TLS With Certificate Management for PVXS #92
Draft

george-mcintyre wants to merge 560 commits into epics-base:tls from george-mcintyre:tls (base: tls)
Conversation
george-mcintyre referenced this pull request in george-mcintyre/pvxs on Nov 25, 2024:
…h TLS - Clarify git commands for fetching PR #92 - Remove extraneous spaces in certificate states section
Andrew Johnson (Member):

The OS community looks to be moving away from OCSP, that might mean functionality to support it could eventually be removed from libraries that implement TLS...
george-mcintyre (Contributor, Author):

Hiya Andrew. Thanks for the heads up.

CRLs have proven to be an inefficient way of transferring revocation information to clients, however the efficiency has improved dramatically in recent years by having browsers pre-download lists on a regular update basis, commonly six hours, and by the use of sharding to reduce the list sizes in some application domains where possible. At the same time OCSP has come under attack because malicious actors can snoop the OCSP requests to spy on the browser activity of infected clients.

1. In Secure PV Access our certificate status requests, though now a simple PV, are equally transparent on the network, so are susceptible to the same snooping attack. However, ALL PV Access searches (Secure or legacy) remain completely transparent on the network in any case. We may need to address this vulnerability in future, but Secure PV Access deliberately does not. For the responses, we are using the same signed packaging of OCSP (PKCS#7) but transporting it over PV Access.

2. In typical usage scenarios of OCSP we have a browser agent which has persistent, cross-invocation, storage. The large downloads that plagued the implementations of CRLs in the past were mitigated by the browser agent making frequent updates to its cached list that were independent of user browser activity, so that by the time a user request was made the revocation status of any certificate the request contained would already be known. With Secure PV Access we could use a similar persistent storage location to allow all Secure PV Access clients to share a list of updated certificate revocations. However, unlike in the browser scenario, we don't have a single "app" that could maintain this list independently of application requests. Failing this, all initial Secure PV Access requests would have to wait for a new full CRL to be updated in the client storage before a connection could be established. This is not to say that something couldn't be proposed. Just that the environments are significantly different.

3. We are using some openssl OCSP functions and macros in our response implementation, so this is indeed of some concern. We will seriously look at moving to directly signing our OCSP responses using the PKCS#7 format which is independent of OCSP, and creating our own payload structure instead of relying on the OCSP functions for packing and unpacking the response. We will continue to monitor this developing issue and see what other changes to the design of Secure PV Access need to be made. New patterns are constantly being proposed, implemented and tested in this respect, so we'll keep our eyes open.

Thanks again for the update. We'll look at changing our response processing.

George McIntyre

On 13 Jan 2025, at 22:49, Andrew Johnson wrote:

> The OS community looks to be moving away from OCSP, that might mean functionality to support it could eventually be removed from libraries that implement TLS...
> https://letsencrypt.org/2024/07/23/replacing-ocsp-with-crls/
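The trade-off in point 2 above (a revocation list refreshed on a schedule independent of client activity, versus a client that has no fresh copy when it first connects) comes down to a freshness window. The following is an added illustration, not PVXS code and not George's: the status names are hypothetical, modelled on the `cert_status_category_t` / `UNKNOWN_STATUS` mentioned in the commit list, and the dates and serials are constructed.

```python
# Revocation-cache freshness model: added example, not PVXS code.
# A cached CRL is usable only inside its thisUpdate/nextUpdate window
# (RFC 5280); without a fresh copy a client can only report UNKNOWN.
from collections import namedtuple
from datetime import datetime, timedelta, timezone
from enum import Enum

class StatusCategory(Enum):
    # Hypothetical names modelled on cert_status_category_t / UNKNOWN_STATUS.
    GOOD = "GOOD"
    REVOKED = "REVOKED"
    UNKNOWN_STATUS = "UNKNOWN_STATUS"

# A cached CRL: revoked serials plus its RFC 5280 thisUpdate/nextUpdate window.
CrlSnapshot = namedtuple("CrlSnapshot", "this_update next_update revoked_serials")

class RevocationCache:
    """Store filled by a background refresher, independent of client requests."""
    def __init__(self):
        self._snapshot = None

    def refresh(self, snapshot):
        self._snapshot = snapshot

    def is_fresh(self, now):
        s = self._snapshot
        return s is not None and s.this_update <= now < s.next_update

    def check(self, serial, now):
        if not self.is_fresh(now):  # cold start, or copy past nextUpdate
            return StatusCategory.UNKNOWN_STATUS
        if serial in self._snapshot.revoked_serials:
            return StatusCategory.REVOKED
        return StatusCategory.GOOD

def may_connect(status, fail_closed=True):
    """UNKNOWN is acceptable only under a soft-fail policy; REVOKED never is."""
    if status is StatusCategory.REVOKED:
        return False
    if status is StatusCategory.UNKNOWN_STATUS:
        return not fail_closed
    return True

def demo():
    """Constructed timeline: cold start, warm cache, then a copy past nextUpdate."""
    now = datetime(2025, 1, 14, 9, 0, tzinfo=timezone.utc)
    cache = RevocationCache()
    cold = cache.check("0A1B", now)  # nothing downloaded yet -> UNKNOWN_STATUS
    cache.refresh(CrlSnapshot(now - timedelta(hours=1), now + timedelta(hours=5), frozenset({"0A1B"})))
    return (cold, cache.check("0A1B", now), cache.check("0C2D", now),
            cache.check("0C2D", now + timedelta(hours=6)))
```

The cold-start result is the case the comment describes: a client with no shared, pre-populated store cannot answer GOOD or REVOKED until a fresh list has arrived, so the connection policy has to decide what UNKNOWN means.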
…ates include MIC token handling in CCR, public key integrity checks, and associated cleanups and comments for improved Kerberos security context management.
…addition of public key, ACLs, and attributes. Improve Dockerfile structure with schema/application loading and cleanup, and enhance SSSD configurations.
… unnecessary parameters, and implement full LDAP-based key verification. Added new helper methods for DN generation, public key retrieval from LDAP, and base64 encoding. Enhanced IP and hostname fallback for authentication.
…ve error handling. - Migrate from `ldap_init` to `ldap_initialize`. - Replace `ldap_get_values` with `ldap_get_values_len` to properly handle binary data. - Enhance error handling for LDAP operations (`ldap_set_option`, `ldap_bind`, etc.). - Streamline LDAP query logic and attribute retrieval process.
…tication method handling.
…s, and streamline dependencies.
…min, softIOC, and client bashrc scripts.
…iable parsing and expand support for standard fields (name, organization, org unit, country) with server-specific variants.
… readability, fixed const correctness, replaced placeholders with ${DOCKER_USERNAME}, and standardized variable naming in authnldap.cpp/h to enhance maintainability.
…commands into single chained operations. Adjust LDAP include directive to address deprecation warnings for better compatibility on macOS.
…code utility. Replace SASL bind with simple bind. Improve memory management and string handling in encoding/decoding functions.
- Added expiration time for LDAP credentials (not_before and not_after fields). - Fixed incorrect parameter order in CertFactory::verifySignature. - Ensured consistent base64 decoding for signature and public keys. - Improved error messages for key-related exceptions. - Refactored `getPublicKey` to use `const` correctness and nullptr. - Renamed `publicKeyString` to `public_key_string` for consistency. These changes improve correctness, readability, and robustness.
…variables for improved readability and reusability across authentication modules.
…efactor variable initialization and improve GSSAPI error reporting
…eros authentication. - Refactored `fromAuthNEnv` to `fromAuthEnv` for standardization across LDAP, JWT, and Kerberos configurations. - Introduced detailed documentation and comments for clarity in Kerberos authentication processes, including MIC verification, credential handling, and CCR validation. - Simplified formatting, enhanced error reporting, and ensured memory cleanup in Kerberos-related functions. - Added constants for Kerberos default configuration and improved logging for debugging. Ensures cleaner and more maintainable code with enhanced inline documentation.
…d detailed certificate monitoring/debugging messages, and standardize log formatting to improve clarity and traceability.
…ion, and documentation files to ensure compatibility with the new release.
…blyGood` methods with `getStatusCategory` and `getEffectiveStatusCategory` for improved clarity. Introduce `cert_status_category_t` enum to centralize status representation.
… with `cert_status_category_t` for enhanced status clarity and flexibility. Update logic to handle `UNKNOWN_STATUS` and refactor state transitions for improved maintainability and debugging. Enhance logging across workflows. Introduce and utilize `sslkeylogfile_log` functionality when enabled.
…ks with `cert_status_category_t` for greater flexibility and clarity across workflows. Update state transition logic to handle `UNKNOWN_STATUS`, enhance logging for better debugging, and improve maintainability.
…atible OpenSSL library versions, disable TLS if mismatches are found, and enhance logging for debugging library issues.
- Improve logging for certificate status updates and connection workflows. - Standardize log formatting and add new debugging statements for better traceability. - Simplify openssl integration by including new modules (`opensslgbl`, `certfactory`, `certstatus*`). - Update version references to `1.4` in documentation and configuration files. - Tidy and reorganize module inclusion in `setup.py` for clarity.
…o streamline connection logic.
…up unused dependencies.
…nsure compatibility with OpenSSL headers.
…ABLE_OPENSSL block.
…on logic under `PVXS_ENABLE_OPENSSL` guard.
…ate expected values for `client1` and `client2` across `testtlswithcms` and `testtlswithcmsandstapling`.
- Adjust test expectations for certificate status counters in `testtlswithcms` and `testtlswithcmsandstapling`. - Improve error handling and logging in `clientconn.cpp` for failed non-blocking connections. - Refine TLS and certificate monitoring conditional logic under `PVXS_ENABLE_OPENSSL`. - Enhance OpenSSL initialization comment for clarity in `opensslgbl.cpp`.
…ceed with channel creation.
…line channel creation logic.
- Introduced new `status_cli` and `status_svr` loggers for client and server status debugging. - Added consistent log statements for state transitions across major classes (`Server`, `SSLContext`, `Connection`, `Channel`, etc.). - Modified constructors and methods to track state changes through debug logs for enhanced traceability. - Updated relevant files to ensure all state changes are logged consistently.
…ions: - Add detailed peer and channel name information to state transition log messages across `ConnBase`, `SubscriptionImpl`, `ServerChan`, and related methods. - Improve traceability by including contextual information for better debugging.
…matting changes.
…nn.cpp` and `serverconn.cpp`: - Eliminated `retryChannelCreation` and `retryConnectionValidation` methods along with their static wrappers under `PVXS_ENABLE_OPENSSL`. - Cleaned up related declarations in `clientimpl.h` and `serverconn.h`. - Streamlined code by removing redundant functionality.
…ation logic: - Eliminated redundant `AwaitingPeerCertValidity` state in `clientconn.cpp` and `serverconn.cpp`. - Added `Validated` state to clearly mark successful validation. - Removed unused OpenSSL retry and pending validation logic. - Improved state transition debugging for enhanced clarity.
- Wrapped `dlfcn.h` and OpenSSL-specific logging methods (`logOsslVersions` and `logOsslSymbolOrigins`) with `_WIN32` guards. - Prevent unnecessary code execution and warnings on Windows. - Ensure platform-specific compatibility with OpenSSL logic.
- Replaced `cert_status.status.s.c_str()` with `pva_status.status.s.c_str()` in `log_warn_printf` for accurate logging.
Labels: Cert Management, Stapling, OCSP, Cert Status