
TLS UserAgent hook support for Lua

Open thedevopsmachine opened this issue 2 years ago • 4 comments

Summary

The Lua module currently supports hooks for HTTP only, but doesn't support the TLS UserAgent hooks. I know nothing about C and very little about ATS's plugin model, so I have no idea what it would take to implement this, or if it's even possible with ATS's model. I thought I'd ask the question here to get some clarification as to whether this is possible, and if it is, whether it's a bad idea to do so.

Background

I have a use case that is similar to the functionality provided by the Certifier plugin, but with some extra requirements that would require significant changes in that module. These changes are very specific to my use case, adding some extra dependencies, and thus the changes would have a near-zero chance of being contributed back into the source. This leaves us with a permanent branch to maintain, which is bad for us.

If we had support for these hooks in the Lua module, I can do everything I want in Lua scripts, plus the work could be contributed back to the source so that everyone can benefit. If we're going to invest in developing a plugin, I believe that the Lua one is the right choice, but I wanted to confirm with people who know better as to whether this is the right path.

thedevopsmachine avatar Oct 31 '22 22:10 thedevopsmachine

I think it is doable but I just have a hard time designing the interface of the function for these hooks. I can take a look at it some more and see. Or you can tell me a bit about what you expect the lua interface function to look like.

shukitchan avatar Oct 31 '22 22:10 shukitchan

The primary use case is to be able to fetch a certificate from another location (e.g. Redis), parse it, maybe store it in a cache, then tell ATS to use that certificate when establishing the TLS session. Maybe some functions like:

  • ts.ssl.parse_server_certificate(certificatePemString, privateKeyPemString)
  • ts.ssl.set_server_certificate(x509)

where the parse_server_certificate method returns the x509 object required by the set_server_certificate method.

Regarding the client certificate for mTLS, those methods might be:

  • ts.ssl.set_verify_client(certificationLevel, caCertificates)

where the parameters correspond to the settings in the sni.yaml config file.

thedevopsmachine avatar Nov 01 '22 01:11 thedevopsmachine

After some thought, here are my notes:

  1. To support the TLS User Agent hook, I need to add support in the lua plugin for these hooks - https://docs.trafficserver.apache.org/en/latest/developer-guide/plugins/hooks-and-transactions/ssl-hooks.en.html

  2. Inside the lua handler function, you can do the following:
     a) retrieve the ssl object
     b) set a connection to blind tunnel
     c) search for ssl context based on name or address

  3. Now with the SSL object you get to do whatever you like with a lua binding library. I am thinking of luaossl (http://25thandclement.com/~william/projects/luaossl.html). So with that then hopefully you can retrieve a certificate from redis (through another lua binding - e.g. https://github.com/shukitchan/ats_lua_scripts/blob/master/connect_redis.lua) and update the SSL object with the new certificate.

  4. Now I think this will probably not work perfectly without openssl (e.g. boringssl). And so the lua plugin will have to disable supporting these hooks/functions in that case.

  5. Alternatively, if you have a redis with the cert, you can have a script to re-generate ssl_multicert.config and reload the ATS. There are of course pros and cons with that. It really depends on your use case.

  6. I am not too sure how to control options like setting certification level or CA cert for the mTLS client certificate. I don't think there is an ATS API for that. Thus the plugin would not be able to support it. My understanding is that sni.yaml is flexible enough to support such common use cases. And again you can have a script to re-generate sni.yaml with your changes and reload the ATS to make these changes effective.

shukitchan avatar Nov 10 '22 00:11 shukitchan
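The flow sketched in the notes above (hook handler, get the SSL object, fetch PEM from a store, parse with luaossl, install the certificate), written out as an added illustration that is not code from this thread, from the ATS Lua plugin, or from luaossl. The hook name `do_global_ssl_cert`, `ts.ssl.get_sni()`, `ts.ssl.get_object()` and the `fetch_pem_from_store` helper are hypothetical stand-ins for an interface that does not exist yet; the luaossl calls and `ts.debug`/`ts.error` are real. The validation step (expiry and key/cert match) is the check a practitioner would want before a fetched certificate ever reaches a handshake.

```lua
-- Added example: hypothetical ATS Lua TLS hook handler using luaossl.
local openssl_x509 = require("openssl.x509")
local openssl_pkey = require("openssl.pkey")

-- Hypothetical helper: return (cert PEM, key PEM) for an SNI name, or nil.
-- In a real deployment this would be the Redis lookup the thread mentions;
-- here it is a constructed in-memory table so the script is self-contained.
local CONSTRUCTED_STORE = {
  -- ["example.test"] = { crt = "-----BEGIN CERTIFICATE-----...", key = "..." },
}
local function fetch_pem_from_store(sni)
  local entry = sni and CONSTRUCTED_STORE[sni]
  if not entry then return nil end
  return entry.crt, entry.key
end

-- Validate before installing: parse both PEMs, reject certificates outside
-- their validity period, and reject a key that does not match the cert.
-- Returns (x509, pkey) on success, or (nil, reason) on failure.
local function load_validated_identity(crt_pem, key_pem)
  local ok_crt, crt = pcall(openssl_x509.new, crt_pem)
  local ok_key, key = pcall(openssl_pkey.new, key_pem)
  if not (ok_crt and ok_key) then return nil, "unparseable PEM" end
  local now = os.time()
  if crt:getNotAfter() < now or crt:getNotBefore() > now then
    return nil, "certificate outside its validity period"
  end
  if crt:getPublicKey():toPEM("public") ~= key:toPEM("public") then
    return nil, "private key does not match certificate"
  end
  return crt, key
end

-- Hypothetical hook entry point in the shape of the plugin's do_global_* hooks.
function do_global_ssl_cert()
  local sni = ts.ssl.get_sni()        -- hypothetical
  local ssl = ts.ssl.get_object()     -- hypothetical: a luaossl openssl.ssl
  if not ssl then                     -- non-OpenSSL build: hook unsupported
    ts.debug("no SSL object available; leaving configured certificate")
    return
  end
  local crt_pem, key_pem = fetch_pem_from_store(sni)
  if not crt_pem then return end      -- fall back to ssl_multicert.config
  local crt, key = load_validated_identity(crt_pem, key_pem)
  if not crt then                     -- fail closed: keep the configured cert
    ts.error("rejecting stored cert for " .. tostring(sni) .. ": " .. tostring(key))
    return
  end
  ssl:setCertificate(crt)
  ssl:setPrivateKey(key)
end
```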

This issue has been automatically marked as stale because it has not had recent activity. Marking it stale to flag it for further consideration by the community.

github-actions[bot] avatar Nov 10 '23 01:11 github-actions[bot]