Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

security: added CRL check [WIP] #5968

Closed
wants to merge 12 commits into from
Closed

security: added CRL check [WIP] #5968

wants to merge 12 commits into from

Conversation

kayrus
Copy link
Contributor

@kayrus kayrus commented Jul 18, 2016
edited
Loading

resolves #4034, uses patches from cloudflare/cfssl#637

Comments are appreciated.

Test certs: https://github.com/endocode/etcd/raw/kayrus/test_certs/test_certs.tgz

Add /etc/hosts entry for test certs:

echo "127.0.0.1 coreos1" | sudo tee -a /etc/hosts

Test commands:

./bin/etcd --force-new-cluster=true \
 --trusted-ca-file cfssl/ca.pem \
 --client-cert-auth=true \
 --crl-file cfssl/crl.pem \
 --cert-file cfssl/server.pem \
 --key-file cfssl/server-key.pem \
 --listen-client-urls=https://localhost:2379 \
 --advertise-client-urls=https://localhost:2379 \
 --client-cert-auth=true \
 --peer-cert-file cfssl/server.pem \
 --peer-key-file cfssl/server-key.pem \
 --peer-trusted-ca-file cfssl/ca.pem \
 --peer-client-cert-auth=true \
 --peer-crl-file cfssl/crl.pem \
 --listen-peer-urls https://127.0.0.1:2380

curl -v --cacert cfssl/ca.pem \
 --cert cfssl/client.pem \
 --key cfssl/client-key.pem \
 https://coreos1:2379/v2/keys/message

heyitsanthony
heyitsanthony reviewed Jul 18, 2016
View reviewed changes
etcdmain/config.go Outdated
fs.BoolVar(&cfg.ClientAutoTLS, "auto-tls", false, "Client TLS using generated certificates")
fs.StringVar(&cfg.PeerTLSInfo.CAFile, "peer-ca-file", "", "DEPRECATED: Path to the peer server TLS CA file.")
fs.StringVar(&cfg.PeerTLSInfo.CertFile, "peer-cert-file", "", "Path to the peer server TLS cert file.")
fs.StringVar(&cfg.PeerTLSInfo.KeyFile, "peer-key-file", "", "Path to the peer server TLS key file.")
fs.BoolVar(&cfg.PeerTLSInfo.ClientCertAuth, "peer-client-cert-auth", false, "Enable peer client cert authentication.")
fs.StringVar(&cfg.PeerTLSInfo.TrustedCAFile, "peer-trusted-ca-file", "", "Path to the peer server TLS trusted CA file.")
fs.StringVar(&cfg.PeerTLSInfo.CRLFile, "peer-crl-file", "", "Path to the peer server certificate revocation list file.")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

these options should also be available via yaml conf in embed/config.go

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

@xiang90
Copy link
Contributor

xiang90 commented Jul 18, 2016

Can we add a e2e or integration test for this? I think the direction is good!

heyitsanthony
heyitsanthony reviewed Jul 18, 2016
View reviewed changes
embed/etcd.go Outdated
@@ -272,6 +275,27 @@ func startClientListeners(cfg *Config) (sctxs map[string]*serveCtx, err error) {
return sctxs, nil
}

func revokeCheckHandler(req *http.Request, CRLpath string) error {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this should live in tlsutil? There's nothing etcd specific here.

@heyitsanthony
Copy link
Contributor

Mostly looks good aside from some minor code stuff. Thanks!

@kayrus kayrus mentioned this pull request Jul 19, 2016
Closed
@kayrus kayrus force-pushed the kayrus/crl_check branch 3 times, most recently from aafbf79 to 03272cd Compare July 19, 2016 15:43
@kayrus
Copy link
Contributor Author

kayrus commented Jul 19, 2016
edited
Loading

Can someone explain me why when I add debug info at the beginning of revokeCheckHandler function, I notice that the req contains nil TLS for the Peer listener? So it doesn't check whether cert is revocated for peers.

@kayrus
Copy link
Contributor Author

kayrus commented Jul 19, 2016

@heyitsanthony @xiang90 ^

@heyitsanthony
Copy link
Contributor

@kayrus I debugged this down to the go standard library. The TLS field is set depending on the tlsState which is set only if the connection type is tls.Conn (cf. https://golang.org/src/net/http/server.go#L1398). The peer listeners are created with rafthttp.NewListener which creates a transport.NewTimeoutListener, which creates a timeoutConn. So it looks like the type assertion is failing in the standard library and tlsState is never set.

@kayrus
Copy link
Contributor Author

kayrus commented Jul 19, 2016

@heyitsanthony what can we do with this?

@kayrus
Copy link
Contributor Author

kayrus commented Jul 20, 2016

@heyitsanthony nice! #5998 did the trick

@kayrus kayrus force-pushed the kayrus/crl_check branch 3 times, most recently from 52ab929 to 791f37d Compare July 20, 2016 08:28
heyitsanthony
heyitsanthony reviewed Jul 20, 2016
View reviewed changes
cmd/vendor/github.com/cloudflare/cfssl/revoke/revoke.go Outdated
@@ -31,17 +31,20 @@ type Revoke struct {
// status of a certificate (i.e. due to network failure) causes
// verification to fail (a hard failure).
HardFail bool
// HardFailLck is a Mutex locker for the HardFail
HardFailLck sync.Mutex
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please stick to whatever is in upstream?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

which rev in the cfssl repo has type Revoke struct? vendored deps shouldn't diverge from upstream...

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I work on several PRs in parallel. Please refer to the main PR message. It is still in progress I will let you know when it will be merged.

@xiang90
Copy link
Contributor

xiang90 commented Jul 20, 2016

@kayrus Let us know when this is reviewable. Probably separate out the vendor and code commits. Thank you a lot!

@kayrus
Copy link
Contributor Author

kayrus commented Jul 20, 2016
edited
Loading

@xiang90 sure. That is why this PR has [WIP] postfix.

@gyuho gyuho force-pushed the master branch 2 times, most recently from 44ca396 to 4301f49 Compare June 2, 2017 15:53
@heyitsanthony heyitsanthony mentioned this pull request Jun 17, 2017
Merged
@heyitsanthony
Copy link
Contributor

superseded by #8124

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Support for managing revoked certs
4 participants
@kayrus @xiang90 @heyitsanthony @gyuho