TLS support in KUKSA.val Client #580
Conversation
| To use a secure connection specify `--tls-cert`and `--tls-private-key` | ||
|
|
||
| ``` | ||
| ~/kuksa.val/kuksa_databroker$ cargo run --bin databroker -- --metadata ../data/vss-core/vss_release_4.0.json --tls-cert ../kuksa_certificates/Server.pem --tls-private-key ../kuksa_certificates/Server.key |
There was a problem hiding this comment.
I think we should use here the container solution instead as it is the preferred one.
There was a problem hiding this comment.
If so I think it makes sense to describe both alternatives, that is quite handy for testing.
And is the container solution the preferred one? If so why?
There was a problem hiding this comment.
I'd say it is the preferred one because it's easier for testing. And we mention the docker things in our quickstart. Butmentioning both wouldn't hurt.
There was a problem hiding this comment.
It depends on what type of testing you intend to do. If you intend to test with a released version it is true. If you intend to test with your own changes or with your own certificates it is somewhat more complicated. But it would indeed be good to show how to do it.
There was a problem hiding this comment.
I sort of agree that "cargo run" is more a development kind of view (also important), but there should be an answer for people "just downloaded/pulled a release", which also would act as guidance how e.g. projects like Velocitas would do it, when they provision everthing as containers
There was a problem hiding this comment.
I think this is part of a bigger discussion on what different deployment alternatives we support out of the box. In the future we might for instance release Databroker as a Debian/Apertis package as well and then we might need to have yet another alternative documented. I added a Docker example below.
doc/tls.md
Outdated
| to have "Server" as subjectAltName. | ||
|
|
||
| ``` | ||
| ~/kuksa.val/kuksa_databroker$ cargo run --bin databroker-cli -- --ca-cert ../kuksa_certificates/CA.pem |
| Uses TLS by default, but doe not support mutual TLS. By default it uses KUKSA.val example certificates/keys `Server.key`, `Server.pem` and `CA.pem`. | ||
|
|
||
| ``` | ||
| ~/kuksa.val/kuksa-val-server/build/src$ ./kuksa-val-server --vss ./vss_release_4.0.json |
| It is posible to specify a different certificate path, but the file names must be the same as listed above. | ||
|
|
||
| ``` | ||
| ~/kuksa.val/kuksa-val-server/build/src$ ./kuksa-val-server --vss ./vss_release_4.0.json -cert-path ../../../kuksa_certificates |
There was a problem hiding this comment.
Yes, I get the point
kuksa-client/README.md
Outdated
| ~/kuksa.val/kuksa-client$ kuksa-client --ip localhost --port 55555 --protocol grpc --certificate ../kuksa_certificates/Client.pem --keyfile ../kuksa_certificates/Client.key --cacertificate ./kuksa_certificates/CA.pem | ||
| ``` | ||
|
|
||
| As do this, as mutual authentication is not supported in KUKSA.val Databroker: |
There was a problem hiding this comment.
this sentence is not clear to me. Maybe rephrase it.
|
|
||
| ``` | ||
| kuksa-client --ip 127.0.0.1 --port 8090 --protocol ws --cacertificate ./kuksa_certificates/CA.pem | ||
| ``` |
There was a problem hiding this comment.
This returns: Disconnected!! [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: IP address mismatch, certificate is not valid for '127.0.0.1'. (_ssl.c:1129)
ran kuksa-val-server with docker run -it --rm -v $HOME/kuksaval.config:/config -p 127.0.0.1:8090:8090 -e LOG_LEVEL=ALL ghcr.io/eclipse/kuksa.val/kuksa-val:master
There was a problem hiding this comment.
What is in your config at $HOME/kuksaval.config? Do you use the new Server.pem certificate?
If not the error is expected as the old certificate only use "Server" as name. Try to use the --tls-server-name Server option and see if it helps. That is a "work-around" if your Server.pem does not include the name you are connecting to (in this case 127.0.0.1) or the TLS client by other reasons cannot handle name validation of IP-addresses
There was a problem hiding this comment.
