
Fixes incomplete client cert chain when using PKI authentication with the login selector #88229

Merged
merged 3 commits, Jan 14, 2021

Conversation

jportner (Contributor)

Resolves #88100.

This PR introduces new behavior in the PKI authenticator when an incomplete client cert chain is detected. It now attempts to renegotiate the connection one time to retrieve the full client cert chain. This only works when using TLS 1.0-1.2, as TLS 1.3 does not support renegotiation.

Testing: see linked issue.

Debug logs scenario 1 (normal PKI auth obtains full cert chain)
[2021-01-13T18:23:23.074Z][DEBUG][plugins.security.pki.pki1] Trying to perform a login.
[2021-01-13T18:23:23.074Z][DEBUG][plugins.security.pki.pki1] Trying to authenticate request via peer certificate chain.
[2021-01-13T18:23:23.075Z][DEBUG][plugins.security.pki.pki1] Self-signed certificate is detected in certificate chain
[2021-01-13T18:23:23.075Z][DEBUG][plugins.security.pki.pki1] Peer certificate chain: [{"subject":{"CN":"sdh-964-client"},"issuer":{"CN":"SDH 964 Elasticsearch Intermediate CA 2"},"issuerCertType":"object","subjectaltname":"DNS:localhost","validFrom":"Jan  7 18:40:32 2021 GMT","validTo":"Dec 26 18:40:32 2070 GMT"}, {"subject":{"CN":"SDH 964 Elasticsearch Intermediate CA 2"},"issuer":{"CN":"SDH 964 Elasticsearch Root CA"},"issuerCertType":"object","validFrom":"Jan  7 18:40:36 2021 GMT","validTo":"Dec 26 18:40:36 2070 GMT"}, {"subject":{"CN":"SDH 964 Elasticsearch Root CA"},"issuer":{"CN":"SDH 964 Elasticsearch Root CA"},"issuerCertType":"object","validFrom":"Jan  7 18:40:23 2021 GMT","validTo":"Dec 26 18:40:23 2070 GMT"}]
[2021-01-13T18:23:24.026Z][DEBUG][plugins.security.pki.pki1] Successfully retrieved access token in exchange to peer certificate chain.

Debug logs scenario 2 (TLS 1.2, renegotiated connection for PKI auth to obtain full cert chain)
[2021-01-13T18:26:49.469Z][DEBUG][plugins.security.pki.pki1] Trying to perform a login.
[2021-01-13T18:26:49.469Z][DEBUG][plugins.security.pki.pki1] Trying to authenticate request via peer certificate chain.
[2021-01-13T18:26:49.469Z][DEBUG][plugins.security.pki.pki1] Detected incomplete certificate chain with protocol 'TLSv1.2', attempting to renegotiate connection.
[2021-01-13T18:26:49.485Z][DEBUG][plugins.security.pki.pki1] Self-signed certificate is detected in certificate chain
[2021-01-13T18:26:49.485Z][DEBUG][plugins.security.pki.pki1] Peer certificate chain: [{"subject":{"CN":"sdh-964-client"},"issuer":{"CN":"SDH 964 Elasticsearch Intermediate CA 2"},"issuerCertType":"object","subjectaltname":"DNS:localhost","validFrom":"Jan  7 18:40:32 2021 GMT","validTo":"Dec 26 18:40:32 2070 GMT"}, {"subject":{"CN":"SDH 964 Elasticsearch Intermediate CA 2"},"issuer":{"CN":"SDH 964 Elasticsearch Root CA"},"issuerCertType":"object","validFrom":"Jan  7 18:40:36 2021 GMT","validTo":"Dec 26 18:40:36 2070 GMT"}, {"subject":{"CN":"SDH 964 Elasticsearch Root CA"},"issuer":{"CN":"SDH 964 Elasticsearch Root CA"},"issuerCertType":"object","validFrom":"Jan  7 18:40:23 2021 GMT","validTo":"Dec 26 18:40:23 2070 GMT"}]
[2021-01-13T18:26:49.604Z][DEBUG][plugins.security.pki.pki1] Successfully retrieved access token in exchange to peer certificate chain.

Debug logs scenario 3 (TLS 1.3, cannot renegotiate connection, PKI auth obtains incomplete cert chain)
[2021-01-13T18:27:55.156Z][DEBUG][plugins.security.pki.pki1] Trying to perform a login.
[2021-01-13T18:27:55.156Z][DEBUG][plugins.security.pki.pki1] Trying to authenticate request via peer certificate chain.
[2021-01-13T18:27:55.157Z][DEBUG][plugins.security.pki.pki1] Detected incomplete certificate chain with protocol 'TLSv1.3', cannot renegotiate connection.
[2021-01-13T18:27:55.157Z][DEBUG][plugins.security.pki.pki1] Peer certificate chain: [{"subject":{"CN":"sdh-964-client"},"issuer":{"CN":"SDH 964 Elasticsearch Intermediate CA 2"},"issuerCertType":"undefined","subjectaltname":"DNS:localhost","validFrom":"Jan  7 18:40:32 2021 GMT","validTo":"Dec 26 18:40:32 2070 GMT"}]
[2021-01-13T18:27:55.157Z][DEBUG][plugins.security.pki.pki1] Authentication is not possible due to incomplete peer certificate chain.
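The following is an added example, not Kibana's code and not part of this PR, that walks through the three scenarios above in TypeScript: flatten the detailed peer certificate that Node's getPeerCertificate(true) returns by following issuerCertificate links, decide whether the chain reached a self-signed root, and renegotiate once only when getProtocol() reports TLS 1.0-1.2. The ChainCert and RenegotiableSocket interfaces are a minimal structural view of Node's types (a real TLSSocket satisfies them, but no 'tls' import is needed to run it offline), makeMockSocket and the certificate objects built from the DNs in the logs above are constructed for the example, and the renegotiate options { requestCert: true, rejectUnauthorized: false } are an assumption, chosen because the chain is only collected here and verified elsewhere.

```typescript
// Added example: chain extraction plus a single TLS <= 1.2 renegotiation
// when the client sent an incomplete certificate chain. Not Kibana's code.

// Structural subset of Node's DetailedPeerCertificate (assumption: enough
// fields for chain walking; a real object has many more).
export interface ChainCert {
  subject: Record<string, string>;
  issuer: Record<string, string>;
  fingerprint256?: string;
  issuerCertificate?: ChainCert; // undefined when the peer omitted the issuer
}

// Structural subset of tls.TLSSocket; a real socket satisfies this shape.
export interface RenegotiableSocket {
  getProtocol(): string | null;
  getPeerCertificate(detailed: true): ChainCert;
  renegotiate(
    options: { requestCert?: boolean; rejectUnauthorized?: boolean },
    callback: (err: Error | null) => void
  ): boolean | undefined;
}

export interface ChainResult {
  chain: ChainCert[];
  complete: boolean;
  renegotiated: boolean;
  error?: string;
}

// Node marks a self-signed cert by pointing issuerCertificate back at the cert
// itself; fingerprints are compared too in case the objects were copied.
// Equal subject/issuer DNs are deliberately NOT used: a cross-signed cert can
// carry the same DNs under a different key.
export function isSelfSigned(cert: ChainCert): boolean {
  const issuer = cert.issuerCertificate;
  if (!issuer) return false;
  if (issuer === cert) return true;
  return cert.fingerprint256 !== undefined && cert.fingerprint256 === issuer.fingerprint256;
}

// Flatten leaf -> intermediates -> root; stop at the root or the first missing
// issuer. Reusing `chain` as the visited set guards against malformed cycles.
export function getCertificateChain(leaf: ChainCert | undefined): ChainCert[] {
  const chain: ChainCert[] = [];
  let cert = leaf;
  while (cert && chain.indexOf(cert) === -1) {
    chain.push(cert);
    if (isSelfSigned(cert)) break;
    cert = cert.issuerCertificate;
  }
  return chain;
}

export function isChainComplete(chain: ChainCert[]): boolean {
  return chain.length > 0 && isSelfSigned(chain[chain.length - 1]);
}

// Renegotiation exists in TLS 1.0-1.2 only; TLS 1.3 removed it, and Node's
// renegotiate() fails on a TLS 1.3 socket, so the check comes first.
export function canRenegotiate(protocol: string | null): boolean {
  return protocol === 'TLSv1' || protocol === 'TLSv1.1' || protocol === 'TLSv1.2';
}

export function obtainPeerCertificateChain(
  socket: RenegotiableSocket,
  done: (result: ChainResult) => void
): void {
  const chain = getCertificateChain(socket.getPeerCertificate(true));
  if (isChainComplete(chain)) {
    return done({ chain, complete: true, renegotiated: false });
  }
  const protocol = socket.getProtocol();
  if (!canRenegotiate(protocol)) {
    return done({ chain, complete: false, renegotiated: false,
      error: `incomplete chain and cannot renegotiate with ${protocol}` });
  }
  // Node may report failure both by returning false and via the callback;
  // the settled flag makes sure `done` fires exactly once.
  let settled = false;
  const finish = (r: ChainResult): void => { if (!settled) { settled = true; done(r); } };
  // Assumption: verification is left to the consumer of the chain, hence
  // rejectUnauthorized: false; the point is only to re-request the client cert.
  const initiated = socket.renegotiate({ requestCert: true, rejectUnauthorized: false }, (err) => {
    if (err) return finish({ chain, complete: false, renegotiated: false, error: err.message });
    const fresh = getCertificateChain(socket.getPeerCertificate(true));
    finish({ chain: fresh, complete: isChainComplete(fresh), renegotiated: true });
  });
  if (initiated !== true) {
    finish({ chain, complete: false, renegotiated: false, error: 'renegotiation was not initiated' });
  }
}

// Constructed sample chain using the DNs from the debug logs (no real keys).
const root: ChainCert = { subject: { CN: 'SDH 964 Elasticsearch Root CA' },
  issuer: { CN: 'SDH 964 Elasticsearch Root CA' }, fingerprint256: 'AA' };
root.issuerCertificate = root; // how Node represents a self-signed root
const intermediate: ChainCert = { subject: { CN: 'SDH 964 Elasticsearch Intermediate CA 2' },
  issuer: root.subject, fingerprint256: 'BB', issuerCertificate: root };
const fullLeaf: ChainCert = { subject: { CN: 'sdh-964-client' },
  issuer: intermediate.subject, fingerprint256: 'CC', issuerCertificate: intermediate };
// What the leaf looks like when the handshake carried no issuer certificates.
const bareLeaf: ChainCert = { subject: fullLeaf.subject, issuer: fullLeaf.issuer, fingerprint256: 'CC' };

// Constructed mock socket: after a renegotiation the client "resends" `after`.
export function makeMockSocket(protocol: string, before: ChainCert, after: ChainCert): RenegotiableSocket {
  let current = before;
  return {
    getProtocol: () => protocol,
    getPeerCertificate: () => current,
    renegotiate: (_options, callback) => {
      if (!canRenegotiate(protocol)) {
        callback(new Error(`renegotiation not supported on ${protocol}`));
        return false;
      }
      current = after;
      callback(null);
      return true;
    },
  };
}

// Scenario 1: full chain on first handshake; 2: TLS 1.2, renegotiate to get it;
// 3: TLS 1.3, stuck with the bare leaf.
export function runScenarios(): ChainResult[] {
  const results: ChainResult[] = [];
  const collect = (r: ChainResult): void => { results.push(r); };
  obtainPeerCertificateChain(makeMockSocket('TLSv1.2', fullLeaf, fullLeaf), collect);
  obtainPeerCertificateChain(makeMockSocket('TLSv1.2', bareLeaf, fullLeaf), collect);
  obtainPeerCertificateChain(makeMockSocket('TLSv1.3', bareLeaf, fullLeaf), collect);
  return results;
}

for (const r of runScenarios()) {
  console.log(r.renegotiated ? 'renegotiated' : 'no renegotiation',
    r.complete ? 'complete' : 'incomplete',
    r.chain.map((c) => c.subject.CN).join(' -> '), r.error ?? '');
}
```

Run it with ts-node. Against a real tls.TLSSocket the same obtainPeerCertificateChain works unchanged; the practical caveat is the one the PR states: a client negotiating TLS 1.3 that omits its intermediates cannot be asked again, so the only remedies are to configure the client to send the full chain or to make the intermediate available on the verifying side.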

Did not change assertions, just refactored in preparation for the
next commit.

When an incomplete client cert chain is detected and the TLS
protocol version supports it (1.0-1.2), renegotiate the connection
to trigger a new TLS handshake and attempt to obtain the full
client cert chain.
return this.socket instanceof TLSSocket ? this.socket.authorizationError : undefined;
}

constructor(public readonly socket: Socket) {}
Member


Do we intentionally make the socket public (it was private)?

@jportner (Contributor, Author), Jan 13, 2021


😬 Nope, that was intended to be a temporary change while I was testing how renegotiate worked. Thanks for catching, I'll change that back.

Edit: done in 044a062.

@kibanamachine (Contributor)

💚 Build Succeeded

Metrics [docs]: ✅ unchanged


Successfully merging this pull request may close these issues:
Client cert chain is sometimes incomplete with PKI auth via the login selector