  1. MariaDB MaxScale
  2. MXS-5030

Add client certificate verification to the REST-API

Details

    • New Feature
    • Status: Closed
    • Major
    • Resolution: Won't Do
    • None
    • N/A
    • REST-API

    Description

      Currently the TLS certificate of the client is not verified against the configured CA of the REST-API. Comparing this to MariaDB connections, it behaves as if a user was created with REQUIRE SSL but not REQUIRE X509. Adding support for the latter would require that the client's host is verified to be correct and signed by the configured CA or system CAs.

      Attachments

        Activity

          allen.herrera Allen Herrera added a comment - - edited

          I think I have a reproduction of this lack of verification of admin_ssl_cert, though let me know if a new ticket is required.

          Error:

          Error: write EPROTO 139947547596672:error:0407E085:rsa routines:RSA_verify_PKCS1_PSS_mgf1:first octet invalid:../deps/openssl/openssl/crypto/rsa/rsa_pss.c:70:
          139947547596672:error:1417B07B:SSL routines:tls_process_cert_verify:bad signature:../deps/openssl/openssl/ssl/statem/statem_lib.c:504:
          

          Reproduction:

          mkdir -p /mnt/certs
          cd  /mnt/certs
           
          # Generate CA Authority key
          openssl genrsa 2048 > ca-key.pem
          # Generate X509 cert for Authority key
          openssl req -new -x509 -nodes -days 365000 -key ca-key.pem -out ca-cert.pem -subj "/C=US/ST=Georgia/L=Atlanta/O=Authority/OU=Authority123/CN=CommonName"
           
          # Generate server private key and cert
          openssl req -newkey rsa:2048 -nodes -days 365000 -keyout server-key.pem -out server-req.pem -subj "/C=US/ST=Georgia/L=Atlanta/O=Server/OU=Server123/CN=Server456"
          # Generate X509 cert between Authority & server
          openssl x509 -req -days 365000 -set_serial 01 -in server-req.pem -out server-cert.pem -CA ca-cert.pem -CAkey ca-key.pem
           
          # Generate client private key and cert
          openssl req -newkey rsa:2048 -nodes -days 365000 -keyout client-key.pem -out client-req.pem -subj "/C=US/ST=Georgia/L=Atlanta/O=Client/OU=Client123/CN=Client456"
          # Generate X509 cert for client
          openssl x509 -req -days 365000 -set_serial 01 -in client-req.pem -out client-cert.pem -CA ca-cert.pem -CAkey ca-key.pem
           
          chown -R maxscale:maxscale /mnt/certs
           
          # Verify the client certificate
          openssl verify -CAfile ca-cert.pem ca-cert.pem client-cert.pem
          # Verify the server certificate
          openssl verify -CAfile ca-cert.pem ca-cert.pem server-cert.pem
           
          maxctrl show maxscale  | grep -i admin_ssl*
           
          maxctrl create user mxadmin mxadminpassword --type=admin
          # maxctrl destroy user mxadmin
          maxctrl --user=mxadmin --password=mxadminpassword list servers
           
          # works
          maxctrl alter maxscale admin_ssl_cert /mnt/certs/server-cert.pem
          maxctrl alter maxscale admin_ssl_key /mnt/certs/server-key.pem
          systemctl restart maxscale
          secure="--user=mxadmin --password=mxadminpassword --secure --tls-ca-cert=/mnt/certs/ca-cert.pem --tls-verify-server-cert=false"
          maxctrl $secure list servers
          maxctrl $secure show maxscale | grep -i admin_ssl*
           
          # Now that we have first set of certs - time to replace/update with new ones
          mkdir -p /mnt/certs-new
          cd  /mnt/certs-new
           
          # Generate CA Authority key
          openssl genrsa 2048 > ca-key.pem
          # Generate X509 cert for Authority key
          openssl req -new -x509 -nodes -days 365000 -key ca-key.pem -out ca-cert.pem -subj "/C=US/ST=Georgia/L=Atlanta/O=Authority/OU=Authority123/CN=CommonName" 
           
          # Generate server private key and cert
          openssl req -newkey rsa:2048 -nodes -days 365000 -keyout server-key.pem -out server-req.pem -subj "/C=US/ST=Georgia/L=Atlanta/O=Server/OU=Server123/CN=Server456" -config <(printf "[req]\ndistinguished_name = req_distinguished_name\nreq_extensions = v3_req\n\n[req_distinguished_name]\n[v3_req]\nkeyUsage = keyEncipherment, dataEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = IP:127.0.0.1")
          # Generate X509 cert between Authority & server
          openssl x509 -req -days 365000 -set_serial 01 -in server-req.pem -out server-cert.pem -CA ca-cert.pem -CAkey ca-key.pem
           
          # Generate client private key and cert
          openssl req -newkey rsa:2048 -nodes -days 365000 -keyout client-key.pem -out client-req.pem -subj "/C=US/ST=Georgia/L=Atlanta/O=Client/OU=Client123/CN=Client456" -config <(printf "[req]\ndistinguished_name = req_distinguished_name\nreq_extensions = v3_req\n\n[req_distinguished_name]\n[v3_req]\nkeyUsage = keyEncipherment, dataEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = IP:127.0.0.1")
          # Generate X509 cert for client
          openssl x509 -req -days 365000 -set_serial 01 -in client-req.pem -out client-cert.pem -CA ca-cert.pem -CAkey ca-key.pem
           
          chown -R maxscale:maxscale /mnt/certs-new
           
          # Verify the client certificate
          openssl verify -CAfile ca-cert.pem ca-cert.pem client-cert.pem
          # Verify the server certificate
          openssl verify -CAfile ca-cert.pem ca-cert.pem server-cert.pem
          maxctrl $secure show maxscale  | grep -i admin_ssl*
           
          maxctrl $secure alter maxscale admin_ssl_cert /mnt/certs-new/server-cert.pem
          cat /var/lib/maxscale/maxscale.cnf.d/maxscale.cnf
           
          ##################################################################
          # FAILS HERE
          maxctrl $secure alter maxscale admin_ssl_key /mnt/certs-new/server-key.pem
          Error: write EPROTO 139947547596672:error:0407E085:rsa routines:RSA_verify_PKCS1_PSS_mgf1:first octet invalid:../deps/openssl/openssl/crypto/rsa/rsa_pss.c:70:
          139947547596672:error:1417B07B:SSL routines:tls_process_cert_verify:bad signature:../deps/openssl/openssl/ssl/statem/statem_lib.c:504:
          # work around: vi /var/lib/maxscale/maxscale.cnf.d/maxscale.cnf  "/mnt/certs/server-key.pem" -> "/mnt/certs-new/server-key.pem"; then systemctl restart maxscale
           
          # Expectation - stop the alter? but then how to update both values 
          maxctrl $secure reload tls
           
          secure="--user=mxadmin --password=mxadminpassword --secure --tls-ca-cert=/mnt/certs-new/ca-cert.pem --tls-verify-server-cert=false"
          maxctrl $secure list servers
          maxctrl $secure show maxscale  | grep -i admin_ssl*
          

          side error that could be more clear

          Error: socket hang up
          

          markus makela added a comment -

          The solution to how to update both values is to use:

          maxctrl $secure alter maxscale admin_ssl_key=/mnt/certs-new/server-key.pem admin_ssl_cert=/mnt/certs-new/server-cert.pem
          

          markus makela added a comment -

          I filed MXS-5033 for the lack of compatibility testing between the certificates being configured for the REST-API. Any problems with the key should be reported by the alter command.
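
An operator-side version of the compatibility check discussed in this thread, as an added example that is not MaxScale code or part of the original comments: it confirms that a certificate and private key belong together, and optionally that the certificate chains to a given CA, before both paths are passed to a single `maxctrl alter maxscale` call. The function names `check_tls_pair`, `make_test_pki` and `report` are hypothetical, and the certificates are throwaway ones constructed in a temporary directory.

```bash
#!/usr/bin/env bash
# Added example, not MaxScale code: pre-flight check for a cert/key pair.
# Result: 0 = key matches cert (and cert chains to the CA, if one is given),
#         1 = cert/key mismatch, 2 = unreadable file, 3 = not signed by CA.
check_tls_pair() {
    local cert="$1" key="$2" ca="${3:-}" cert_pub key_pub
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    # Both commands print the public key as SubjectPublicKeyInfo PEM, so equal
    # text means the private key belongs to the certificate.
    [ "$cert_pub" = "$key_pub" ] || return 1
    if [ -n "$ca" ]; then
        openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 3
    fi
    return 0
}

# Constructed sample input: throwaway CA and server cert in directory $1,
# built like the reproduction above but valid for one day only.
make_test_pki() {
    local d="$1"
    mkdir -p "$d"
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 1 -subj "/CN=Test CA" \
        -keyout "$d/ca-key.pem" -out "$d/ca-cert.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Server" \
        -keyout "$d/server-key.pem" -out "$d/server-req.pem" 2>/dev/null
    openssl x509 -req -days 1 -set_serial 01 -in "$d/server-req.pem" \
        -out "$d/server-cert.pem" -CA "$d/ca-cert.pem" -CAkey "$d/ca-key.pem" 2>/dev/null
}

# Print the result code for one cert/key/CA combination.
report() {
    local label="$1" rc=0
    shift
    check_tls_pair "$@" || rc=$?
    echo "$label -> $rc"
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
old="$work/certs" new="$work/certs-new"
make_test_pki "$old"
make_test_pki "$new"
report "old cert, old key, old CA" "$old/server-cert.pem" "$old/server-key.pem" "$old/ca-cert.pem"
report "new cert, old key (cert changed alone)" "$new/server-cert.pem" "$old/server-key.pem"
report "new cert, new key, old CA" "$new/server-cert.pem" "$new/server-key.pem" "$old/ca-cert.pem"
report "new cert, new key, new CA" "$new/server-cert.pem" "$new/server-key.pem" "$new/ca-cert.pem"
```

A result of 3 for the third combination is a reminder that clients still passing the old CA in `--tls-ca-cert` need the new CA file once the pair is rotated.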


          People

            Unassigned Unassigned
            markus makela markus makela