Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improve TLS connection resilience #881

Merged
merged 2 commits into from
Mar 20, 2023
Merged

Improve TLS connection resilience #881

merged 2 commits into from
Mar 20, 2023

Conversation

Jarema
Copy link
Member

@Jarema Jarema commented Mar 17, 2023

Until now, it was possible to procure MitM attack by acting
as a malicious fake server.
This commit removes that possibility by never trusting pre-tls
addresses provided by the NATS server.

For now, it has to be based of tokio-rustls fork, as ruslts support
for IP addresses is not yet released.

This points tokio-rustls to rustls main branch. No custom code was added.

Signed-off-by: Tomasz Pietrek tomasz@nats.io

@Jarema
Change nats-server to return localhost instead of 127.0.0.1
782fd3f 
Signed-off-by: Tomasz Pietrek <tomasz@nats.io>
@Jarema Jarema requested a review from caspervonb March 17, 2023 08:36
@Jarema Jarema mentioned this pull request Mar 17, 2023
Closed
paolobarbolini
paolobarbolini reviewed Mar 17, 2023
View reviewed changes
async-nats/src/connector.rs Outdated
@@ -301,21 +301,8 @@ impl Connector {
.map_err(|err| ConnectError::with_source(crate::ConnectErrorKind::Tls, err))?;

// Use the server-advertised hostname to validate if given as a hostname, not an IP address
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This comment is now wrong

@Jarema
Improve TLS connection resilience
2d01171 
Until now, it was possible to procure MitM attack by acting
as malicious fake server.
This commit removes that possibility by never trusting pre-tls
addresses provided by the NATS server.

For now it has to be based of tokio-rustls fork, as ruslts support
for IP addresses is not yet released.

This points tokio-rustls to rustls main branch. No custom code added.

Signed-off-by: Tomasz Pietrek <tomasz@nats.io>
caspervonb
caspervonb approved these changes Mar 19, 2023
View reviewed changes
Copy link
Collaborator

@caspervonb caspervonb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@Jarema Jarema merged commit 817a7b9 into main Mar 20, 2023
@Jarema Jarema deleted the jarema/fix-tls branch March 20, 2023 07:41
@Jarema Jarema mentioned this pull request Mar 20, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@paolobarbolini paolobarbolini paolobarbolini left review comments

@caspervonb caspervonb caspervonb approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Jarema @caspervonb @paolobarbolini