Commit Graph

84 Commits

Author SHA1 Message Date
Pablo Ruiz García 4188769c32
Added new auto_encrypt.grpc_server_tls config option to control AutoTLS enabling of GRPC Server's TLS usage
Fix for #14253

Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>
2022-08-24 12:31:38 -04:00
R.B. Boyer 61ebb38092
server: ensure peer replication can successfully use TLS over external gRPC (#13733)
Ensure that the peer stream replication rpc can successfully be used with TLS activated.

Also:

- If key material is configured for the gRPC port but HTTPS is not
  enabled now TLS will still be activated for the gRPC port.

- peerstream replication stream opened by the establishing-side will now
  ignore grpc.WithBlock so that TLS errors will bubble up instead of
  being awkwardly delayed or suppressed
2022-07-15 13:15:50 -05:00
DanStough a050aa39b9 Update go version to 1.18.1 2022-04-18 11:41:10 -04:00
Mike Morris 8020fb2098
agent: convert listener config to TLS types (#12522)
* tlsutil: initial implementation of types/TLSVersion

tlsutil: add test for parsing deprecated agent TLS version strings

tlsutil: return TLSVersionInvalid with error

tlsutil: start moving tlsutil cipher suite lookups over to types/tls

tlsutil: rename tlsLookup to ParseTLSVersion, add cipherSuiteLookup

agent: attempt to use types in runtime config

agent: implement b.tlsVersion validation in config builder

agent: fix tlsVersion nil check in builder

tlsutil: update to renamed ParseTLSVersion and goTLSVersions

tlsutil: fixup TestConfigurator_CommonTLSConfigTLSMinVersion

tlsutil: disable invalid config parsing tests

tlsutil: update tests

auto_config: lookup old config strings from base.TLSMinVersion

auto_config: update endpoint tests to use TLS types

agent: update runtime_test to use TLS types

agent: update TestRuntimeCinfig_Sanitize.golden

agent: update config runtime tests to expect TLS types

* website: update Consul agent tls_min_version values

* agent: fixup TLS parsing and compilation errors

* test: fixup lint issues in agent/config_runtime_test and tlsutil/config_test

* tlsutil: add CHACHA20_POLY1305 cipher suites to goTLSCipherSuites

* test: revert autoconfig tls min version fixtures to old format

* types: add TLSVersions public function

* agent: add warning for deprecated TLS version strings

* agent: move agent config specific logic from tlsutil.ParseTLSVersion into agent config builder

* tlsutil(BREAKING): change default TLS min version to TLS 1.2

* agent: move ParseCiphers logic from tlsutil into agent config builder

* tlsutil: remove unused CipherString function

* agent: fixup import for types package

* Revert "tlsutil: remove unused CipherString function"

This reverts commit 6ca7f6f58d268e617501b7db9500113c13bae70c.

* agent: fixup config builder and runtime tests

* tlsutil: fixup one remaining ListenerConfig -> ProtocolConfig

* test: move TLS cipher suites parsing test from tlsutil into agent config builder tests

* agent: remove parseCiphers helper from auto_config_endpoint_test

* test: remove unused imports from tlsutil

* agent: remove resolved FIXME comment

* tlsutil: remove TODO and FIXME in cipher suite validation

* agent: prevent setting inherited cipher suite config when TLS 1.3 is specified

* changelog: add entry for converting agent config to TLS types

* agent: remove FIXME in runtime test, this is covered in builder tests with invalid tls9 value now

* tlsutil: remove config tests for values checked at agent config builder boundary

* tlsutil: remove tls version check from loadProtocolConfig

* tlsutil: remove tests and TODOs for logic checked in TestBuilder_tlsVersion and TestBuilder_tlsCipherSuites

* website: update search link for supported Consul agent cipher suites

* website: apply review suggestions for tls_min_version description

* website: attempt to clean up markdown list formatting for tls_min_version

* website: moar linebreaks to fix tls_min_version formatting

* Revert "website: moar linebreaks to fix tls_min_version formatting"

This reverts commit 38585927422f73ebf838a7663e566ac245f2a75c.

