Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

automtls: fix bidirectional communication when AutoMTLS is enabled #193

Merged
merged 5 commits into from May 3, 2022
Merged

automtls: fix bidirectional communication when AutoMTLS is enabled #193

merged 5 commits into from May 3, 2022

Conversation

fairclothjm
Copy link
Contributor

@fairclothjm fairclothjm commented Apr 22, 2022
edited

Currently enabling AutoMTLS when connecting from a plugin process back to the host results in the following error:

transport: authentication handshake failed: x509: “localhost” certificate is not standards compliant

This is similar but not identical to the error described in #109 and #179

This PR enables the client and server to successfully establish the mTLS connection for bidirectional communication.

@calvn
Copy link
Member

calvn commented Apr 25, 2022

Took a look at how we generate certs on Vault for mTLS via bootstrap + wrapping token, and it looks the same as this modulo the issuer addition. Do you get the error if issuer is not specified?

@fairclothjm
Copy link
Contributor Author

Took a look at how we generate certs on Vault for mTLS via bootstrap + wrapping token, and it looks the same as this modulo the issuer addition. Do you get the error if issuer is not specified?

@calvn Yes, I do get the same error if the Issuer is not specified. But I did some more testing just now and if I don't set the Subject.Organization field then it works without setting the Issuer. generateCert in sdk/helper/pluginutil/tls.go also does not set the Subject.Organization.

Do you think that approach is preferable? I don't see any downside either way

@jbardin
Copy link
Member

jbardin commented Apr 25, 2022

I haven't thought about this in a long time, so I'm not going to try and comment about what is the more "correct" method for cert generation, but I would be concerned with making sure the changes is compatible between client and server versions. I would verify that existing clients and servers on different minor versions can interoperate with this change in either direction, otherwise we will need some way to make it optional to prevent needing a new major version.

@calvn
Copy link
Member

calvn commented Apr 25, 2022

Yes, I do get the same error if the Issuer is not specified. But I did some more testing just now and if I don't set the Subject.Organization field then it works without setting the Issuer. generateCert in sdk/helper/pluginutil/tls.go also does not set the Subject.Organization.

Interesting, I wonder how mTLS is working on Vault today since it doesn't seem to specify Issuer on cert generation.

WRT the organization field in Subject, I'd say that it's fine to leave it since that's been always present on go-plugin and doesn't seem to interfere with mTLS.

@fairclothjm
Copy link
Contributor Author

I wonder how mTLS is working on Vault today

Database plugins don't use the brokered connections back to the host. Using GRPCBroker is when I am seeing the Certificate errors occur.

calvn
calvn reviewed Apr 28, 2022
View reviewed changes
server_test.go Outdated Show resolved Hide resolved
server_test.go Show resolved Hide resolved
calvn
calvn reviewed Apr 28, 2022
View reviewed changes
server.go Show resolved Hide resolved
calvn
calvn reviewed Apr 28, 2022
View reviewed changes
client.go Show resolved Hide resolved
calvn
calvn approved these changes Apr 28, 2022
View reviewed changes
Copy link
Member

@calvn calvn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Left a few small comments/questions that other may answer too, but overall the change looks good! Ran the tests locally and they all passed.

@fairclothjm fairclothjm changed the title automtls: fix bidirectional communication and self-signed cert format automtls: fix bidirectional communication when AutoMTLS is enabled Apr 30, 2022
cipherboy
cipherboy approved these changes May 2, 2022
View reviewed changes
Copy link

@cipherboy cipherboy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good from a crypto perspective. :-)

jbardin
jbardin approved these changes May 2, 2022
View reviewed changes
Copy link
Member

@jbardin jbardin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested with both before+after client+server combinations using Terraform providers, and all seemed to work well!

@fairclothjm fairclothjm merged commit 5dee41c into master May 3, 2022
@fairclothjm fairclothjm deleted the fix-server-automtls branch May 3, 2022 19:13
This was referenced May 4, 2022
Merged
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@calvn calvn calvn approved these changes

@jbardin jbardin jbardin approved these changes

@cipherboy cipherboy cipherboy approved these changes

@briankassouf briankassouf Awaiting requested review from briankassouf

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@fairclothjm @calvn @jbardin @cipherboy