Unable to retrieve full certificate chain for PKI auth when using TLSv1.3

[legrego]

Blocked on nodejs/node#36926

Kibana version: 7.11.0

Alternate Titles:

Unable to login to Kibana using PKI Auth when the Login Selector is enabled.

Detected incomplete certificate chain with protocol 'TLSv1.3', cannot renegotiate connection.

Describe the bug:

TLS session negotiation is an expensive operation for both the client and the server. Once a session is negotiated, the two parties attempt to reuse the existing session for subsequent requests, in order to reduce this mutual overhead.

When PKI (client certificate) auth is enabled, Kibana expects to be able to retrieve the full client certificate chain so that we can forward it to Elasticsearch to complete the delegated PKI authentication.

When a TLS session is reused, the client is not expected to resend its full certificate chain.

If a user attempts to login to Kibana using a resumed TLS session, then the authentication attempt will fail because that request does not contain the full certificate chain. This usually manifests when PKI auth is combined with the Login Selector. Loading the login selector screen establishes the TLS session, but we do not attempt authentication until the user clicks the appropriate login button.

Once the user clicks the login button, we will attempt to read the full certificate chain from the request, and forward to ES. This operation fails because the request does not contain the cert chain.

We worked around this for TLSv1, TLSv1.1, and TLSv1.2 by renegotiating the session whenever PKI auth is attempted, and we detect an incomplete certificate chain (Issue, PR).

This session renegotiation does not work for TLS1.3 because this version does not support renegotiation.

The equivalent operation for TLSv1.3 SSL_verify_client_post_handshake, which is described in more detail by OpenSSL in their docs. As of this writing, this OpenSSL function is not exposed by the Node.js runtime, and is therefore unavailable for us to use in application code.

I've opened nodejs/node#36926 to track support for this in Node.js.

Steps to reproduce:

1. Configure Kibana for PKI auth, ensuring that server.ssl.clientAuthentication is set to either optional or required.
2. Configure Kibana to use the Login Selector.
3. Load Kibana, and attempt to login using PKI auth

Note: Failures are intermittent and sometimes difficult to reproduce! Behavior can vary depending upon your browser version and how your certificates are issued. See the linked issue for more details.

Workaround (versions >= 7.11.0)

Until this bug is resolved, users can force Kibana to use TLSv1.2, so that we can properly renegotiate the connection:

# kibana.yml
server.ssl.supportedProtocols: ['TLSv1.2']

# Optionally support older protocols if you need them
# server.ssl.supportedProtocols: ['TLSv1', 'TLSv1.1', 'TLSv1.2']

Versions prior to 7.11.0

Versions prior to 7.11.0 do not support TLSv1.3 -- you are seeing a related error (#88100), which we resolved for the 7.11 release. Upgrading to 7.11 will resolve your issue, but keep in mind that upgrading to 7.11 adds support for TLSv1.3, so you may encounter this after upgrading. Once upgraded, you can force Kibana to use TLSv1.2 as described above.

[elasticmachine]

Pinging @elastic/kibana-security (Team:Security)

[jportner]

Notes on the workaround in versions >= 7.11.0...

As of Kibana 7.11, the default server.ssl.supportedProtocols is TLSv1.1, TLSv1.2, TLSv1.3, as stated in the docs.

In addition to the Kibana configuration, Node restricts the minimum TLS version that can be used. Kibana 7.11 ships with Node 14, which uses a minimum of TLSv1.2 by default. However, the Kibana distributable sets that minimum to TLSv1 for backwards compatibility reasons:

kibana/src/dev/build/tasks/bin/scripts/kibana

Line 29 in a62d693

NODE_OPTIONS="--no-warnings --max-http-header-size=65536 --tls-min-v1.0 $KBN_NODE_OPTS $NODE_OPTIONS" NODE_ENV=production exec "${NODE}" "${DIR}/src/cli/dist" ${@}

If you are running Kibana 7.11 or newer from source and you want to use TLSv1 or TLSv1.1, in addition to the server.ssl.supportedProtocols configuration value, you need to specify the Node argument on the command line:

node --tls-min-v1.0 scripts/kibana