* autoconfig: translate old values for TLSMinVersion

* agent: rename var for translated value of deprecated TLS version value

* Update agent/config/deprecated.go

Co-authored-by: Dan Upton <daniel@floppy.co>

* agent: fix lint issue

* agent: fixup deprecated config test assertions for updated warning

Co-authored-by: Dan Upton <daniel@floppy.co>
2022-03-24 15:32:25 -04:00
Dan Upton 57f0f42733
Support per-listener TLS configuration ⚙️ (#12504)
Introduces the capability to configure TLS differently for Consul's
listeners/ports (i.e. HTTPS, gRPC, and the internal multiplexed RPC
port) which is useful in scenarios where you may want the HTTPS or
gRPC interfaces to present a certificate signed by a well-known/public
CA, rather than the certificate used for internal communication which
must have a SAN in the form `server.<dc>.consul`.
2022-03-18 10:46:58 +00:00
Dhia Ayachi 4d763ef9e6
regenerate expired certs (#11462)
* regenerate expired certs

* add documentation to generate tests certificates
2021-11-01 11:40:16 -04:00
Daniel Nephin 6e9dd995eb tlsutil: only AuthorizerServerConn when VerifyIncomingRPC is true
See github.com/hashicorp/consul/issues/11207

When VerifyIncomingRPC is false the TLS conn will not have the required certificates.
2021-10-27 13:43:25 -04:00
Daniel Nephin 24df1392b3 rpc: include error for AuthorizeServerConn failures
The errs were not being captured because the value of append was not being assigned.
2021-10-04 13:22:30 -04:00
Daniel Nephin 402d3792b6 Revert "Merge pull request #10588 from hashicorp/dnephin/config-fix-ports-grpc"
This reverts commit 74fb650b6b966588f8faeec26935a858af2b8bb5, reversing
changes made to 58bd8173364effb98b9fd9f9b98d31dd887a9bac.
2021-09-29 12:28:41 -04:00
Hans Hasselberg 24c6ce0be0
tls: consider presented intermediates during server connection tls handshake. (#10964)
* use intermediates when verifying

* extract connection state

* remove useless import

* add changelog entry

* golint

* better error

* wording

* collect errors

* use SAN.DNSName instead of CommonName

* Add test for unknown intermediate

* improve changelog entry
2021-09-09 21:48:54 +02:00
Evan Culver 93f94ac24f
rpc: authorize raft requests (#10925) 2021-08-26 15:04:32 -07:00
Daniel Nephin 9c6458c6c2 rename GRPC->XDS where appropriate 2021-07-09 12:17:45 -04:00
Daniel Nephin e226733b26 fix 64-bit aligment for 32-bit platforms
sync/atomic must be used with 64-bit aligned fields, and that alignment is difficult to
ensure unless the field is the first one in the struct.

https://golang.org/pkg/sync/atomic/#pkg-note-BUG.
2021-06-29 16:10:21 -04:00
Daniel Nephin 6b5d3b78ef
Merge pull request #10497 from hashicorp/dnephin/tls-cert-exploration-3
tlsutil: unexport and remove methods
2021-06-25 18:24:33 -04:00
R.B. Boyer c3d5a2a5ab
connect/ca: cease including the common name field in generated certs (#10424)
As part of this change, we ensure that the SAN extensions are marked as
critical when the subject is empty so that AWS PCA tolerates the loss of
common names well and continues to function as a Connect CA provider.

Parts of this currently hack around a bug in crypto/x509 and can be
removed after https://go-review.googlesource.com/c/go/+/329129 lands in
a Go release.

Note: the AWS PCA tests do not run automatically, but the following
passed locally for me:

    ENABLE_AWS_PCA_TESTS=1 go test ./agent/connect/ca -run TestAWS
2021-06-25 13:00:00 -05:00
Daniel Nephin 4cc444e15f Invert the logic of outgoingRPCTLSDisabled
To remove the double negatives, which should make it easier to read.
2021-06-24 19:25:02 -04:00
Daniel Nephin 77dde1df38 tlsutil: inline verifyIncomingHTTPS
This function was only used in one place, and the indirection makes it slightly
harder to see what the one caller is doing. Since it's only accesing a couple fields
it seems like the logic can exist in the one caller.
2021-06-24 19:25:02 -04:00
Daniel Nephin 7342c7e977 tlsutil: remove indirection and duplication
VerifyIncomingRPC and verifyIncomingRPC were duplicate functions, and
once one is removed, Config.verifyIncomingRPC is only called in one place.

