[PATCH 1/2] tls: Drop support for tls_allowed_dn_list
Ján Tomko
jtomko at redhat.com
Tue Nov 9 16:35:46 UTC 2021
On a Tuesday in 2021, Martin Kletzander wrote:
>This setting was unsafe for a number of reasons, so bear with me here.
>
>In the Distinguished Name (or rather the string representation of ASN.1
>RelativeDistinguishedName if you will) the individial fields (or rather each
>AttributeTypeAndValue) can be in any order as defined in RFC4514, section 2.2.
>The function we use to get the DN is gnutls_x509_crt_get_dn(3) which claims to
>return the DN as described in the aforementioned RFC.
>
>The help we are providing to the user when no DN from the list of allowed DNs
>matches an incoming TLS connection says to check the output of certtool,
>particularly `certtool -i --infile clientcert.pem`. However in the output of
>that command the order of the fields changed in some previous version exposing
>the inconsistency (see bugzilla link below for more details).
>
>This is one reason why we should not depend on the order of the fields being
>stable as the same change can happen (and maybe already happened) with the
>gnutls_x509_crt_get_dn(3) function.
>
>Another issue is that we are matching the patterns with a simple glob match,
>particularly g_pattern_match_simple(3) from glib. Due to the fact that any
>asterisk in that pattern might match not only the field, but anything in the
>whole DN, it is very prone to errors, sometimes even not caused by the
>administrator or application setting up the allowed list.
>
>This functionality is therefore considered unsafe and should not be used, hence
>this commit makes the daemon fail during startup with a descriptive explanation
>which is the safest option that does not allow unwanted behaviour and makes the
>error message immediately apparent.
>
>Possible solutions were considered, such as ordering of the fields and
>implementing better matching configuration options and algorithm. However these
>could lead to unsafe behaviour if not implemented exactly based on the RFC and
>even with that taken into the consideration it is not really an efficient way of
>defining filters when done with the configuration in conf (ini) format. In case
>of using low level functions like gnutls_x509_crt_get_subject(3) and
>gnutls_x509_dn_get_rdn_ava(3) this would add huge amount of complexity to offer
>proper filtering and string representations (including encoding etc.).
>
>https://bugzilla.redhat.com/show_bug.cgi?id=2018488
>
>Signed-off-by: Martin Kletzander <mkletzan at redhat.com>
>---
>I am very happy to discuss this in more detail.
>
>I am also working on a better way to provide ACLs for remote connections and I
>would be OK with postponing this patch until that is merged so that there is a
>supported way of limiting remote users if there are any current users of this
>functionality.
>---
> docs/remote.html.in | 26 --------------
> docs/tlscerts.html.in | 6 ----
> src/remote/libvirtd.aug.in | 1 -
> src/remote/libvirtd.conf.in | 16 ---------
> src/remote/remote_daemon.c | 2 --
> src/remote/remote_daemon_config.c | 19 +++++-----
> src/remote/remote_daemon_config.h | 1 -
> src/remote/test_libvirtd.aug.in | 4 ---
> src/rpc/virnettlscontext.c | 60 ++++++-------------------------
> src/rpc/virnettlscontext.h | 2 --
> tests/virconfdata/libvirtd.conf | 17 ---------
> tests/virconfdata/libvirtd.out | 14 --------
> tests/virnettlscontexttest.c | 1 -
> tests/virnettlssessiontest.c | 1 -
> 14 files changed, 21 insertions(+), 149 deletions(-)
>
>diff --git a/docs/remote.html.in b/docs/remote.html.in
>index cc8db80c959c..211557aad66b 100644
>--- a/docs/remote.html.in
>+++ b/docs/remote.html.in
>@@ -236,32 +236,6 @@ Blank lines and comments beginning with <code>#</code> are ignored.
> If you set this to an empty string, then no CRL is loaded.
> </td>
> </tr>
>- <tr>
>- <td> tls_allowed_dn_list ["DN1", "DN2"] </td>
>- <td> (none - DNs are not checked) </td>
>- <td>
>- <p>
>- Enable an access control list of client certificate Distinguished
>- Names (DNs) which can connect to the TLS port on this server.
>- </p>
>- <p>
>- The default is that DNs are not checked.
>- </p>
>- <p>
>- This list may contain wildcards such as <code>"C=GB,ST=London,L=London,O=Libvirt Project,CN=*"</code>
>- See the POSIX <code>fnmatch</code> function for the format
>- of the wildcards.
>- </p>
>- <p>
>- Note that if this is an empty list, <i>no client can connect</i>.
>- </p>
>- <p>
>- Note also that GnuTLS returns DNs without spaces
>- after commas between the fields (and this is what we check against),
>- but the <code>openssl x509</code> tool shows spaces.
>-</p>
>- </td>
>- </tr>
> </table>
> <h2>
> <a id="Remote_IPv6">IPv6 support</a>
>diff --git a/docs/tlscerts.html.in b/docs/tlscerts.html.in
>index 5b7a5f56e4c2..c5206172f806 100644
>--- a/docs/tlscerts.html.in
>+++ b/docs/tlscerts.html.in
>@@ -71,9 +71,6 @@ next section.
> <td> Installed on the client </td>
> <td> Client's certificate signed by the CA
> (<a href="#Remote_TLS_client_certificates">more info</a>) </td>
>- <td> Distinguished Name (DN) can be checked against an access
>- control list (<code>tls_allowed_dn_list</code>).
>- </td>
> </tr>
> <tr>
> <td>
>@@ -90,9 +87,6 @@ next section.
> <td> Installed on the client </td>
> <td> Client's certificate signed by the CA
> (<a href="#Remote_TLS_client_certificates">more info</a>) </td>
>- <td> Distinguished Name (DN) can be checked against an access
>- control list (<code>tls_allowed_dn_list</code>).
>- </td>
> </tr>
> </table>
> <p>
>diff --git a/src/remote/libvirtd.aug.in b/src/remote/libvirtd.aug.in
>index d744548f4126..5bfc0a501aa5 100644
>--- a/src/remote/libvirtd.aug.in
>+++ b/src/remote/libvirtd.aug.in
>@@ -52,7 +52,6 @@ module @DAEMON_NAME_UC@ =
>
> let tls_authorization_entry = bool_entry "tls_no_verify_certificate"
> | bool_entry "tls_no_sanity_certificate"
>- | str_array_entry "tls_allowed_dn_list"
> | str_entry "tls_priority"
> @END@
>
>diff --git a/src/remote/libvirtd.conf.in b/src/remote/libvirtd.conf.in
>index 8e709856aacb..5e4a8c34915f 100644
>--- a/src/remote/libvirtd.conf.in
>+++ b/src/remote/libvirtd.conf.in
>@@ -285,22 +285,6 @@
> #tls_no_verify_certificate = 1
>
>
>-# An access control list of allowed x509 Distinguished Names
>-# This list may contain wildcards such as
>-#
>-# "C=GB,ST=London,L=London,O=Red Hat,CN=*"
>-#
>-# See the g_pattern_match function for the format of the wildcards:
>-#
>-# https://developer.gnome.org/glib/stable/glib-Glob-style-pattern-matching.html
>-#
I like your justification for removing this dead link.
Reviewed-by: Ján Tomko <jtomko at redhat.com>
Jano
>-# NB If this is an empty list, no client can connect, so comment out
>-# entirely rather than using empty list to disable these checks
>-#
>-# By default, no DN's are checked
>-#tls_allowed_dn_list = ["DN1", "DN2"]
>-
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20211109/712256be/attachment-0001.sig>
More information about the libvir-list
mailing list