Comments (11)
dhubler
commented on September 1, 2024
i can see how this would get in the way of custom cert validation so maybe
we allow explicitly setting that in config by adding that to the tls yang
and tls Node implementation.
some thoughts:
* adding a CA should work w/o restart then it's a bug
* if a user doesn't provide custom cert validation, seems like safest
default is as it is now, VerifyClientCertIfGiven, so that at least the cert
is validated w/the CAs
…On Fri, Nov 11, 2022 at 8:09 PM Patrick Dumais ***@***.***> wrote:
If I understand correctly, by adding CAs in fc-restconf.web.tls.ca, a
client will have its cert validated against any of the CAs according to
https://github.com/freeconf/restconf/blob/141e395ecaf03235b0f16933ba8b8bc273f21c32/stock/tls.go#L31
Does this mean that if a new CA needs to be added, then the server needs
to be restarted?
it would be nice if we could set this to RequireAnyClientCert or
RequestClientCert and then be able to manually validate the cert using a
Filter. This way, the application using restconf would be able to handle
requests and validate the certs using a dynamic list that is handled
outside of restconf
Or any other suggestions to achieve the same goal?
—
Reply to this email directly, view it on GitHub
<#11>, or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAACA7V2KTWO3U2U6QC272DWH3U57ANCNFSM6AAAAAAR6B4CKA>
.
You are receiving this because you are subscribed to this thread.Message
ID: ***@***.***>
from restconf.
pdumais
commented on September 1, 2024
If adding certs in the ca bag works without reload, then that's ok the way it is. You are confirming that this should be the case? I'll try to make it work, I was just not able to figure out how to update it during runtime yet.
from restconf.
pdumais
commented on September 1, 2024
Would you be able to provide an example on how to add multiple CAs for client auth?
I see I can provide 1 ca only using web.tls.ca.certfile in ApplyStartupConfig.
Should I be directly adding them in http.server.tls.Config.ClientCAs? If yes, would it create conflict with
Line 30 in 141e395
from restconf.
dhubler
commented on September 1, 2024
ok, yeah, i don't see a way currently. Are there any RFC on how to manage
cert trust stores we can implement?
…On Sat, Nov 12, 2022 at 4:46 PM Patrick Dumais ***@***.***> wrote:
Would you be able to provide an example on how to add multiple CAs for
client auth?
I see I can provide 1 ca only using web.tls.ca.certfile in
ApplyStartupConfig.
Should I be directly adding them in http.server.tls.Config.ClientCAs? If
yes, would create conflict with
https://github.com/freeconf/restconf/blob/141e395ecaf03235b0f16933ba8b8bc273f21c32/stock/tls.go#L31
?
—
Reply to this email directly, view it on GitHub
<#11 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAACA7W7IZAXK4W3JCKAAFDWIAFZRANCNFSM6AAAAAAR6B4CKA>
.
You are receiving this because you commented.Message ID:
***@***.***>
from restconf.
pdumais
commented on September 1, 2024
No RFC that I know of.
I think it would be good to have a way to allow users to implement their own strategy outside of freeconf. So freeconf would support all 4 options of ClientAuth and allow to add certs in the certpool. Other users, like myself, may want to skip the certpool and use a filter instead.
What was the intent behind the ca in the yang for tls?
from restconf.
dhubler
commented on September 1, 2024
we'll find a way, just trying to find a way that doesn't introduce issues.
FreeCONF let's you implement your own strategy, this is just somewhat
unique where your clients have a variety of CAs as I understand it. The
single CA assumes client and server certs are signed by same CA. Then this
works.
I found these proposed, active drafts
https://datatracker.ietf.org/doc/draft-ietf-netconf-trust-anchors/
https://datatracker.ietf.org/doc/draft-ietf-netconf-tls-client-server/
Ideally we implement them, but at a minimum we should take inspiration from
them.
…On Sat, Nov 12, 2022 at 10:22 PM Patrick Dumais ***@***.***> wrote:
No RFC that I know of.
I think it would be good to have a way to allow users to implement their
own strategy outside of freeconf. So freeconf would support all 4 options
of ClientAuth and allow to add certs in the certpool. Other users, like
myself, may want to skip the certpool and use a filter instead.
What was the intent behind the ca in the yang for tls?
—
Reply to this email directly, view it on GitHub
<#11 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAACA7RW2Q6RHZT37Z6D7IDWIBNFTANCNFSM6AAAAAAR6B4CKA>
.
You are receiving this because you commented.Message ID:
***@***.***>
from restconf.
pdumais
commented on September 1, 2024
That's correct. in our case, each client could have a different CA since we are working in a multi-tenant environment.