Remove 2 of the 3 functions to make the behaviour easier to follow (less indirection).
2021-06-24 18:43:30 -04:00
Daniel Nephin 9f9ffd990d tlsutil: remove unnecessary getter functions
These functions did nothing but hide the fields they were returning.
2021-06-24 18:43:29 -04:00
Daniel Nephin b30ec82d2d tlsutil: unexport and remove indirection
Unexport outgoingALPNRPCConfig since it is only used internally
Remove the MutualTLSCapable->mutualTLSCapable indirection, we only need the exported method.
Inline enableAgentTLSForChecks to make it more clear what it does, since it only has a single caller and is wrapping a single field lookup.
2021-06-24 18:43:29 -04:00
Daniel Nephin 63b43f9964 tlsutils: more test cases for OutgoingTLSConfigForCheck 2021-06-24 13:49:58 -04:00
Daniel Nephin 6de514fbd1 tlsutil: fix default server name for health checks
Don't use the agent node name or agent server name when EnableAgentTLSForChecks=false.
2021-06-24 13:49:58 -04:00
Daniel Nephin 2bfdd8ceed tlsutil: convert tests for OutgoingTLSConfigForCheck to a table
In preparation for adding more test cases.
2021-06-24 12:51:40 -04:00
Daniel Nephin 86c9cb037f tlsutil: reduce interface provided to auto-config
Replace two methods with a single one that returns the cert. This moves more
of the logic into the single caller (auto-config).

tlsutil.Configurator is widely used. By keeping it smaller and focused only on storing and
returning TLS config, we make the code easier to follow.

These two methods were more related to auto-config than to tlsutil, so reducing the interface
moves the logic closer to the feature that requires it.
2021-06-22 14:11:28 -04:00
Daniel Nephin 1bdcd3df91 tlsutil: un-ptr and document the manual struct 2021-06-21 12:52:54 -04:00
Daniel Nephin 106384a835 tlsutil: document Configurator and some of its fields 2021-06-21 12:52:54 -04:00
Daniel Nephin 96a1335874 tlsutil: un-ptr and add godoc to autoTLs struct
the autoTLS field on Configurator is only set once. By making it a value receiver it
should be allocated as a single block of memory along with Configurator.

Also add godoc to document what it is used for.
2021-06-21 12:52:54 -04:00
Daniel Nephin 212b8a7b3c tlsutil: remove unused method
Method was only used in tests, and an equivalent function alraedy exists.
2021-06-21 12:52:54 -04:00
Daniel Nephin f2a904db00 tlsutil: unexport two types
These types are only used internally and should not be exported.

Also remove some unnecessary function wrapping.
2021-06-21 12:52:54 -04:00
Daniel Nephin 63fdadfbe3 tlsutil: remove the RLock from log
The log method only needed the lock because it accessed version. By using an atomic
instead of a lock, we can remove the risk that the comments call out, making log safer
to use.

Also updates the log name to match the function names, and adds some comments about how
the lock is used.
2021-06-18 12:13:30 -04:00
Daniel Nephin e89dcf7783 tlsutil: Un-method Configurator.check
The method receiver was never used. Also rename it and add a godoc comment.
2021-06-18 12:13:30 -04:00
Daniel Nephin c9e53783d0 tlsutil: fix a panic
UpdateAutoTLSCA would panic if either of the calls errored, because the read lock was being unlocked
incorrectly.
2021-06-18 12:13:30 -04:00
Daniel Nephin 3717888b30 tlsutil: un-embed the RWMutex
Embedded structs make code harder to navidate because an IDE can not show all uses of
the methods of that field separate from other uses.

Generally embedding of structs should only be used to satisfy an interface, and in this
case the Configurator type does not need to implement the RWMutex interface.
2021-06-17 18:48:44 -04:00
Daniel Nephin 6ee17c15ff tlsutil: fix a test for go1.16
Using a TestSigner was causing problems because go1.16 has this change:

> CreateCertificate now verifies the generated certificate's signature
> using the signer's public key. If the signature is invalid, an error is
> returned, instead of a malformed certificate.

