-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Simplifying ssl/tls configuration (server) #17038
Comments
Absolutely +1 from aligning and for deprecating the old stuff we have |
Agree.
In SR Config we can relocate or fallback property names, so you can link the old and the new name. Relocate will use the new property value if you refer to the old value. Fallback will use the old value if you can't find the new one. |
@cescoffier Hi Clement -
|
@sberyozkin good point about FIPS. I would drop the "file-type" and just use "type. provider will still be supported of course (but rather an advanced used case, I don't know any other usage than FIPS). So for FIPS, it would be:
|
plus a million for simplifying and moving to "modern" terminology. The new config space means we can do whatever coping is required if the old properties are still present (I don't think it is as simple as just mapping to new values). Do we need a separate configuration for http vs. gRPC? should we drop to |
Good question. It's two different servers (two different ports). Also, the Vert.x HTTP server has more features than the gRPC one (typically, the gRPC server does not support SNI). So, I would lean toward having 2 different configurations BUT using the same config structure (same key name, same management behind the hood). |
@ebullient I also like the idea of having an (internal) TLS extension that handles all the config, and other susbystems just consume the results. It means TLS config could be unified for all extensions. |
It would need to distinguish the server and client. So, we could have quarkus.server.tls, but quarkus.tls could be problematic. I'm not a big fan of 'server' as we may have servers not reading this configuration. But, can't find anything better. Also, there is one tricky case. Imagine http and gRPC, both configured with this common configuration. If HTTP, supporting sni uses multiple pem files, gRPC would only consider the first one (at least for now). It might be fine, and a simple warning enough, but that's something we should consider. |
Maybe TLS config is a map (not single) with named profiles, so that consumers could do: I would use Also means we would have a place to set up letsencrypt support and deal w/ cert rotation and other things without having to reproduce that config in different config namespaces. |
+1 I'm a bit concerned about introducing profiles here (confusion with the quarkus profile). But at the same time, named configuration could we great. |
yes. agree re: confusion with |
So basically, there are two proposals. I will try to summarize them in this comment and add pros/cons for each. Both aim to simplify and provide a cohesive experience when dealing with TLS. Proposal A - Each extension owns the configurationThis approach is mostly a cleanup of the current situation. Each extension would continue to handle SSL/TLS. The only difference is that extensions would share a common Config object and have access to utility classes to load the certificates.
In addition to these fields, the shared configuration would allow configuring: Note that each extension would be responsible for validating the configuration. This approach is in the same vein as the current approach but rationalizes the format. Proposal B - TLS extensionThis second approach is slightly different as it introduces an extension managing TLS on behalf of the other extension. These other extensions (HTTP, gRPC) would depend on it to access the configured certs. That extension would be configured using named buckets (as I can't find a better name, I picked the worst one). So, if we consider the
The extension handles a
The same could be applied to the clients. However, the client configuration is slightly different, so that it would need a separate Map (that's why the proposal keys have While this proposal is more disruptive, it also has more perspectives. Typically, we can start thinking about a proper way to handle certificates and certificate generation and renewal (Acme). CC @ebullient , @geoand , @stuartwdouglas |
Thanks for the great summary @cescoffier. Personally I am leaning towards the first proposal. |
Personally I like the idea of the second proposal. My thinking is that this could make things a lot easier to configure if you have your own CA. If you can just specify your truststore once and then have everything use it this could simplify things, although how this would work in practice I am not sure. I did get a query about postgres + SSL the other day, and the driver only supports adding a path to a certificate in the URL. If we have fully unified config we could potentially automatically make this work as well, so there really is only one place to configure SSL. @darranl bassically did approach 2 for Elytron in WildFly so he might also have some insight. |
But do you really want to configure SSL in place in all cases?
I'd really like to hear Darran's insight on this |
I'm also in favour of Proposal B, but with some reservations as well.
This indeed may hurt the user experience. Lets imagine two extensions, one supports the pem file and the other one does not. We cannot really fail the build, we can add a warning for the extension that does not support the pem file, but the user may not notice it and expect it to work.
