From d934e59a6f581496364cd8ef9d32d4eb1298ee61 Mon Sep 17 00:00:00 2001 From: su-amaas Date: Wed, 28 Aug 2024 00:36:02 +0000 Subject: [PATCH] update to latest version: v1.4.1 --- CHANGELOG.md | 4 ++++ README.md | 6 ++++++ VERSION | 2 +- grpc.go | 22 ++++++++++++++-------- grpc_client_test.go | 12 +++++++++--- sdk.go | 2 +- 6 files changed, 35 insertions(+), 13 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 641c468..ab074c6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,9 @@ # CHANGELOG +## 1.4.1 - 2024-08-27 + +* Support certificate verification bypass using environment variable + ## 1.4.0 - 2024-08-21 * Support digest calculation bypass diff --git a/README.md b/README.md index 15d48fd..fe987ab 100644 --- a/README.md +++ b/README.md @@ -464,3 +464,9 @@ The communication channel between the client program or SDK and the Trend Vision The certificate employed by server-side TLS is a publicly-signed certificate from Trend Micro Inc, issued by a trusted Certificate Authority (CA), further bolstering security measures. The File Security SDK consistently adopts TLS as the default communication channel, prioritizing security at all times. It is strongly advised not to disable TLS in a production environment while utilizing the File Security SDK, as doing so could compromise the integrity and confidentiality of transmitted data. + +## Disabling certificate verification + +For customers who need to enable TLS channel encryption without verifying the provided CA certificate, the `TM_AM_DISABLE_CERT_VERIFY` environment variable can be set. However, this option is only recommended for use in testing environments. + +When `TM_AM_DISABLE_CERT_VERIFY` is set to `1`, certificate verification is disabled. By default, the certificate will be verified. diff --git a/VERSION b/VERSION index 88c5fb8..347f583 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.4.0 +1.4.1 diff --git a/grpc.go b/grpc.go index 56a941b..3d8dd00 100644 --- a/grpc.go +++ b/grpc.go 
@@ -37,6 +37,7 @@ const ( _envvarAuthKeyNotRequired = "TM_AM_AUTH_KEY_NOT_REQUIRED" // Set to 1 and Client SDK will not send auth key to server; set to 0 or leave empty to disable. _envvarServerAddr = "TM_AM_SERVER_ADDR" // : _envvarDisableTLS = "TM_AM_DISABLE_TLS" // Set to 1 to not use TLS for client-server communication; set to 0 or leave empty otherwise. + _envvarDisableCertVerify = "TM_AM_DISABLE_CERT_VERIFY" // Set to 1 to disable server certificate check by client; set to 0 or leave empty to verify certificate. _envInitWindowSize = "TM_AM_WINDOW_SIZE" appNameHTTPHeader = "tm-app-name" @@ -229,6 +230,7 @@ type AmaasClient struct { addr string useTLS bool caCert string + verifyCert bool timeoutSecs int appName string archHandler AmaasClientArchiveHandler @@ -461,8 +463,8 @@ func (ac *AmaasClient) fileScanRunNormalFile(fileName string, tags []string) (st } // Function to load TLS credentials with optional certificate verification -func loadTLSCredentials(caCertPath string) (credentials.TransportCredentials, error) { - logMsg(LogLevelDebug, "log TLS certificate = %s", caCertPath) +func loadTLSCredentials(caCertPath string, verifyCert bool) (credentials.TransportCredentials, error) { + logMsg(LogLevelDebug, "log TLS certificate = %s cert verify = %t", caCertPath, verifyCert) // Load the CA certificate pemServerCA, err := os.ReadFile(caCertPath) if err != nil { @@ -477,7 +479,8 @@ func loadTLSCredentials(caCertPath string) (credentials.TransportCredentials, er // Create the TLS credentials with optional verification creds := credentials.NewTLS(&tls.Config{ - RootCAs: certPool, + InsecureSkipVerify: !verifyCert, + RootCAs: certPool, }) return creds, nil 
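Review bot: The new `verifyCert bool` field on `AmaasClient` has an insecure zero value: any client built without going through `retrieveTLSSettings` (a zero-value struct in a test, or a constructor path that omits the assignment) carries `verifyCert == false`, which both new `tls.Config` sites turn into `InsecureSkipVerify: true`. Consider inverting the field so the zero value is the safe default, e.g. `skipCertVerify bool` set from `envDisableCertVerify == "1"` and used as `InsecureSkipVerify: ac.skipCertVerify`. The struct definition continues outside the hunk.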
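Review bot: Turning off certificate verification is recorded only at `LogLevelDebug` (the `logMsg` call in the `loadTLSCredentials` hunk above, and again in `setupComm`'s default-credential branch at @@ -512), so a production deployment running with `TM_AM_DISABLE_CERT_VERIFY=1` leaves no trace at normal log levels even though the README limits this option to testing environments. When `verifyCert` is false, emit a dedicated message at the highest non-debug level the logger offers, e.g. `logMsg(<warn level>, "server certificate verification disabled via %s", _envvarDisableCertVerify)`, immediately before building the `tls.Config`; the same applies to the `setupComm` hunk. With `InsecureSkipVerify` set, `RootCAs: certPool` is not consulted, so the CA file from `caCertPath` is read and parsed for nothing; a comment such as `// RootCAs is ignored when InsecureSkipVerify is true` would save the next reader the detour.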
@@ -512,14 +515,14 @@ func (ac *AmaasClient) setupComm() error { var creds credentials.TransportCredentials if ac.caCert != "" { // Bring Your Own Certificate case - creds, err = loadTLSCredentials(ac.caCert) + creds, err = loadTLSCredentials(ac.caCert, ac.verifyCert) if err != nil { return err } } else { // Default SSL credentials case - logMsg(LogLevelDebug, "using default SSL credential") - creds = credentials.NewTLS(&tls.Config{}) + logMsg(LogLevelDebug, "using default SSL credential with cert verify = %t", ac.verifyCert) + creds = credentials.NewTLS(&tls.Config{InsecureSkipVerify: !ac.verifyCert}) } if enableProxy { @@ -703,10 +706,11 @@ func identifyServerAddr(region string) (string, error) { return fmt.Sprintf("%s:%d", fqdn, _defaultCommPort), nil } -func retrieveTLSSettings() (useTLS bool) { +func retrieveTLSSettings() (useTLS bool, verifyCert bool) { envDisableTLS := os.Getenv(_envvarDisableTLS) + envDisableCertVerify := os.Getenv(_envvarDisableCertVerify) - return (envDisableTLS == "" || envDisableTLS == "0") + return (envDisableTLS == "" || envDisableTLS == "0"), envDisableCertVerify != "1" } func getDefaultScanTimeout() (int, error) { @@ -1032,6 +1036,8 @@ func NewClientInternal(key string, addr string, useTLS bool, caCert string) (*Am var err error + ac.useTLS, ac.verifyCert = retrieveTLSSettings() + if ac.timeoutSecs, err = getDefaultScanTimeout(); err != nil { return nil, err } diff --git a/grpc_client_test.go b/grpc_client_test.go index 76c72d4..1b35925 100644 --- a/grpc_client_test.go +++ b/grpc_client_test.go 
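Review bot: The two environment flags in `retrieveTLSSettings` are parsed differently: `TM_AM_DISABLE_TLS` counts as disabled for any value other than `""` or `"0"`, while `TM_AM_DISABLE_CERT_VERIFY` is honoured only when it is exactly `"1"`, so `TM_AM_DISABLE_TLS=true` turns TLS off but `TM_AM_DISABLE_CERT_VERIFY=true` is silently ignored. The strict form is the safer one for a security downgrade and matches what the README documents, but the discrepancy deserves a comment on the return line, e.g. `// Only the literal "1" disables verification; any other value keeps the safe default.`. As a point of style, the named results can be written `(useTLS, verifyCert bool)`.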
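Review bot: `ac.useTLS, ac.verifyCert = retrieveTLSSettings()` overwrites `ac.useTLS` from the environment inside `NewClientInternal`, whose signature takes an explicit `useTLS bool` parameter; if that parameter is copied into `ac.useTLS` earlier in the function (outside the hunk), the caller's choice is now silently discarded, and if it is not, the parameter is dead. Unless the environment is meant to override callers here, take only the second result: `_, ac.verifyCert = retrieveTLSSettings()`. `NewClient` in sdk.go has no such parameter, so the identical line is fine there. The body of `NewClientInternal` starts and ends outside the hunk.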
@@ -218,22 +218,28 @@ func TestIdServerAddressValidWithOverride(t *testing.T) { func TestRetrieveTLSSettings(t *testing.T) { os.Setenv(_envvarDisableTLS, "") + os.Setenv(_envvarDisableCertVerify, "") - useTLS := retrieveTLSSettings() + useTLS, verifyCert := retrieveTLSSettings() assert.Equal(t, true, useTLS) + assert.Equal(t, true, verifyCert) os.Setenv(_envvarDisableTLS, "0") + os.Setenv(_envvarDisableCertVerify, "0") - useTLS = retrieveTLSSettings() + useTLS, verifyCert = retrieveTLSSettings() assert.Equal(t, true, useTLS) + assert.Equal(t, true, verifyCert) os.Setenv(_envvarDisableTLS, "1") + os.Setenv(_envvarDisableCertVerify, "1") - useTLS = retrieveTLSSettings() + useTLS, verifyCert = retrieveTLSSettings() assert.Equal(t, false, useTLS) + assert.Equal(t, false, verifyCert) } // diff --git a/sdk.go b/sdk.go index a2aef6c..1f53075 100644 --- a/sdk.go +++ b/sdk.go @@ -43,7 +43,7 @@ func NewClient(key string, region string) (c *AmaasClient, e error) { return nil, err } - ac.useTLS = retrieveTLSSettings() + ac.useTLS, ac.verifyCert = retrieveTLSSettings() if ac.timeoutSecs, err = getDefaultScanTimeout(); err != nil { return nil, err
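Review bot: `TestRetrieveTLSSettings` sets `_envvarDisableTLS` and `_envvarDisableCertVerify` with `os.Setenv` and never restores them, so the final state (`"1"`, i.e. TLS and verification both off) leaks into every test that runs afterwards in the same process. Use `t.Setenv(_envvarDisableCertVerify, "")` and likewise for `_envvarDisableTLS` (Go 1.17+), which restores the previous value when the test finishes. A fourth case, e.g. `t.Setenv(_envvarDisableCertVerify, "true")` followed by `assert.Equal(t, true, verifyCert)`, would pin the fact that only the literal `1` disables verification.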