
customized certificate does not work

Open Ha0124 opened this issue 1 year ago • 7 comments

Introduction

When using plaintext certificates for verification, communication between services can occur. If the certificate is encrypted, communication cannot be completed. Can an interface be provided for this type of scenario?

Contents

If I use customized certificates and paired password keys, can it be compatible with such scenarios?

Related work

Ha0124, Apr 16 '24 16:04

@Ha0124 hi, thank you for your feedback. When you mentioned 'customized certificates,' are you referring to self-signed certificates? Or are you saying that these certificates have passwords?

If possible, could you provide any feasible solutions or implementations you have encountered or seen in other products?

QingZ11, Apr 17 '24 02:04

When I try to use the SSL encryption function following https://docs.nebula-graph.io/3.6.0/7.data-security/4.ssl/, I try to use the provided case from /tests, download it locally, and then add --password_path=/xx/xx/xx/test.ca.password --key_path=/xx/xx/xx//nebula/test.ca.key --cert_path=/xx/xx/xx/test.ca.pem --enable_ssl=true to nebula-graphd.conf, nebula-metad.conf and nebula-storaged.conf, but it doesn't work.

When I set --enable_ssl=false, the services can be linked. Does the SSL encryption function have limits?

Ha0124, Apr 17 '24 11:04

After you configured the SSL information, did you restart the three services?

QingZ11, Apr 18 '24 04:04

You should re-generate the certs. You could refer to https://github.com/vesoft-inc/nebula-go/tree/master/nebula-docker-compose/secrets for generation, and to https://github.com/vesoft-inc/nebula-go/blob/master/nebula-docker-compose/docker-compose-ssl.yaml and https://github.com/vesoft-inc/nebula-go/blob/master/nebula-docker-compose/.env for usage in nebula.

HarrisChu, Apr 18 '24 05:04

After the RSA key pair is generated using openssl genrsa command, we encrypted the RSA key pair using openssl rsa command with AES-256-CBC. The key file encrypted using AES-256-CBC is used to meet security requirements. However, nebula may not be able to parse such a key file.

vealfan, Apr 18 '24 09:04

The password in nebula just encrypts like passout in openssl genrsa, e.g.

```bash
# Write the passphrase to a file (first line is used as the password)
echo "123456" > passphrase.txt
# A cipher option such as -aes256 is required; without it genrsa ignores -passout
# and writes an unencrypted key
openssl genrsa -aes256 -passout file:passphrase.txt -out privkey.pem 2048

# and then password_path should be passphrase.txt
```

HarrisChu, Apr 22 '24 03:04
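Before pointing --key_path, --cert_path and --password_path at a key, cert and passphrase file, it is worth checking locally that the three actually fit together, since a mismatch shows up only as services failing to connect. The script below is an added example, not code from the nebula project: it generates throwaway material the way the previous comment describes (an AES-256 encrypted RSA key with the passphrase in a file) and checks that the passphrase file decrypts the key and that the key belongs to the certificate. The file names and the self-signed test CA are constructed for the demo.

```bash
#!/bin/sh
# Added example: sanity-check a nebula SSL key/cert/password triple with openssl.
set -e

# check_ssl_material KEY CERT PASSFILE
# Returns 0 when PASSFILE decrypts KEY and KEY's public half matches CERT.
check_ssl_material() {
  key=$1; cert=$2; passfile=$3
  # 1. Does the passphrase in PASSFILE actually unlock the encrypted key?
  if ! openssl rsa -in "$key" -passin "file:$passfile" -noout >/dev/null 2>&1; then
    echo "FAIL: passphrase in $passfile does not decrypt $key" >&2
    return 1
  fi
  # 2. Does the private key belong to the certificate? Compare SPKI public keys.
  key_pub=$(openssl rsa -in "$key" -passin "file:$passfile" -pubout 2>/dev/null)
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
  if [ "$key_pub" != "$cert_pub" ]; then
    echo "FAIL: $key does not match $cert" >&2
    return 1
  fi
  echo "OK: $key, $cert and $passfile are consistent"
}

# make_sample_material DIR
# Constructed demo material (hypothetical names): a self-signed test CA whose
# key is AES-256 encrypted with the passphrase stored in test.ca.password.
make_sample_material() {
  dir=$1
  echo "123456" > "$dir/test.ca.password"
  openssl genrsa -aes256 -passout "file:$dir/test.ca.password" \
    -out "$dir/test.ca.key" 2048 2>/dev/null
  openssl req -new -x509 -key "$dir/test.ca.key" -passin "file:$dir/test.ca.password" \
    -subj "/CN=nebula-test" -days 1 -out "$dir/test.ca.pem" 2>/dev/null
  # A second passphrase file that does not match, to show the failure mode
  echo "wrong" > "$dir/wrong.password"
}

# Demo: the correct passphrase passes, the wrong one is reported and rejected
workdir=$(mktemp -d)
make_sample_material "$workdir"
check_ssl_material "$workdir/test.ca.key" "$workdir/test.ca.pem" "$workdir/test.ca.password"
check_ssl_material "$workdir/test.ca.key" "$workdir/test.ca.pem" "$workdir/wrong.password" || true
rm -rf "$workdir"
```

Run the same check against the real files you pass to nebula-graphd, nebula-metad and nebula-storaged; all three services must see the same consistent triple after a restart.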

If I do encrypt with the cert, will it be accepted in nebula?

Ha0124, May 07 '24 02:05