We should be able to add custom parameters for each extension. Something like: quarkus.tls.server.http.extension.property.a
quarkus.tls.server.http.anotherextension.property.b |
If possible we should try and add support for things that extensions don't support natively, e.g. write a TrustStore that supports PEM files and provide that to extensions that don't know how to deal with PEM files. |
Exactly, Stuart. One place that can deal w/ the nuances of TLS/SSL would be epic. Quarkus extensions are all about dealing with imposed constraints and mismatches (for native mode or anything else), and if that makes for better / more consistent TLS configuration and behavior (especially if it makes it easier to integrate w/ cloud native environments, secrets, vaults, .. ), that is a solid win for users. |
Yea, I think a TLS extension will likely be more work for us, but the end result will be a much better experience for users. |
The important part is the ability to add features to this new extension such as ACME, revocation, and so on. Adding that Today would require changing multiple extensions. So, yes, more work, but somewhat better in the long term. |
If we do have a single TLS extension, what would configuration look like if a user needs to configure a certificate for listening on HTTPS and also a trust store for the rest client (to call a downstream service)? |
I guess it would use the "named" bucket:
|
IMHO it should be like databases, where there is a default unnamed one (one for client, one for server), and then you can specify named ones if you need more flexibility. |
I must be missing something, but if we do use a default one, how do you determine where it applies? |
For servers, we can either use a default one + custom ones
Or we define a default name for all extensions ( The first approach would allow reusing configuration between servers (which would also be possible using names). |
It would apply everywhere that has enabled SSL and has not explicitly specified a named context. |
Ah, OK. I was missing the |
Ok, so we probably should create an epic out of this discussion. |
FYI, I'm going to try to start working on this... |
related to the fun around #8975 for having just one place to skip verification but allow turning it on in specific places. That is nice! One question I have about use then having keystores separately from javas main pem store. We would still be able to pass in at runtime a setting/property to get the certificates for the cluster managed by something like https://cert-manager.io/docs/release-notes/release-notes-1.2/#usability-improvements ? That cert you would want all the subsystems to be aware of if I grok it right ...but you write as if client and server would need to know different certs ? how will that add up? |
cert-manager is able to provision a set of certificates and you would have to "map" them to your different client/server. A bit like SBO. |
If you need a KeyStore implementation for PEM format, you can have a look at /~https://github.com/KarlScheibelhofer/java-crypto-tools . I have written this recently and would contribute it. Currently, it supports reading PEM files with private keys and certificates and basic creation. |
Here /~https://github.com/KarlScheibelhofer/jcp-demo-quarkus-https you can find a simple demo showing how to use java-crypto-tools to configure a PEM format keystore in quarkus. In addition to using a PKCS12 keystore, you can see these differences:
If Quarkus integrates this lib, only setting the |
For the record, I restarted working on this more seriously recently. |
#39825 last comment states there is more to do - should this stay open yet or ? |
I think we can keep it closed - the mechanism is in place and it's now just a question of adding support into extensions. I have already fixed the mailer. Redis and Rest client are next. Let me create separate issue for the missing ones (I have the list - it's not long). |
Enabling SSL (TLS actually) on the server and client is not particularly easy. While I was working on SNI support, I also found different approaches in various extensions.
Current approach
The Vert.x HTTP extension handles the configuration of TLS. The SSL configuration is stored under
quarkus.http.ssl
. Note that the SSL port is underquarkus.http.sslPort
. SSL is enabled as soon as the SSL config contains certificates.First, we are still referring to SSL. However, it is not the correct wording, as we are using TLS.
To use SSL / TLS, we need certificates. These are configured, in the Vert.x HTTP extension, under:
quarkus.http.ssl.certificates
(gRPC does not have this certificates sub-level). There are multiple formats: PEM, JKS, and PCKS12, all with different configurations. The current configuration is a direct mapping of the Vert.x configuration, but it might be confusing. Typically, to use a PEM certificate and its key, you configure:For JKS, you use:
PKCS12 uses the same attribute as JKS:
The key store password is optional, but use the rather odd default: "password".
All the paths refer to files that should not be packaged within the application (for security reasons).
When key-store-file is used, you can configure the type of key store. If not set, Quarkus checks the extensions of the file. Note that it does not cover PEM.
You also need to configure the trust store:
Only JKS and PCKS12 are supported for the trust store. If the type is not set, it makes a guess based on the file name. For the trust store, there is no default password.
While not yet supported (PR pending), SNI changes the configuration a bit, as in this case, you can have multiple PEM files (keys and certificates). Other formats support multiple certificates.
Proposal
This issue is about discussing a new simpler format.
Same for the trust store:
What about pem?
As the pem format is slightly different and can contain multiple entries (SNI), I would rather go for a map:
Final considerations
Note that the proposed configuration switch from SSL to TLS, as SSL 2.0 is deprecated since 2011 and SSL 3.0 since 2015.
Also, that configuration does not use a
certificates
nested config object.Another aspect to discuss is how we can avoid breaking configuration. The fact that the proposal uses a different config group (TLS) can allow us to deprecate
ssl.*
and recommend switching totls.*
.The idea would be to apply the same structure to all our extensions supporting TLS (gRPC for example).
Thoughts?
\CC @geoand @stuartwdouglas @gsmet @radcortez @ebullient
The text was updated successfully, but these errors were encountered: