Support pinned certificates #526

ghjm · 2022-01-27T19:48:33Z

Receptor currently allows a user to specify a CA, or list of CAs, that must sign a certificate in order to trust it for a connection. However, there are situations where you want to be able to identify a single certificate, or one of a list of certificates, that should be allowed to connect, and it's not sufficient to just say "any certificate signed by such-and-so CA." The solution to this is certificate pinning, where you list specific certificate fingerprints that should be the only ones to be trusted.

Here are example configuration files exercising this feature:

---
- node:
    id: foo

- log-level: debug

- tls-server:
    name: foo_tls
    cert: certs/testcert-foo.crt
    key: certs/testcert-foo.key
    requireclientcert: true
    clientcas: certs/ca.crt
    pinnedclientcert: E6:9B:98:A7:A5:DB:17:D6:E4:2C:DE:76:45:42:A8:79:A3:0A:C5:6D:10:42:7A:6A:C4:54:57:83:F1:0F:E
2:95

- tcp-listener:
    port: 2222
    tls: foo_tls

- control-service:
    service: control
    filename: receptor.sock

---
- node:
    id: bar

- log-level: debug

- tls-client:
    name: bar_tls
    cert: certs/testcert-bar.crt
    key: certs/testcert-bar.key
    rootcas: certs/ca.crt
    pinnedservercert: 91:4B:90:C4:D2:33:94:62:37:2F:0C:83:7A:20:C1:E3:61:FB:0D:EE:9F:6B:E7:1C:2B:76:A2:97:63:21:4
E:F4

- control-service:
    service: control
    filename: bar.sock

- tcp-peer:
    address: localhost:2222
    redial: true
    tls: bar_tls

You can find the fingerprint of a given certificate using openssl x509 -in certs/testcert-foo.crt -noout -fingerprint -sha256. This PR supports sha256 and sha512, but not sha1, because sha1 is now considered insecure. If sha1 support is desired it can easily be added.

fosterseth · 2022-01-27T20:14:25Z

pkg/netceptor/tlsconfig.go

 		tlscfg.ClientCAs = clientCAs
 	}

+	if len(cfg.PinnedClientCert) > 0 {
+		tlscfg.VerifyPeerCertificate, err = GetPeerCertificatePinVerifier(cfg.PinnedClientCert)


for the quic connections, will this conflict with

receptor/pkg/netceptor/conn.go

Line 74 in 2fb942e

tlscfg.VerifyPeerCertificate = s.receptorVerifyFunc(tlscfg, remoteNode, VerifyClient)

You're right, this will indeed conflict.

ghjm · 2022-01-28T21:53:21Z

@fosterseth I fixed the conflict by having the netceptor verify function wrap the pinning verify function, if it exists. Let me know what you think of this. I guess the other solution would be to add a map to the netceptor struct that stores per-config pin fingerprints and have the netceptor-internal verify function do the pinning checks, but that seems like a lot of work.

ghjm · 2022-01-31T19:16:24Z

@fosterseth @eqrx @shanemcd Can I get a ✔️ on this?

fosterseth · 2022-01-31T20:27:17Z

@ghjm any chance we could get you to put a small paragraph / snippet describing this feature in the docs, maybe after this Generate Certs paragraph here

receptor/docs/source/tls.rst

Line 61 in 1dc72e0

Generating certs

maybe include that openssl command to get the fingerprint too

that would be very valuable for us

ghjm · 2022-01-31T23:04:17Z

@fosterseth Docs added as requested

fosterseth · 2022-02-01T18:00:07Z

pulled this down and tested, works well!

Users of course will need to know that if certs are ever refreshed, then this fingerprint will need to be manually updated in the config files. I think that is okay, we don't really have an automatic way to manage certs within receptor mesh as of right now anyways.

@shanemcd I'm good with this PR if you are

shanemcd · 2022-02-04T15:14:59Z

pkg/netceptor/conn.go

@@ -152,7 +152,6 @@ func (li *Listener) sendResult(conn net.Conn, err error) {
 		err:  err,
 	}:
 	case <-li.doneChan:
-	case <-li.doneChan:


What was going on here? Nice find.

shanemcd

Thanks @ghjm, hope you are doing well!

This reverts commit e9fb27f, reversing changes made to ca1bc69.

ghjm added 2 commits January 27, 2022 14:31

Add certificate pinning

291f711

Fix linter error

b03df69

ghjm requested review from eqrx and fosterseth January 27, 2022 19:59

fosterseth reviewed Jan 27, 2022

View reviewed changes

Handle client verify functions

be2ee9f

ghjm force-pushed the pinned_certificates branch from 788614b to be2ee9f Compare January 29, 2022 17:16

Add pinned certificate docs

b1bfded

shanemcd reviewed Feb 4, 2022

View reviewed changes

shanemcd approved these changes Feb 4, 2022

View reviewed changes

shanemcd merged commit e9fb27f into ansible:devel Feb 4, 2022

shanemcd added a commit that referenced this pull request Feb 17, 2022

Revert "Merge pull request #526 from ghjm/pinned_certificates"

7e1a6e2

This reverts commit e9fb27f, reversing changes made to ca1bc69.

shanemcd added a commit that referenced this pull request Feb 17, 2022

Revert "Merge pull request #526 from ghjm/pinned_certificates"

6806f00

This reverts commit e9fb27f, reversing changes made to ca1bc69.

shanemcd added a commit that referenced this pull request Feb 17, 2022

Revert "Merge pull request #526 from ghjm/pinned_certificates"

3041592

This reverts commit e9fb27f, reversing changes made to ca1bc69.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Support pinned certificates #526

Support pinned certificates #526

Support pinned certificates #526

Support pinned certificates #526

Conversation

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment