Client TLS: Add option to require a specific DNS name in Subject Alternate Name #126
Conversation
|
@roidelapluie and @SuperQ this is ready for review when you get a chance, I'd like to get this into Loki for tighter security |
chodges15
force-pushed
the
verify-cert-san
branch
from
6149788
to
08e6333
Compare
|
@SuperQ - can you kick off CI for this PR again? Linter error that was causing previous error should be resolved. |
chodges15
force-pushed
the
verify-cert-san
branch
from
eba3081
to
f737664
Compare
|
@SuperQ - can I get another round of review for this? |
|
Looks good, can you update the README docs? |
chodges15
force-pushed
the
verify-cert-san
branch
2 times, most recently
from
2e40f19
to
f58eb40
Compare
|
@SuperQ - docs updated, ready for another review |
|
please remove the changelog |
|
@roidelapluie - changelog removed. |
|
I think we should force the regex to be anchored, as it is common in Prometheus. |
web/tls_config.go
Outdated
|
|
||
| // NewRegexp creates a new anchored Regexp and returns an error if the | ||
| // passed-in regular expression does not compile. | ||
| func NewRegexp(s string) (Regexp, error) { |
There was a problem hiding this comment.
This struct borrowed from Prometheus
If needed, this can be refactored by moving into github.com/prometheus/common, though it would be nice if that could be done in a follow up PR.
docs/web-configuration.md
Outdated
| # Verify that the client certificate has a Subject Alternate Name (SAN) which includes the following | ||
| # regex pattern, else terminate connection. SAN match can be one or multiple of the following: | ||
| # DNS, IP, e-mail, or URI address from https://pkg.go.dev/crypto/x509#Certificate. | ||
| [ client_allowed_san_regex: <string> | default ""] |
Signed-off-by: saroshali-dbx <saroshali@dropbox.com> Signed-off-by: chodges15 <chris.hodges@gmail.com>
Signed-off-by: saroshali-dbx <saroshali@dropbox.com> Signed-off-by: chodges15 <chris.hodges@gmail.com>
The changed certs were updated based on the command @WGH- in prometheus#61, just with an added SAN DNS. They were generated with this command: openssl req -x509 -newkey ec:<(openssl ecparam -name secp384r1) -keyout client2_selfsigned.key -out client2_selfsigned.pem -nodes -subj '/CN=test3' -days 36500 -addext "subjectAltName = DNS:test3" -addext "extendedKeyUsage = clientAuth" Signed-off-by: chodges15 <chris.hodges@gmail.com>
Signed-off-by: chodges15 <chris.hodges@gmail.com>
Signed-off-by: chodges15 <chris.hodges@gmail.com>
Signed-off-by: chodges15 <chris.hodges@gmail.com>
Signed-off-by: chodges15 <chris.hodges@gmail.com>
Signed-off-by: chodges15 <chris.hodges@gmail.com>
Signed-off-by: chodges15 <chris.hodges@gmail.com>
Signed-off-by: chodges15 <chris.hodges@gmail.com>
Signed-off-by: chodges15 <chris.hodges@gmail.com>
Signed-off-by: chodges15 <chris.hodges@gmail.com>
Signed-off-by: chodges15 <chris.hodges@gmail.com>
chodges15
force-pushed
the
verify-cert-san
branch
from
2985402
to
b205f7a
Compare
|
@roidelapluie - documentation fixed, not sure how I missed that. |
| @@ -163,6 +234,11 @@ func ConfigToTLSConfig(c *TLSConfig) (*tls.Config, error) { | |||
| cfg.ClientCAs = clientCAPool | |||
| } | |||
|
|
|||
| if c.ClientAllowedSanRegex.Regexp != nil { | |||
| // verify that the client cert contains the allowed domain name | |||
| cfg.VerifyPeerCertificate = c.VerifyPeerCertificate | |||
There was a problem hiding this comment.
I guess I'm not fully tracking the question, without the if the behavior would be to always require the client to verify SAN; unless you are thinking we could default the regex to be fully permissive with something like .*?
|
Shouldn't we use go upstream tls.VerifyOptions ? |
|
The upstream x509.VerifyHostname does not check all SAN fields, and for fields that it does check it does not support regex, only a wildcard. That being said, if we only care about DNS and IP addresses here (which would handle my use case) I'm fine going with the standard upstream verification. |
|
Okay. You are correct about SAN's. I think we can move ahead, maybe we should explicltly call out in the documentation that dots must be escaped due to the nature of regexes, but I am also happy about removing support for regexes and working with an explicit list of sans instead. |
Signed-off-by: chodges15 <chris.hodges@gmail.com>
|
An explicit list feels better here from a simplicity point of view - and more secure to avoid user regex mistakes. |
|
Sorry about the regex distraction. It seemed like a good idea at the time. :) |
|
One CI lint issue. |
Signed-off-by: chodges15 <chris.hodges@gmail.com>
|
thanks! |
|
Nice! |
|
Thanks for the good feedback @roidelapluie and @SuperQ. |
…rnate Name (prometheus#126) Signed-off-by: saroshali-dbx <saroshali@dropbox.com> Signed-off-by: chodges15 <chris.hodges@gmail.com> Co-authored-by: saroshali-dbx <saroshali@dropbox.com> Co-authored-by: Chris Hodges <chodges@dropbox.com> Co-authored-by: chodges15 <chris.hodges@gmail.org>
* [FEATURE] Client TLS: Add option to require a specific Subject Alternate Names #126 * [FEATURE] Add a POST form to the landing page #144 * [FEATURE] Add generic customization to landing page #146 * [ENHANCEMENT] Add a Content-Type header to the landing page #142 * [BUGFIX] Fix Nil pointer references for WebSystemdSocket #127 Signed-off-by: SuperQ <superq@gmail.com>
This is a follow up to the work done in #97 which addresses the requested change by @roidelapluie and @SuperQ to go from CN to SAN verification. Closes #96.
Command used to update the certs can be found in the commit message.