
TLS

Open mdavidsaver opened this issue 1 year ago • 8 comments

Applying OpenSSL to PVXS.

Wire compatibility with existing (plain tcp) clients/servers is maintained. Likewise this PR is compatible with work by @kasemir adding TLS support to core.pva in the phoebus repository.

To maintain compatibility, when configured with a keychain file, client search requests include two "protocol" names: tcp and tls. The server listens on a second TCP port for TLS connections, and prefers to respond with tls when both are present.

Adds x509 AUTHZ method. Client advertises x509 when configured with a client certificate. Server prefers x509 to ca. If selected, uses client cert commonName as account name. eg. CN=foo appears to ACF logic as foo. (note, this really needs an extension to the ACF logic to account for different source of accounts)

TLS features/restrictions

  • OpenSSL >= 3.0
  • TLS protocol version >= 1.3 required
  • ALPN extension negotiates with protocol pva/1. (mandatory?)
  • Client/server reload TLS configuration (eg. replace cert) at runtime. This force-closes connections.

New Configuration:

  • $EPICS_PVAS_TLS_KEYCHAIN $EPICS_PVA_TLS_KEYCHAIN name of a PKCS12 file containing some combination of key, server/client certificate, and/or CA certificates. The file path may optionally be followed by ; and a password. eg. EPICS_PVAS_TLS_KEYCHAIN=/path/to/some.p12;secret.
  • $EPICS_PVAS_TLS_OPTIONS $EPICS_PVA_TLS_OPTIONS space separated list of key=value pairs. Currently supported are client_cert=optional and client_cert=required.
  • $EPICS_PVAS_TLS_PORT $EPICS_PVA_TLS_PORT default port to listen for TLS connections
  • $OPENSSL_CONF Location of OpenSSL config file. Defaults to /usr/lib/ssl/openssl.cnf on Linux. Application name pvxs is used.
  • $SSLKEYLOGFILE If set, TLS session keys will be written here. eg. for use by wireshark. cf. https://github.com/mdavidsaver/cashark/pull/14 (may be disabled at build time with make PVXS_ENABLE_SSLKEYLOGFILE=NO ...)

Building:

libevent must be built with optional openssl support (bundled build will detect). openssl is expected to be installed in the default search path. I have no plans to bundle openssl.

TODO:

  • [X] Configure TLS in $EPICS_PVA_NAME_SERVERS w/ URI-ish pvas://1.2.3.4:5678.
  • [X] Verify interoperability with PKCS12 created by java keytool (OpenSSL parser for PKCS12 is... limited)
    • [X] Can work with files created by openssl pkcs12 or keytool. (although Java can't currently work with openssl created files)
    • [X] Handle password protected PKCS12 (which java keytool insists on...)
  • [X] Configure client cert. required at TLS level?
  • [X] Fix OSX RPATH issue
  • [X] Fix MSVC build failure w/ appveyor
  • [X] IOC shell commands to manage TLS (re)configuration
  • [X] Test server reconfigure
    • [X] Expose server credentials to client
  • [X] x509 AUTHZ method design
    • [X] Add authority alongside method and account
  • [X] Update python module build
  • [ ] Config for openssl outside of implicit search path (OSX brew).
  • [ ] What to do about CMD_BEACON ?
  • [ ] OCSP over PVA?
  • [ ] What to do about certificate expiration? (drop credentials? force reconnect w/o TLS?)
  • [ ] Include CA IDs in search request/reply? (more graceful fallback if mis-matched CA certs)
  • [ ] Investigate openssl provider/engine support. eg tpm2-openssl

Supersedes https://github.com/mdavidsaver/pvxs-dev/pull/2

mdavidsaver avatar Aug 17 '23 19:08 mdavidsaver
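The two configuration conventions described above (a keychain path optionally followed by `;` and a password, and a space separated list of `client_cert=optional|required` options) parsed strictly, as an added illustration that is not PVXS's own parsing code. The splitting rule on the first `;` and the rejection of any unknown option are assumptions made here so that a typo cannot silently weaken the client-certificate policy.

```cpp
#include <cassert>
#include <map>
#include <sstream>
#include <stdexcept>
#include <string>

// Parsed form of $EPICS_PVA_TLS_KEYCHAIN, e.g. "/path/to/some.p12;secret".
struct Keychain {
    std::string path;
    std::string password;  // empty when no ';' suffix is present
};

// Split "path;password" on the first ';'. Assumption: the path itself
// contains no ';' (PVXS's exact rule is not stated in the PR text).
Keychain parseKeychain(const std::string& value) {
    Keychain kc;
    auto sep = value.find(';');
    kc.path = value.substr(0, sep);
    if (sep != std::string::npos)
        kc.password = value.substr(sep + 1);
    if (kc.path.empty())
        throw std::invalid_argument("keychain path is empty");
    return kc;
}

// Parse $EPICS_PVA_TLS_OPTIONS: whitespace separated key=value pairs.
// Only client_cert=optional|required is accepted, matching the PR text;
// anything else is rejected rather than ignored.
std::map<std::string, std::string> parseTlsOptions(const std::string& value) {
    std::map<std::string, std::string> opts;
    std::istringstream in(value);
    std::string tok;
    while (in >> tok) {
        auto eq = tok.find('=');
        if (eq == std::string::npos)
            throw std::invalid_argument("expected key=value, got: " + tok);
        std::string key = tok.substr(0, eq), val = tok.substr(eq + 1);
        if (key != "client_cert" || (val != "optional" && val != "required"))
            throw std::invalid_argument("unsupported TLS option: " + tok);
        opts[key] = val;
    }
    return opts;
}

// True when the server must refuse TLS peers that present no certificate.
bool clientCertRequired(const std::string& optionsEnv) {
    auto opts = parseTlsOptions(optionsEnv);
    auto it = opts.find("client_cert");
    return it != opts.end() && it->second == "required";
}
```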