TLS and MTLS enhancements to HTTPListener input plugin

[allingeek]

This enhancement allows a user to enable TLS for the endpoint by providing certificate and private key files. They can use private PKI by specifying a list of certificate authority file names. Mutual TLS authentication can be enabled by providing a list of allowed client CA certificate files.

Signed-off-by: Jeff Nickoloff [email protected]

Required for all PRs:

• Signed CLA.
• Associated README.md updated.
• Has appropriate unit tests.

[danielnelson]

This will have to be a 1.5 addition.

[danielnelson]

This is probably a limitation in my TLS understanding, but I thought this (the one assigned to RootCAs) was only needed if you were a client. For instance, when setting a basic nginx server without client authentication up, you only need the ssl_certificate and ssl_certificate_key. Why do we need both of these CA options?

[allingeek]

You're correct. I've removed that unnecessary field and validated in testing.

[danielnelson]

I think this change will end up being copied around to other inputs that could support it, so I'm being even more pedantic about naming that normal. Let me know what you think.

[danielnelson]

I thought about calling this ssl_cert to match the normal client configuration, but since this our first server configuration maybe we have a chance to fix a few naming issues as I'm sure this will end up being copied to other listeners. What if we name the options:

• tls_cert
• tls_key
• tls_cacert (server or client is implicit based on how the plugin works)

I think all of the examples paths should end with .pem to indicate the formatting. The client paths are current like: "/etc/telegraf/cert.pem", but perhaps better would be "/etc/telegraf/server/cert.pem"?

At some point I would like to rename these in a backwards compatible way on the client side as well.

[allingeek]

Agreed on all points. Will update.

[allingeek]

Except CA... that needs to be something like "tls_allowed_cacerts" because service endpoints need to be able to authorize using a set of certs.

[danielnelson]

Sounds good

[danielnelson]

In the client config, we only support a single CA certificate, is there a strong argument for needing multiple CAs on the server side? I know it might be needed, but I don't want to make things complicated for limited payoff.

Also, should we have a way to use the hosts root CA set with client certificate validation? Is this what happens if tlsConfig.ClientCAs is nil but ClientAuth is set to RequireAndVerifyClientCert?

[allingeek]

The allowed client CAs are the only authorization mechanisms. I've worked in orgs and on products where multiple client root CAs are in use. Using a list of certificates for this purpose is common.

The current change will not use the system cert pool CAs. I'm not sure that CAs in the root trust chain vend client certificates. However, if we decide that is a feature we should pursue then we would need to add a flag - something like "allow_all_system_root_cas" - to indicate that the CertificatePool should originate from the SystemCertPool instead of an empty one. Personally, I'm not sure that I would ever authorize "all clients with certificates signed by a public root CA."

Currently, if ssl_allowed_client_certificate_authorities is unset then the service does not require client auth. At that point it is just an HTTPS listener which is still useful.

[danielnelson]

Agreed

[allingeek]

Let me know if you have any other feedback.

[danielnelson]

Looks like we just need to update the README with the new names.

[allingeek]

Updated... embarrassing.

[danielnelson]

Thanks!