I tested by building the kuksa-val-server container locally and running it as
docker run -it --rm -p 127.0.0.1:8090:8090 -e LOG_LEVEL=ALL kuksa-val:latest
and connecting to it with both 127.0.0.1 and localhost with kuksa-client and both connections worked.
(kuksa-client) erik@debian3:~/kuksa.val/kuksa-client$ kuksa-client --ip localhost --port 8090 --protocol ws --cacertificate ./kuksa_certificates/CA.pem
Welcome to Kuksa Client version 0.4.0a2.post36+git.556a8bbc.dirty
(kuksa-client) erik@debian3:~/kuksa.val/kuksa-client$ kuksa-client --ip 127.0.0.1 --port 8090 --protocol ws --cacertificate ./kuksa_certificates/CA.pem
Welcome to Kuksa Client version 0.4.0a2.post36+git.556a8bbc.dirty
There was a problem hiding this comment.
Tested it too with --tls-server-name Server it works fine.
| // With new tonic we do not need the hack of setting Server as domain name, | ||
| // it can resolve both localhost and 127.0.0.1 as subjectAltName | ||
| //.domain_name("Server"); |
There was a problem hiding this comment.
While informative for this PR, the comment should probably not be kept in the code going forward (i.e. should not be here).
There was a problem hiding this comment.
Agree, as soon as you tonic fix has been merged I will remove it. For now your tonic-fix is cherry-picked into this branch.
There was a problem hiding this comment.
I can just close that PR as it would be just as good to include that it in this one (as it's TLS related anyway).
There was a problem hiding this comment.
Closed the PR. Also, when you remove this comment, run cargo fmt as the build is failing because of faulty formatting (at these lines).
erikbosch
force-pushed
the
erik_tls
branch
2 times, most recently
from
49c1889 to
7acf03f
Compare
erikbosch
force-pushed
the
erik_tls
branch
2 times, most recently
from
1ffc530 to
e8cedce
Compare
That sounds like a good idea, so you would not just "enable TLS" and run into danger of (unintendedly) running with "factory certs". In the long run/making TLS mandatory question would be, how easy it can be get up and running (thinking quickstart again) |
Taking Databroker as an example, in the future I would like to support only two alternatives to start it: I.e. not having TLS mandatory, but if you want to run without TLS you must state it explicitly. The quickstart does not need to be that much more complicated, just add |
erikbosch
changed the title
|
@lukasmittag - please review when you are back from vacation |
doc/quickstart.md
Outdated
| @@ -2,11 +2,13 @@ | |||
|
|
|||
| The quickest possible way to get KUKSA.val up and running | |||
|
|
|||
| *Note: The examples in this document does not use TLS or access control.* | |||
There was a problem hiding this comment.
typo the examples and does
doc/tls.md
Outdated
| ## KUKSA.val Client (library) | ||
|
|
||
| Clients like [KUKSA.val CAN Feeder](https://github.com/eclipse/kuksa.val.feeders/tree/main/dbc2val) | ||
| tht use KUKSA.val Client library must typically set the path to the root CA certificate. |
kuksa-client/README.md
Outdated
| ``` | ||
|
|
||
| ## Using TLS |
There was a problem hiding this comment.
structure wise comment: Using TLS and then Connecting to KUKSA.val Server as sub headline without having a Connecting to KUKSA.val Databroker is not the best way. Only my opinion and nothing 'big'
There was a problem hiding this comment.
Good point, will fix it as soon as I see that all builds pass
Update tonic Make --insecure (or tls config) mandatory for databroker Remove server hack
This intends to provide a working solution for TLS usage with KUKSA.val Client.
Functional changes:
Tests have so far been performed towards both Server and Databroker, and also with DBC Feeder.
There should hopefully be no changes introducing incompatibility, but there are things we need to agree on later: