TLS config rework #3653

chrzaszcz · 2022-05-23T11:17:31Z

The main goal is to unify the TLS configuration for all outgoing and incoming connections.

All TLS configuration sections are specified with mongoose_config_spec:tls/2, which accept client and/or server options for just_tls (Erlang SSL) and/or fast_tls.
The resulting config is stored in a map which has a new type: mongoose_tls:options()

Changes in the configuration:

verify_peer and verify_mode are replaced with just verify_mode that has the default value 'peer' for all connections.
Previously the defaults varied a lot:
- outgoing connection pools had no peer validation except Riak
- listeners had no peer validation except s2s
- global distribution had peer validation
c2s mode has the default value 'starttls' (there was no default)
server_name_indication for client connections has its own subsection

The initial config file has explicit verify_mode = "none" for c2s and HTTP listeners - this has the same effect as the initial config before the changes while making it more visible that no peer certificate verification is done. The motivation is that often c2s and/or HTTP clients don't have certificates.

Left out for now:

Checking of options conditionally required by particular SSL setups, e.g. certfile, cacertfile, keyfile. The error messages will come from the SSL library itself, just as before.

codecov · 2022-05-23T11:26:17Z

Codecov Report

Merging #3653 (41cf8b2) into master (74bf246) will increase coverage by 0.10%.
The diff coverage is 93.90%.

@@            Coverage Diff             @@
##           master    #3653      +/-   ##
==========================================
+ Coverage   81.08%   81.18%   +0.10%     
==========================================
  Files         433      433              
  Lines       31926    31910      -16     
==========================================
+ Hits        25886    25906      +20     
+ Misses       6040     6004      -36

Impacted Files	Coverage Δ
src/ejabberd.erl	`60.00% <ø> (ø)`
src/mongoose_transport.erl	`100.00% <ø> (ø)`
src/mongoose_ldap_worker.erl	`41.86% <50.00%> (ø)`
src/rdbms/mongoose_rdbms_pgsql.erl	`85.29% <66.66%> (+1.51%)`	⬆️
src/wpool/mongoose_wpool_http.erl	`88.00% <66.66%> (-3.31%)`	⬇️
src/ejabberd_s2s_in.erl	`78.48% <75.00%> (-0.10%)`	⬇️
src/just_tls.erl	`85.13% <87.50%> (+0.92%)`	⬆️
src/mongoose_tls.erl	`87.50% <92.59%> (ø)`
src/ejabberd_c2s.erl	`88.93% <96.66%> (+0.21%)`	⬆️
src/config/mongoose_config_spec.erl	`100.00% <100.00%> (ø)`
... and 35 more

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 74bf246...41cf8b2. Read the comment docs.

It is useful when empty sections are needed.

mongoose-im · 2022-05-25T08:17:00Z

small_tests_24 / small_tests / c10f9d1
Reports root / small

small_tests_23 / small_tests / c10f9d1
Reports root / small

dynamic_domains_pgsql_mnesia_24 / pgsql_mnesia / c10f9d1
Reports root/ big
OK: 2861 / Failed: 0 / User-skipped: 133 / Auto-skipped: 0

dynamic_domains_pgsql_mnesia_23 / pgsql_mnesia / c10f9d1
Reports root/ big
OK: 2861 / Failed: 0 / User-skipped: 133 / Auto-skipped: 0

dynamic_domains_mysql_redis_24 / mysql_redis / c10f9d1
Reports root/ big
OK: 2844 / Failed: 0 / User-skipped: 150 / Auto-skipped: 0

ldap_mnesia_24 / ldap_mnesia / c10f9d1
Reports root/ big
OK: 1506 / Failed: 0 / User-skipped: 402 / Auto-skipped: 0

ldap_mnesia_23 / ldap_mnesia / c10f9d1
Reports root/ big
OK: 1506 / Failed: 0 / User-skipped: 402 / Auto-skipped: 0

dynamic_domains_mssql_mnesia_24 / odbc_mssql_mnesia / c10f9d1
Reports root/ big
OK: 2861 / Failed: 0 / User-skipped: 133 / Auto-skipped: 0

internal_mnesia_24 / internal_mnesia / c10f9d1
Reports root/ big
OK: 1547 / Failed: 0 / User-skipped: 361 / Auto-skipped: 0

elasticsearch_and_cassandra_24 / elasticsearch_and_cassandra_mnesia / c10f9d1
Reports root/ big
OK: 1854 / Failed: 0 / User-skipped: 369 / Auto-skipped: 0

pgsql_mnesia_23 / pgsql_mnesia / c10f9d1
Reports root/ big
OK: 3235 / Failed: 0 / User-skipped: 142 / Auto-skipped: 0

pgsql_mnesia_24 / pgsql_mnesia / c10f9d1
Reports root/ big
OK: 3235 / Failed: 0 / User-skipped: 142 / Auto-skipped: 0

mssql_mnesia_24 / odbc_mssql_mnesia / c10f9d1
Reports root/ big
OK: 3235 / Failed: 0 / User-skipped: 142 / Auto-skipped: 0

riak_mnesia_24 / riak_mnesia / c10f9d1
Reports root/ big
OK: 1697 / Failed: 0 / User-skipped: 368 / Auto-skipped: 0

A new function, tls/2 is used for all server- and client-side options. Functional changes: - verify_peer/verify_mode are replaced with just verify_mode that has the default value 'peer' for all connections. Previously the defaults varied a lot: - outgoing connection pools had no peer validation except Riak - listeners had no peer validation except s2s - c2s mode has the default value 'starttls' (there was no default) - server_name_indication for client conenctions has its own subsection

The new option formatting translates verify_mode to verify_peer and verify_fun. Now there are only three verification modes possible: - 'none' means no verification - 'peer' requires a valid peer cert signed by a trusted CA - 'selfsigned_peer' requires a valid peer cert signed by a trusted CA or a seld-signed cert This simplifies and unifies configuration. The three options are the only useful ones as well. A new utility function, make_ssl_opts, should be used for preparing all options passed directly to Erlang SSL.

Simplify the state record, introducing tls_mode

It is easier to comprehend than multiple booleans. tls_enabled is left because it changes when TLS is enabled.

Call mongoose_transport:starttls like ejabberd_c2s does.

The modules use 'mongoose_tls' now and the options contain server- and client-related ones as before.

Also: simplify LDAP options

Also: make an explicit error if 'required' is used for MySQL

- Set 'tls.verify_mode = "none"' for c2s and http listeners. This makes the default config equivalent to the previous one. - Skip 'tls.mode = "starttls"' for c2s, as it is the default value.

- Use common helpers for just_tls/fast_tls options. This is possible because of the unified config format.

Also: specify existing cert paths, which are checked now

There needs to be a separate helper for fast/just_tls, because there are conditional defaults there.

Remove 'verify_peer = true'. The default 'verify_mode = "peer"' is equivalent to the old option.

Use the new default_c2s_tls helper

mongoose-im · 2022-05-25T12:04:42Z

small_tests_24 / small_tests / 736e02a
Reports root / small

small_tests_23 / small_tests / 736e02a
Reports root / small

dynamic_domains_pgsql_mnesia_24 / pgsql_mnesia / 736e02a
Reports root/ big
OK: 2861 / Failed: 0 / User-skipped: 133 / Auto-skipped: 0

dynamic_domains_mysql_redis_24 / mysql_redis / 736e02a
Reports root/ big
OK: 2844 / Failed: 0 / User-skipped: 150 / Auto-skipped: 0

dynamic_domains_pgsql_mnesia_23 / pgsql_mnesia / 736e02a
Reports root/ big
OK: 2861 / Failed: 0 / User-skipped: 133 / Auto-skipped: 0

ldap_mnesia_24 / ldap_mnesia / 736e02a
Reports root/ big
OK: 1506 / Failed: 0 / User-skipped: 402 / Auto-skipped: 0

dynamic_domains_mssql_mnesia_24 / odbc_mssql_mnesia / 736e02a
Reports root/ big
OK: 2861 / Failed: 0 / User-skipped: 133 / Auto-skipped: 0

