
proxy: Make inbound servers aware of client identities #2126

Closed
olix0r opened this issue Jan 22, 2019 · 2 comments
@olix0r
Member

olix0r commented Jan 22, 2019

Once #2125 is complete:

  1. we need tests that validate that the server properly validates the client's authenticator (i.e. that it can be verified with the trust chain)
  2. the client id should be included in the TLS status, as noted on inbound server metrics
  3. the client id should be included in inbound tap events.
  4. A l5d-client-id header should be added (similar to l5d-server-id)
@seanmonstar
Contributor

In order to provide this, we want to grab a verified SAN from the client certificate. As of today, there are two ways we could do this, but both will require additional work outside the proxy:

  1. Add the necessary API to webpki to get the verified DNS names. This is because there's otherwise no way to get the SAN from the rustls::Certificate. There's an in-progress PR, but it seems to have stalled.
  2. Add a way for the inbound proxy to get a list of all TlsIdentitys that the controller knows about. This would allow us to use webpki::EndEntityCert::verify_is_valid_for_dns_name, but we'd need to supply the DNS name, and iterate through a list.

@seanmonstar seanmonstar self-assigned this Jan 30, 2019
@seanmonstar
Contributor

PR for webpki filed: briansmith/webpki#91

olix0r pushed a commit to linkerd/linkerd2-proxy that referenced this issue Feb 7, 2019
If meshed TLS is used on an inbound connection, the TLS identity of the client is
added as a header `l5d-client-id` to the request, so that the internal
service can see it was encrypted.

* Client certificates were already automatically used if a proxy was configured with TLS.
* The server verifier was changed to _require_ a client certificate.
* We assume the first DNS name in the certificate is the TLS identity assigned
  by the controller's CA.
  * In order to get the DNS names from the certificate, a fork of webpki is
    used, while waiting for the pull request to land.
* The `l5d-client-id` header is stripped on both inbound and outbound requests
  at the beginning, so _only_ the inbound proxy will expose this header.

Closes linkerd/linkerd2#2125 linkerd/linkerd2#2126

Signed-off-by: Sean McArthur <[email protected]>
Co-Authored-By: seanmonstar <[email protected]>
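An added illustration of the header handling the commit message describes, written for this page rather than taken from linkerd2-proxy: it assumes a plain vector of header pairs in place of the proxy's real request types, and all identity values in it are constructed samples.

```rust
// Added example (not linkerd2-proxy code). Models the l5d-client-id rule from the
// commit: strip any caller-supplied copy first, then set it only on inbound,
// meshed-TLS connections, from the verified client certificate.
#[derive(Debug, Clone, PartialEq)]
pub enum Direction { Inbound, Outbound }

/// TLS status of the connection a request arrived on.
#[derive(Debug, Clone, PartialEq)]
pub enum TlsStatus {
    /// Plaintext or non-meshed TLS: no verified peer identity.
    NoIdentity,
    /// Meshed TLS: `client_id` is the first DNS SAN of the verified client cert.
    Meshed { client_id: String },
}

pub const CLIENT_ID_HEADER: &str = "l5d-client-id";
pub type Headers = Vec<(String, String)>;

/// Pick the identity from a verified certificate's DNS SANs. The commit assumes
/// the first DNS name is the identity issued by the controller's CA.
pub fn identity_from_dns_names(dns_names: &[&str]) -> Option<String> {
    dns_names.first().map(|n| n.to_string())
}

/// Remove every `l5d-client-id` (header names are case-insensitive) so a peer
/// cannot forge one, then add a fresh value only where the proxy verified it.
pub fn apply_client_id(mut headers: Headers, dir: Direction, tls: &TlsStatus) -> Headers {
    headers.retain(|(name, _)| !name.eq_ignore_ascii_case(CLIENT_ID_HEADER));
    if dir == Direction::Inbound {
        if let TlsStatus::Meshed { client_id } = tls {
            headers.push((CLIENT_ID_HEADER.to_string(), client_id.clone()));
        }
    }
    headers
}

/// All values of `l5d-client-id` present in `headers` (empty when stripped).
pub fn client_ids(headers: &Headers) -> Vec<String> {
    headers.iter()
        .filter(|(n, _)| n.eq_ignore_ascii_case(CLIENT_ID_HEADER))
        .map(|(_, v)| v.clone())
        .collect()
}

fn main() {
    // Constructed sample: a request arriving with a forged identity header.
    let forged: Headers = vec![("L5D-Client-Id".into(), "forged.example".into())];
    let verified = identity_from_dns_names(&["client.example", "alt.example"]).unwrap();
    let tls = TlsStatus::Meshed { client_id: verified };
    println!("{:?}", client_ids(&apply_client_id(forged, Direction::Inbound, &tls)));
}
```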