an option for ClientAuthType. I just picked and hardcoded the most sensible default value: RequireAndVerifyClientCert
3. Should I add tests by basically duplicating the TestWithSNIConfigHandshake and TestWithSNIConfigRoute and then add client certification + client cert and CA cert in fixtures?

[emilevauge]

Hi @andersbetner, thanks for your contribution :)
I have few comments:

• as we are in the process of releasing the 1.0.0 version, this PR will land in the 1.1.0 version (in few weeks).
• I think we need to be able to have multiple client SSL certs. It would be interesting to change type of ClientCAFile.ClientCAFile from string to Certificates (and rename it then):

type TLS struct {
    Certificates          Certificates
    ClientCertificates    Certificates
}

WDYT?

/cc @vdemeester @samber

[andersbetner]

@emilevauge
Actually the cert-file can contain multiple certs.
I have added tests and clarified the documentation. (and changed the config parameter to ClientCAsFile).

The name ClientCAs is a bit of a misnomer, it doesn't hold client certificates. It contains the public key of one or more certificate authorities that you trust to sign client certs.
The client has to present a certificate that is signed by one of the CA:s in the ClientCAsFile.
I created two test cases where one has two CA:s in the ClientCAsFile.

Since this PR involves security it would be great if more than my pair of eyes could have a look at the code.

[vdemeester]

Seems good to me 😉
I kinda agree with @emilevauge on the fact that we should allow multiple values for ClientCAs (that each could have more public key in each 😛).

[emilevauge]

@andersbetner

The name ClientCAs is a bit of a misnomer, it doesn't hold client certificates. It contains the public key of one or more certificate authorities that you trust to sign client certs.
The client has to present a certificate that is signed by one of the CA:s in the ClientCAsFile.
I created two test cases where one has two CA:s in the ClientCAsFile.

True, obviously we cannot reuse Certificates type here.

Actually the cert-file can contain multiple certs.

Even if a file can contain multiple keys, I think it would be simpler to not force users to do that. Besides, the std library as been designed with that in mind: CertPool.AddCert https://golang.org/pkg/crypto/x509/#CertPool.AddCert. A slice of keys would allow both use case :)

Since this PR involves security it would be great if more than my pair of eyes could have a look at the code.

As soon as we agree on design, we will make a deep code review :)

[andersbetner]

@emilevauge , @vdemeester
I have no problem with a slice, I just didn't think of it. I was so colored by how Nginx ssl_client_certificate and Apache SSLCACertificateFile wants all CA:s in one file.

I had a look around and it seems like Caddy does it like you suggested.

Just to make sure I understand.
Is this what you meant?

type TLS struct {
    Certificates  Certificates
    ClientCAFiles []string
}

[entryPoints.https]
address = ":443"
ClientCAFiles = ["ca1.pem", "ca2.pem"]
[entryPoints.https.tls]
  [[entryPoints.https.tls.certificates]]
    CertFile = "integration/fixtures/https/snitest.com.crt"
    KeyFile = "integration/fixtures/https/snitest.com.key"

It is a pity that the authentication is forced on all SNI-certs on the same listener (by the go library), but I guess we are not alone there: Caddy issue #849

[emilevauge]

@andersbetner: Seems good.
You will also have to modify the entryPoints command line parser to include these client certs:

--entrypoints Entrypoints definition using format: --entryPoints='Name:http Address::8000 Redirect.EntryPoint:https' --entryPoints='Name:https Address::4442 TLS:tests/traefik.crt,tests/traefik.key' (default "map[]")

[emilevauge]

Hi @andersbetner, I'm planning to get this PR in the 1.1 releases. Do you think it's possible ?

[andersbetner]

@emilevauge
Sure, I was waiting for the 1.0 release.
I will rebase and make the changes to the config and command line.
Should I squash all changes into just two commit one for the changes to the code and one for the documentation? (that it should I sqash my future changes into the existing commits or does it not matter?

[emilevauge]

@andersbetner it would be better to squash your commits yes :)

[andersbetner]

@emilevauge
Added support for multiple CA-files as discussed earlier.
Tell me if you would like anything changed.

[emilevauge]

I would add this to the existing line SSL (Certificates. Keys...) :)

[andersbetner]

@emilevauge
I managed to get the config right for the tests but not in the documentation...

• Fixed according to your comments.
• Squashed the commit.
• Rebased on top of master.

[emilevauge]

Thanks @andersbetner !
Maybe we will change a bit https://github.com/containous/traefik/pull/461/files#diff-bee1b19602a9f84a06f44e111f79a479R96 in a futur PR. I'm not totally convinced by how we manage flags with entrypoints...
LGTM!

/cc @containous/traefik

[andersbetner]

@emilevauge
Great, yeah I just made my addition to the flag syntax up. I have no problem with it being changed to something clearer.

[andersbetner]

@emilevauge
Rebased

[emilevauge]

/cc @containous/traefik

[vdemeester]

LGTM 🐯