Node certificate endorsement and TLS authentication changes #581

jumaffre · 2019-11-22T15:54:54Z

Resolves #552

Before

Each CCF node provides 3 "virtual" servers (for nodes, members and users) and clients have to pass the corresponding ServerName during the TLS handshake to be routed to the right server/frontend.
When using a standard TLS client (e.g. curl when CCF is built with HTTP), it is necessary to tell the client (e.g. --resolve) "the host you connect to at , well assume that its real name is <sni_name>". This is because when doing a TLS handshake, the client verifies that the server it's talking to is the server it believes it is (by checking that the SubjectAlternativeName (or CommonName, if SAN does not exist)).

After

Each CCF node provides only 1 server (for all nodes, members and users). The routing to the right server is already done via command prefixing (see Prefix frontend dispatch #501). All the SNI code on the server side has been removed (see rpcsessions.h, tls/server.h, etc.).
The certificate presented by a node during TLS handshakes with clients is as follows:
- Before the node has joined the network, it only presents the self-signed node certificate (a).
- Once the node has joined, it presents its node signed by the network certificate (b)
It is now possible to pass a --domain to a new node which will be used for TLS host authentication (see next point). If no domain is set, the IP address for RPC connections is used (*).
Self-signed (a) contains CN=CCF Node and SAN: iPAddress:<node_ip> (or SAN: dNSName=<domain>).
Network-endorsed (b) contains CN=CCF Node <node_id> and SAN: iPAddress:<node_ip> (or SAN: dNSName=<domain>).

(*) mbedtls does not parse IPAddress= in the SubjectAltName. See more details #552 (comment)

Implementation Details

A frontend is now open or closed, as opposed to the corresponding SNI certificate being installed or not.
Because we use mbedtls for our client, memberclient and for the join protocol, we no longer call mbedtls_ssl_set_hostname() on the client side. This would break any clients when using IPAddress in SAN on the server-side as it is not parsed by mbedtls. This is fine as we still check the endorsement of the server certificate with the network certificate.
Hopefully all the interesting limitations of mbedtls have also been documented in the code, as comments.

src/enclave/appinterface.h

src/tls/cert.h

tests/infra/jsonrpc.py

ghost · 2019-11-22T16:02:02Z

ghost · 2019-11-22T16:07:58Z

codecov-io · 2019-11-22T16:11:10Z

Codecov Report

Merging #581 into master will decrease coverage by 0.22%.
The diff coverage is 74.86%.

@@            Coverage Diff            @@
##           master    #581      +/-   ##
=========================================
- Coverage   78.32%   78.1%   -0.22%     
=========================================
  Files         140     141       +1     
  Lines       10697   10754      +57     
=========================================
+ Hits         8378    8399      +21     
- Misses       2319    2355      +36

Flag	Coverage Δ
#e2e_BFT	`50.71% <72.57%> (+0.3%)`	⬆️
#e2e_CFT	`73.28% <74.29%> (-0.23%)`	⬇️
#unit_BFT	`63.94% <10.53%> (-0.74%)`	⬇️
#unit_CFT	`71.31% <12.38%> (-0.58%)`	⬇️

Impacted Files	Coverage Δ
src/apps/logging/logging.cpp	`69.83% <ø> (ø)`	⬆️
src/enclave/enclave.h	`98.99% <ø> (ø)`	⬆️
src/enclave/enclavetypes.h	`93.75% <ø> (ø)`	⬆️
src/apps/luageneric/luageneric.cpp	`86.75% <ø> (ø)`	⬆️
src/enclave/rpchandler.h	`50% <ø> (ø)`	⬆️
src/tls/client.h	`100% <ø> (+75%)`	⬆️
src/enclave/rpcmap.h	`84.62% <ø> (ø)`	⬆️
src/tls/context.h	`76.47% <ø> (+2.18%)`	⬆️
src/enclave/http.h	`42.35% <0%> (-1.02%)`	⬇️
src/host/main.cpp	`98.34% <100%> (+0.02%)`	⬆️
... and 15 more

eddyashton · 2019-11-22T16:30:30Z

src/enclave/rpcsessions.h

-        hasCa ? tls::auth_required : tls::auth_optional);
-
-      certs.push_back(std::move(the_cert));
+        tls::auth_optional);


Can we add a comment on this, to convince me that either we don't always to need to verify or we always check the verification later?

I would have thought we needed tls::auth_required here? It's true we check the cert later, but do we even want to allow unauthed connections at all?

tls::auth_required maps to MBEDTLS_SSL_VERIFY_REQUIRED. As per https://tls.mbed.org/api/ssl_8h.html#a5695285c9dbfefec295012b566290f37, the server does not have to verify the client certificate (default). Otherwise, we would have to have the clients certs signed by a trusted CA and replace nullptr by that CA here.

ghost · 2019-11-22T18:07:14Z

src/clients/client.cpp

src/enclave/http.h

src/enclave/rpcendpoint.h

src/tls/keypair.h

…_endorsement

ghost · 2019-11-25T11:56:44Z

…t#581)

Julien Maffre added 17 commits November 19, 2019 09:29

Add SAN

ac3a41e

Some fixes

72796cd

Remove sni and pass domain

0a8921f

Remove sni from CA

8201e3e

Making things work

ffd5e6c

Fixes

879f76e

Merge remote-tracking branch 'origin/master' into cert_endorsement

376e693

Fix perf client

866e831

edit /etc/hosts from python (test)

dac23ec

Perf client format

9673ca5

Use IP Address and do not verify hostname

10a45b4

Python format

e3109c2

Logger is not verbose by default

c97ce5f

Cert cleanup

13d9fc7

Only set domain name if it is passed to enclave

ee0b4db

Small tweaks

775d89e

Fix perf client

7dee9bf

jumaffre requested a review from a team as a code owner November 22, 2019 15:54

jumaffre commented Nov 22, 2019

View reviewed changes

src/enclave/appinterface.h Show resolved Hide resolved

jumaffre commented Nov 22, 2019

View reviewed changes

src/tls/cert.h Show resolved Hide resolved

jumaffre commented Nov 22, 2019

View reviewed changes

tests/infra/jsonrpc.py Show resolved Hide resolved

Own review

0d00e4f

eddyashton reviewed Nov 22, 2019

View reviewed changes

Merge branch 'master' into cert_endorsement

041ea99