Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Check peer certs #2545

Merged
merged 1 commit into from
Nov 18, 2024
Merged

Check peer certs #2545

merged 1 commit into from
Nov 18, 2024

Conversation

plorenz
Copy link
Member

@plorenz plorenz commented Nov 15, 2024

No description provided.

@plorenz plorenz requested review from a team as code owners November 15, 2024 02:46
Base automatically changed from add-cluster-id to main November 15, 2024 13:19
@andrewpmartinez
Copy link
Member

andrewpmartinez commented Nov 18, 2024
edited
Loading

There are two sides to certificate verification: server and client. Ensuring both sides properly verify and reject connections needs to be done. Statically analyzing the code (which is error prone) it appears that the tls.Config's used during dials are going to verify the server properly via go's built-in TLS logic. The server side verifies after the TSL connection during bind handling.

Since this area of code does not require flexible verification of client certificates, if possible, we should rely on Go's internal TLS implementation. This can be done by ensuring the tls.Config returned by calling id.ServerTLSConfig() has the field ClientAuth changed to tls.RequireAndVerifyClientCert. As long as the tls.Config is appropriately setup with the root CA and the client is providing a client certificate chain of intermediates, this will allow go's TLS package to handle verifying certs for us.

To recap:

  • the added checks client side for dials, appear superfluous
  • the added check server side is required, but realistically for an inflexible stock configuration should be handled via tls.Config properties

@plorenz
Copy link
Member Author

plorenz commented Nov 18, 2024

Discussed with @andrewpmartinez and given the complexity that ALPN adds, adding a post check seems reasonable.

@plorenz plorenz merged commit 01d8122 into main Nov 18, 2024
19 checks passed
@plorenz plorenz deleted the check-peer-certs branch November 18, 2024 20:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@michaelquigley michaelquigley michaelquigley approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@plorenz @andrewpmartinez @michaelquigley