See https://golang.org/doc/go1.16#crypto/x509
2021-04-13 13:31:20 -04:00
Hans Hasselberg 052662bcf9
introduce certopts (#9606)
* introduce cert opts

* it should be using the same signer

* lint and omit serial
2021-03-22 10:16:41 +01:00
Christopher Broglie 94b02c3954 Add support for configuring TLS ServerName for health checks
Some TLS servers require SNI, but the Golang HTTP client doesn't
include it in the ClientHello when connecting to an IP address. This
change adds a new TLSServerName field to health check definitions to
optionally set it. This fixes #9473.
2021-03-16 18:16:44 -04:00
Daniel Nephin c312e0fd35 Fix main build failing
An old PR (#7623) was merged after #9585. The old code was incompatible with the new
changes, but none of the lines caused a git conflict so the merge was allowed.

The incompatible changes caused the tests to fail. This fixes the old code to
work with the new changes.
2021-02-05 17:25:57 -05:00
Kyle Havlovitz b299e30db6
Merge pull request #7623 from FriedCircuits/patch-1
Add support for RSA private key to TLS utils.
2021-02-04 11:37:51 -08:00
Hans Hasselberg 623aab5880
Add flags to support CA generation for Connect (#9585) 2021-01-27 08:52:15 +01:00
jsosulska 36a2fc55f9 Add RSA Test case for generating CA Cert 2021-01-20 18:36:55 -05:00
jsosulska b41d6a8321 Reuse Connect.parseSigner.Adds change from #8898
Co-authored-by: Aliaksandr Mianzhynski <amenzhinsky@gmail.com>
2021-01-20 18:36:55 -05:00
William 8c1741360b Add RSA Support to KeyID 2021-01-20 18:36:55 -05:00
William 99dd0953c4 Add support for RSA private key to TLS utils.
Co-authored-by: Thomas Detoux <detoux@gmail.com>
2021-01-20 18:35:53 -05:00
Mike Morris a343365da7
ci: update to Go 1.15.4 and alpine:3.12 (#9036)
* ci: stop building darwin/386 binaries

Go 1.15 drops support for 32-bit binaries on Darwin https://golang.org/doc/go1.15#darwin

* tls: ConnectionState::NegotiatedProtocolIsMutual is deprecated in Go 1.15, this value is always true

* correct error messages that changed slightly

* Completely regenerate some TLS test data

Co-authored-by: R.B. Boyer <rb@hashicorp.com>
2020-11-13 13:02:59 -05:00
Daniel Nephin 06f8674cb6 tlsutil: remove unused UseTLS field 2020-10-27 16:34:17 -04:00
Tim Arenz 6dbb5f3234
Add support for -ca-path option in the connect envoy command (#8606)
* Add support for -ca-path option in the connect envoy command
* Adding changelog entry
2020-09-08 12:16:16 +02:00
Matt Keeler 76add4f24c
Allow setting verify_incoming* when using auto_encrypt or auto_config (#8394)
Ensure that enabling AutoConfig sets the tls configurator properly

This also refactors the TLS configurator a bit so the naming doesn’t imply only AutoEncrypt as the source of the automatically setup TLS cert info.
2020-07-30 10:15:12 -04:00
Matt Keeler fa6a2b38d9
Add an AutoEncrypt “integration” test
Also fix a bug where Consul could segfault if TLS was enabled but no client certificate was provided. How no one has reported this as a problem I am not sure.
2020-06-30 15:23:29 -04:00
Matt Keeler 8c601ad8db
Merge pull request #8035 from hashicorp/feature/auto-config/server-rpc 2020-06-17 16:07:25 -04:00
Matt Keeler eda8cb39fd
Implement the insecure version of the Cluster.AutoConfig RPC endpoint
Right now this is only hooked into the insecure RPC server and requires JWT authorization. If no JWT authorizer is setup in the configuration then we inject a disabled “authorizer” to always report that JWT authorization is disabled.
2020-06-17 11:25:29 -04:00