nats-server
Include TLS client information in connz output
Feature Request
When clients connect via TLS with client side certificate validation, no information about the client is available in the HTTP monitoring endpoints. This is what the data looks like right now:
Use Case:
Better insight into NATS server activity and its client connections.
Proposed Change:
Add public key, fingerprints, serial, subject to connz endpoint when query parameter auth is truthy.
I like this idea, want to make sure @kozlovic and @philpennock approve as well from an idea/security standpoint.
What exactly should we then report? Exporting the whole tls.Conn.ConnectionState().PeerCertificates
will be way too much content. Also note that this will be empty unless the server requires client certificate.
We may need a complete list of what we would want to report...
Certificate subject and fingerprints would be a good start I think. Subject is typically human readable to quickly identify a certificate, the fingerprint is the truly unique identifier that can be used for, for example, database lookups.
@RedShift1 @philpennock I am struggling to know what we would need to include as the new TLS details entry. I am assuming that we would report a subset of PeerCertificates slice, but from the godoc Certificate definition here: https://pkg.go.dev/crypto/x509#Certificate, what are the fields we would want exactly?
https://github.com/nats-io/nats-server/issues/3317#issuecomment-1202165750
@RedShift1 I saw your original comment, my point is that the "Subject" is actually a pkix.Name (see https://pkg.go.dev/crypto/x509/pkix#Name) and that seems a lot to return. As for the fingerprint, what would that be? A google search found this post (https://blog.abhi.host/blog/2020/02/01/Get-certificate-fingerprint-in-golang/) that seems to indicate that it would be a md5.sum of the certificate's Raw byte slice, and then make it a hex representation. Is that what it would be?
Yes, the fingerprint (sometimes also called thumbprint) is the hash of the certificate. MD5 used to be common but nowadays sha256 is used, for example:
[image]
And the subject is typically presented as a string like CN=mydevice,OU=IT,C=FR.
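As an added example, not code from the nats-server project or from any commenter, the Go program below shows what the fields discussed in this thread would look like when pulled from a live TLS connection: the subject rendered with pkix.Name.String() (which prints in the CN=...,OU=...,C=... form shown above), the serial number, and a SHA-256 fingerprint computed over the DER bytes in cert.Raw. It performs an in-memory handshake over net.Pipe with a throwaway self-signed client certificate (constructed test data), once with the server requiring a client certificate and once without, to illustrate the point made earlier that PeerCertificates is empty unless the server asks for one. The struct name TLSClientInfo and the JSON field names are assumptions for illustration, not the server's actual connz schema.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// TLSClientInfo is a hypothetical shape for the extra connz fields discussed
// in the issue (not the real connz schema): a human-readable subject, the
// certificate serial, and a SHA-256 fingerprint.
type TLSClientInfo struct {
	Subject     string `json:"subject"`
	Serial      string `json:"serial"`
	Fingerprint string `json:"fingerprint"`
}

// Fingerprint hashes the DER-encoded certificate (cert.Raw) with SHA-256 and
// renders it as colon-separated uppercase hex, the format most tools print.
func Fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	h := strings.ToUpper(hex.EncodeToString(sum[:]))
	parts := make([]string, 0, len(h)/2)
	for i := 0; i < len(h); i += 2 {
		parts = append(parts, h[i:i+2])
	}
	return strings.Join(parts, ":")
}

// SummarizePeer builds the summary from a connection state. It returns nil when
// the client presented no certificate, which is the case whenever the server
// did not request one.
func SummarizePeer(cs tls.ConnectionState) *TLSClientInfo {
	if len(cs.PeerCertificates) == 0 {
		return nil
	}
	leaf := cs.PeerCertificates[0] // leaf first; the rest of the chain follows
	return &TLSClientInfo{
		Subject:     leaf.Subject.String(), // e.g. CN=mydevice,OU=IT,C=FR
		Serial:      leaf.SerialNumber.String(),
		Fingerprint: Fingerprint(leaf),
	}
}

// newSelfSignedCert creates a short-lived self-signed certificate. This is
// constructed test material, not a production issuance flow.
func newSelfSignedCert(name pkix.Name, serial int64) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      name,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// HandshakeAndSummarize runs a TLS handshake over an in-memory pipe and returns
// what the server side would report about the client certificate.
func HandshakeAndSummarize(requireClientCert bool) (*TLSClientInfo, error) {
	srvCert, err := newSelfSignedCert(pkix.Name{CommonName: "nats-server"}, 1)
	if err != nil {
		return nil, err
	}
	cliCert, err := newSelfSignedCert(pkix.Name{
		CommonName: "mydevice", OrganizationalUnit: []string{"IT"}, Country: []string{"FR"},
	}, 4242)
	if err != nil {
		return nil, err
	}
	srvCfg := &tls.Config{
		Certificates:           []tls.Certificate{srvCert},
		ClientAuth:             tls.NoClientCert,
		SessionTicketsDisabled: true, // avoid post-handshake writes on a synchronous pipe
	}
	if requireClientCert {
		srvCfg.ClientAuth = tls.RequireAnyClientCert
	}
	cliCfg := &tls.Config{Certificates: []tls.Certificate{cliCert}, InsecureSkipVerify: true}

	cliRaw, srvRaw := net.Pipe()
	defer cliRaw.Close() // close the raw ends so no close_notify write can block
	defer srvRaw.Close()
	srv := tls.Server(srvRaw, srvCfg)
	cli := tls.Client(cliRaw, cliCfg)
	errCh := make(chan error, 1)
	go func() { errCh <- cli.Handshake() }()
	if err := srv.Handshake(); err != nil {
		return nil, err
	}
	if err := <-errCh; err != nil {
		return nil, err
	}
	return SummarizePeer(srv.ConnectionState()), nil
}

func main() {
	info, err := HandshakeAndSummarize(true)
	if err != nil {
		panic(err)
	}
	fmt.Printf("with client cert:    %+v\n", *info)
	none, err := HandshakeAndSummarize(false)
	if err != nil {
		panic(err)
	}
	fmt.Printf("without client cert: %v\n", none) // <nil>
}
```

Two details worth noting for anyone wiring this into a monitoring endpoint: the fingerprint is computed over the leaf only, so it identifies the exact certificate and not the key or the chain, and the summary is deliberately limited to these three fields rather than serializing the whole x509.Certificate, which is the concern raised about PeerCertificates being too much content.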
Thanks!