-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add TLS client authentication support. #43090
Add TLS client authentication support. #43090
Conversation
Pinging @elastic/kibana-platform |
Pinging @elastic/kibana-security |
87b6812
to
b723c06
Compare
💚 Build Succeeded |
@@ -202,4 +244,55 @@ describe('with TLS', () => { | |||
httpSchema.validate(allKnownWithOneUnknownProtocols) | |||
).toThrowErrorMatchingSnapshot(); | |||
}); | |||
|
|||
test('HttpConfig instance should properly interpret `none` client authentication', () => { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
note: just a bunch of tests to only test functionality I'm introducing...
src/legacy/server/config/schema.js
Outdated
@@ -111,7 +111,8 @@ export default () => Joi.object({ | |||
keyPassphrase: Joi.string(), | |||
certificateAuthorities: Joi.array().single().items(Joi.string()).default([]), | |||
supportedProtocols: Joi.array().items(Joi.string().valid('TLSv1', 'TLSv1.1', 'TLSv1.2')).default(['TLSv1.1', 'TLSv1.2']), | |||
cipherSuites: Joi.array().items(Joi.string()).default(cryptoConstants.defaultCoreCipherList.split(':')) | |||
cipherSuites: Joi.array().items(Joi.string()).default(cryptoConstants.defaultCoreCipherList.split(':')), | |||
clientAuthentication: Joi.any().description('This key is handled in the new platform ONLY'), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
note: this removes a blocker status from #42818 (at least for PKI auth provider)
Here is the archive with |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM and tested locally
💚 Build Succeeded |
7.x/7.4.0: d106a4b |
…p-metrics-selectall * 'master' of github.com:elastic/kibana: (50 commits) [Uptime] update monitor list configs for mobile view (elastic#43218) [APM] Local UI filters (elastic#41588) [Code] Upgrade ctags langserver (elastic#43252) [Code] show multiple definition results in panel (elastic#43249) Adds Metric Type to full screen launch tracking (elastic#42692) [Canvas] Convert Autocomplete to Typescript (elastic#42502) [telemetry] add spacesEnabled config back to xpack_main (elastic#43312) [ML] Adds DF Transform Analytics list to Kibana management (elastic#43151) Add TLS client authentication support. (elastic#43090) [csp] Telemetry for csp configuration (elastic#43223) [SIEM] Run Cypress Tests Against Elastic Cloud & Cypress Command Line / Reporting (elastic#42804) docs: add tip on agent config in a dt (elastic#43301) [ML] Adding bucket span estimator to new wizards (elastic#43288) disable flaky tests (elastic#43017) Fix percy target branch for PRs (elastic#43160) [ML] Adding post create job options (elastic#43205) Restore discover histogram selection triggering fetch (elastic#43097) Per panel time range (elastic#43153) [Infra UI] Add APM to Metadata Endpoint (elastic#42197) Sentence case copy changes (elastic#43215) ...
Recently we introduced
server.ssl.requestCert
(7.3+) for upcoming Kibana node-to-node TLS authentication, but that setting neither ever worked properly nor ever was mentioned in our docs. That lets us to dropserver.ssl.requestCert
completely in a next minor in favor ofserver.ssl.clientAuthentication: {none|optional|required}
to be on a par with Elasticsearch'sxpack.security.http.ssl.client_authentication
. This is also a blocker for PKI authentication provider.How to test
Generate certificates for Kibana and End User or use my test certificate-bundle.zip. Steps below assume that you use certificates from the attached certificate bundle.
Run Kibana with the following config:
certificate-bundle/user/user.pfx
andcertificate-bundle/kibana/kibana.pfx
(to test 2 different users) to the list of your certificates in the browser.Blocks: #42606
"Release Note: added new
server.ssl.clientAuthentication
setting that controls the server’s behavior in regard to requesting a certificate from client connections. Valid values arerequired
,optional
, andnone
. Therequired
forces a client to present a certificate, whileoptional
requests a client certificate but the client is not required to present one. Defaults tonone
."