If I understand correctly, implementing those RFCs would add a truststore inside freeconf. I think that's a great feature, but I was initially proposing something simpler where freeconf would completely disregard the client certificates and offload the logic to the users of the library. The only thing preventing a user from using freeconf this way right now is that freeconf will not request a client certificate unless the fc-restconf.web.tls.ca.certFile is set. Freeconf only sets http.server.tls.config.ClientAuth if a certfile is provided and the auth is set to VerifyClientCertIfGiven.
I'm wondering if the simplest fix of all would be for freeconf to set http.server.tls.config.ClientAuth=RequestClientCert by default. With this setting as a default:
- a client cert would be requested but nothing would happen if a cert is not presented. So this is backwards compatible
- If a client cert is sent by the client, freeconf won't do anything about it, but the user could decide to implement a Filter to retrieve the client cert and implement his own strategy.
- if the user sets fc-restconf.web.tls.ca.certFile, then the behaviour will be overriden to VerifyClientCertIfGiven and certificates will be verified automatically. This would prevent the users from implementing their own strategy but that's fine since the user has made the conscious decision of adding a cert himself. This could later be improved to support multiple certificates. But this is not necessarily what I'm requesting from this ticket since I don't mind having to validate the certs myself.
My current PR allows a user to manually set ClientAuth, this adds more flexibility but also adds risks for users to shoot themselves in the foot. So maybe just setting http.server.tls.config.ClientAuth=RequestClientCert as the default would be the least invasive solution.
Does that make sense? I'm still reading through your code so it's possible I might have missed important aspects that makes my proposal impossible to implement.
from restconf.
dhubler
commented on September 1, 2024
I do understand your use case. The fc-restconf.web.tls.ca.certFile is
used for server cert CA as well otherwise your proposal would work fine.
Let me investigate exposing the setting from a Go API code level, (i.e. not
YANG) and add copious comments that you MUST validate client certs CA
elsewhere like Filters and see what that looks like. This should only take
couple hours.
…On Sun, Nov 13, 2022 at 8:17 AM Patrick Dumais ***@***.***> wrote:
That's correct. in our case, each client could have a different CA since
we are working in a multi-tenant environment.
If I understand correctly, implementing those RFCs would add a truststore
inside freeconf. I think that's a great feature, but I was initially
proposing something simpler where freeconf would completely disregard the
client certificates and offload the logic to the users of the library. The
only thing preventing a user from using freeconf this way right now is that
freeconf will not request a client certificate unless the
fc-restconf.web.tls.ca.certFile is set. Freeconf only sets
http.server.tls.config.ClientAuth if a certfile is provided and the auth is
set to VerifyClientCertIfGiven.
I'm wondering if the simplest fix of all would be for freeconf to set
http.server.tls.config.ClientAuth=RequestClientCert by default. With this
setting as a default:
- a client cert would be requested but nothing would happen if a cert
is not presented. So this is backwards compatible
- If a client cert is sent by the client, freeconf won't do anything
about it, but the user could decide to implement a Filter to retrieve the
client cert and implement his own strategy.
- if the user sets fc-restconf.web.tls.ca.certFile, then the behaviour
will be overriden to VerifyClientCertIfGiven and certificates will be
verified automatically. This would prevent the users from implementing
their own strategy but that's fine since the user has made the conscious
decision of adding a cert himself. This could later be improved to support
multiple certificates. But this is not necessarily what I'm requesting from
this ticket since I don't mind having to validate the certs myself.
My current PR allows a user to manually set ClientAuth, this adds more
flexibility but also adds risks for users to shoot themselves in the foot.
So maybe just setting http.server.tls.config.ClientAuth=RequestClientCert
as the default would be the least invasive solution.
Does that make sense? I'm still reading through your code so it's possible
I might have missed important aspects that makes my proposal impossible to
implement.
—
Reply to this email directly, view it on GitHub
<#11 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAACA7RBGP6BUWYBFO4YM53WIDS63ANCNFSM6AAAAAAR6B4CKA>
.
You are receiving this because you commented.Message ID:
***@***.***>
from restconf.
dhubler
commented on September 1, 2024
It might already be accessible
mgmt := restconf.NewServer(d)
// after you apply config, Web and Server should be created, then...
mgmt.Web.Server.TLSConfig.ClientAuth = tls.RequestClientCert
…On Sun, Nov 13, 2022 at 9:47 AM Douglas Hubler ***@***.***> wrote:
I do understand your use case. The fc-restconf.web.tls.ca.certFile is
used for server cert CA as well otherwise your proposal would work fine.
