Add DN name to accept_result struct #20
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
|
BenPope
reviewed
Apr 21, 2022
src/net/tls.cc
Outdated
| _creds->_dn_callback(t, subject, issuer); | ||
| } | ||
| if (fetch_dn) { | ||
| return session_dn{.subject=subject, .issuer=issuer}; |
There was a problem hiding this comment.
subject and issuer can be moved.
Previously, it was possible to get DN using dn_callback passed to credentials object. This callback is invoked on every handshake (if 'client_auth' is set to true) and accepts two parameters, subject and issuer. But there is no way for the user of the tls library to connect particular client connection with the DN string. Also, it's not the best way to obtain the DN string because the handshake is delayed until the first read or write attempt is made. This commit solves the issue by - adding a DN field to the accept_result struct - propagating DN name to the accept_result - forcing TLS handshake after the connection is established and before the accept_result is returned in order to get DN field populated In order for this mechanism to work the user must use 'seastar::tls::listen' method directly and not 'wrap_server'. Also, the user have to pass the credentials with client-auth set to 'REQUIRED' to the 'listen' function.
Lazin
force-pushed
the
feature/pass-dn-on-accept
branch
from
8f9ec17 to
b76092e
Compare
I'm curious as well. Normally TLS exhaustion attack will actually require a handshake anyway. Here we're just starting the handshake as soon as connection is established. Without this the attacker can open a lot of connection without doing the handshake. So in my point of view this looks like reduction of the attack surface.
I don't think that there are any concerns regarding this. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Previously, it was possible to get DN using dn_callback passed to
credentials object. This callback is invoked on every handshake (if
'client_auth' is set to true) and accepts two parameters, subject and
issuer. But there is no way for the user of the tls library to connect
particular client connection with the DN string. Also, it's not the best
way to obtain the DN string because the handshake is delayed until the
first read or write attempt is made.
This commit solves the issue by
the accept_result is returned in order to get DN field populated
In order for this mechanism to work the user must use 'seastar::tls::listen'
method directly and not 'wrap_server'. Also, the user have to pass
the credentials with client-auth set to 'REQUIRED' to the 'listen'
function.