Add ability to disable mTLS
Description
Add option to disable mTLS
Fixes (issue)
Type of change
Please select all options that apply to this change:
- [x] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
- [ ] Bug fix (non-breaking change which fixes an issue)
- [x] Documentation update
Checklist:
Confirm you have completed the following steps:
- [x] My code follows the style of this project.
- [x] I have performed a self-review of my code.
- [x] I have made corresponding updates to the documentation.
- [x] I have added/updated unit tests to cover my changes.
- [ ] I have added/updated integration tests to cover my changes.
@patrickdemers6 Hi, could you help review again?
I will try using this once back from holiday travels. Have you been able to test this with a real vehicle?
I haven't tested with a real vehicle setup.
An integration test for this would be nice to have but at first glance, it doesn't look like the easiest thing to add.
I'll try to add another integration test.
There's only a unit test currently. Integration tests are defined in test/integration.
I tried to add an integration test, but I'm still struggling with it. My idea is to add nginx to docker compose, exposing another port that terminates mTLS and forwards the cert in a header, then add a test similar to the existing one but calling that other port.
Hey folks! Thanks for the PR! I'm planning to use telemetry behind a Cloudflare tunnel, and it's currently not possible because of mTLS.
telemetry behind cloudflare tunnel
I'm not so sure this is possible. I would be happy if you prove me wrong.
mTLS is not something you should/can just ignore, this PR just tries to handle it differently. Instead of terminating the mTLS connection directly in the telemetry-server, where the full client cert is validated, it expects some proxy to terminate it and forward the full client cert via the "Client-Cert-Chain" header, so it again can be validated.
Cloudflare is technically such a proxy. But as far as I am aware, it cannot insert the full client cert into a header. This is the list of fields you could add into headers: https://developers.cloudflare.com/ruleset-engine/rules-language/fields/dynamic-fields/#cftls_client_authcert_revoked
If you just use the issuer and client subject DN without any verification, this information could easily be spoofed.
There is a "cf.tls_client_auth.cert_verified" field that would work for Cloudflare-issued client certificates, but in order to validate the certificate the vehicle sends against the Tesla Vehicle CA, you need to provide Tesla's CA cert to Cloudflare, which is only possible for enterprise accounts: https://developers.cloudflare.com/ssl/client-certificates/byo-ca/#availability
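Added example for this thread, not fleet-telemetry's own code: a Go check that re-validates a proxy-forwarded client certificate by chain-building to a pinned CA, with a constructed fixture showing that a self-signed certificate carrying the same subject DN is rejected. It assumes the header carries the leaf certificate as base64-encoded DER; the exact format of the PR's "Client-Cert-Chain" header is not shown on this page.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"math/big"
	"time"
)
// VerifyForwardedClientCert re-validates the client certificate a TLS-terminating proxy forwarded in
// a header, building its chain to the pinned CA rather than trusting a subject or issuer DN the proxy
// copied in. Assumption (not from the PR): the header value is the leaf certificate's DER, base64-encoded.
func VerifyForwardedClientCert(header string, roots *x509.CertPool) (*x509.Certificate, error) {
	der, err := base64.StdEncoding.DecodeString(header)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	if _, err = cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return nil, err
	}
	return cert, nil
}
// newCert issues a certificate for the constructed fixture; a nil parent makes it self-signed.
func newCert(cn string, isCA bool, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// Fixture returns a constructed CA pool plus headers for a CA-issued cert and for a self-signed cert that only copies its DN.
func Fixture() (*x509.CertPool, string, string) {
	ca, caKey := newCert("Constructed Vehicle CA", true, nil, nil)
	issued, _ := newCert("constructed-vehicle", false, ca, caKey)
	forged, _ := newCert("constructed-vehicle", false, nil, nil)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return pool, base64.StdEncoding.EncodeToString(issued.Raw), base64.StdEncoding.EncodeToString(forged.Raw)
}
```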
Just pushed an image to docker hub and will try testing shortly.
patrickdemers6/fleet-telemetry:279-disable-mtls-1d4ff5f
@patrickdemers6 does the image on your docker hub have the Mqtt changes too?
@patrickdemers6 Could you help test my PR? I have difficulty getting a Tesla to test with.
The image I pushed didn't have the MQTT changes.
I wasn't able to figure out hosting this behind a proxy, but didn't have a ton of time. I can work on validating some other time, but would appreciate it if anyone else in the community is able to help.