Let me investigate exposing the setting from a Go API code level, (i.e.
not YANG) and add copious comments that you MUST validate client certs CA
elsewhere like Filters and see what that looks like. This should only take
couple hours.
On Sun, Nov 13, 2022 at 8:17 AM Patrick Dumais ***@***.***>
wrote:
> That's correct. in our case, each client could have a different CA since
> we are working in a multi-tenant environment.
>
> If I understand correctly, implementing those RFCs would add a truststore
> inside freeconf. I think that's a great feature, but I was initially
> proposing something simpler where freeconf would completely disregard the
> client certificates and offload the logic to the users of the library. The
> only thing preventing a user from using freeconf this way right now is that
> freeconf will not request a client certificate unless the
> fc-restconf.web.tls.ca.certFile is set. Freeconf only sets
> http.server.tls.config.ClientAuth if a certfile is provided and the auth is
> set to VerifyClientCertIfGiven.
>
> I'm wondering if the simplest fix of all would be for freeconf to set
> http.server.tls.config.ClientAuth=RequestClientCert by default. With this
> setting as a default:
>
> - a client cert would be requested but nothing would happen if a cert
> is not presented. So this is backwards compatible
> - If a client cert is sent by the client, freeconf won't do anything
> about it, but the user could decide to implement a Filter to retrieve the
> client cert and implement his own strategy.
> - if the user sets fc-restconf.web.tls.ca.certFile, then the
> behaviour will be overriden to VerifyClientCertIfGiven and certificates
> will be verified automatically. This would prevent the users from
> implementing their own strategy but that's fine since the user has made the
> conscious decision of adding a cert himself. This could later be improved
> to support multiple certificates. But this is not necessarily what I'm
> requesting from this ticket since I don't mind having to validate the certs
> myself.
>
> My current PR allows a user to manually set ClientAuth, this adds more
> flexibility but also adds risks for users to shoot themselves in the foot.
> So maybe just setting http.server.tls.config.ClientAuth=RequestClientCert
> as the default would be the least invasive solution.
>
> Does that make sense? I'm still reading through your code so it's
> possible I might have missed important aspects that makes my proposal
> impossible to implement.
>
> —
> Reply to this email directly, view it on GitHub
> <#11 (comment)>,
> or unsubscribe
> <https://github.com/notifications/unsubscribe-auth/AAACA7RBGP6BUWYBFO4YM53WIDS63ANCNFSM6AAAAAAR6B4CKA>
> .
> You are receiving this because you commented.Message ID:
> ***@***.***>
>
from restconf.
pdumais
commented on September 1, 2024
Yes. This would work. As long as I dont set the root CA cert in the config, otherwise it will get overriden.
This is what I'll use for now.
Do we close this issue? Or would it still be preferable to add "official" support for this?
from restconf.
dhubler
commented on September 1, 2024
Let's close the issue. I see that if this comes up again and this solution
doesn't suffice, we look to implementing one of these models.
…On Sun, Nov 13, 2022 at 5:18 PM Patrick Dumais ***@***.***> wrote:
Yes. This would work. As long as I dont set the root CA cert in the
config, otherwise it will get overriden.
This is what I'll use for now.
Do we close this issue? Or would it still be preferable to add "official"
support for this?
—
Reply to this email directly, view it on GitHub
<#11 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAACA7RZGMZM6NQKXPXQQATWIFSMJANCNFSM6AAAAAAR6B4CKA>
.
You are receiving this because you commented.Message ID:
***@***.***>
from restconf.
Related Issues (20)
- when requesting xml, response is a truncated json response HOT 5
- Feature request: Support XMLparsing HOT 1
- Feature request: Support XML output HOT 7
- ServeHTTP in server is not using Request context HOT 2
- Restconf server automatically opens a HTTP server HOT 1
- Feature request: Improve README HOT 1
- Feature request: Improve reflection support HOT 3
- Feature request: Improve error handling HOT 7
- Yang reference needs bump HOT 1
- Response content type not correctly set after XML pull request merge HOT 1
- local.go:ApplyStartupConfigFile function panics instead of returning an error HOT 2
- Restconf does not set the body in the right format (XML) for errors with a body when the accept in the request is XML HOT 2
- Restconf go.mod does not refer to latest freeconf/yang HOT 1
- Content-Type set in util::handle is overwritten by net/http/server.go HOT 1
- Response body for errors not valid in XML HOT 1
- Edit a leaf with `config false` HOT 2
- Question: how to post binary data with JSON HOT 3
- Bug in support for RFC 8525 HOT 3
- Question: how to view full config after change HOT 9
- Question: how to re-retrieve server configuration HOT 5
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from restconf.