ldap_mnesia_23 / ldap_mnesia / 736e02a
Reports root/ big
OK: 1506 / Failed: 0 / User-skipped: 402 / Auto-skipped: 0

internal_mnesia_24 / internal_mnesia / 736e02a
Reports root/ big
OK: 1547 / Failed: 0 / User-skipped: 361 / Auto-skipped: 0

pgsql_mnesia_24 / pgsql_mnesia / 736e02a
Reports root/ big
OK: 3235 / Failed: 0 / User-skipped: 142 / Auto-skipped: 0

mysql_redis_24 / mysql_redis / 736e02a
Reports root/ big
OK: 3230 / Failed: 0 / User-skipped: 147 / Auto-skipped: 0

elasticsearch_and_cassandra_24 / elasticsearch_and_cassandra_mnesia / 736e02a
Reports root/ big
OK: 1854 / Failed: 0 / User-skipped: 369 / Auto-skipped: 0

mssql_mnesia_24 / odbc_mssql_mnesia / 736e02a
Reports root/ big
OK: 3235 / Failed: 0 / User-skipped: 142 / Auto-skipped: 0

riak_mnesia_24 / riak_mnesia / 736e02a
Reports root/ big
OK: 1697 / Failed: 0 / User-skipped: 368 / Auto-skipped: 0

pgsql_mnesia_23 / pgsql_mnesia / 736e02a
Reports root/ big
OK: 3235 / Failed: 0 / User-skipped: 142 / Auto-skipped: 0

Several tests started being skipped.

mongoose-im · 2022-05-26T06:45:26Z

small_tests_24 / small_tests / 669c0ae
Reports root / small

small_tests_23 / small_tests / 669c0ae
Reports root / small

dynamic_domains_pgsql_mnesia_23 / pgsql_mnesia / 669c0ae
Reports root/ big
OK: 2906 / Failed: 0 / User-skipped: 88 / Auto-skipped: 0

dynamic_domains_pgsql_mnesia_24 / pgsql_mnesia / 669c0ae
Reports root/ big
OK: 2905 / Failed: 1 / User-skipped: 88 / Auto-skipped: 0

service_domain_db_SUITE:db:db_domains_with_unknown_host_type_are_ignored_by_core

{error,
  {{badmatch,{error,not_found}},
   [{service_domain_db_SUITE,
      db_domains_with_unknown_host_type_are_ignored_by_core,1,
      [{file,
         "/home/circleci/project/big_tests/tests/service_domain_db_SUITE.erl"},
       {line,451}]},
    {test_server,ts_tc,3,[{file,"test_server.erl"},{line,1783}]},
    {test_server,run_test_case_eval1,6,
      [{file,"test_server.erl"},{line,1292}]},
    {test_server,run_test_case_eval,9,
      [{file,"test_server.erl"},{line,1224}]}]}}

Report log

dynamic_domains_mssql_mnesia_24 / odbc_mssql_mnesia / 669c0ae
Reports root/ big
OK: 2906 / Failed: 0 / User-skipped: 88 / Auto-skipped: 0

dynamic_domains_mysql_redis_24 / mysql_redis / 669c0ae
Reports root/ big
OK: 2889 / Failed: 0 / User-skipped: 105 / Auto-skipped: 0

ldap_mnesia_23 / ldap_mnesia / 669c0ae
Reports root/ big
OK: 1507 / Failed: 0 / User-skipped: 401 / Auto-skipped: 0

internal_mnesia_24 / internal_mnesia / 669c0ae
Reports root/ big
OK: 1592 / Failed: 0 / User-skipped: 316 / Auto-skipped: 0

ldap_mnesia_24 / ldap_mnesia / 669c0ae
Reports root/ big
OK: 1507 / Failed: 0 / User-skipped: 401 / Auto-skipped: 0

pgsql_mnesia_24 / pgsql_mnesia / 669c0ae
Reports root/ big
OK: 3292 / Failed: 1 / User-skipped: 97 / Auto-skipped: 0

muc_SUITE:hibernation:hibernated_room_can_be_queried_for_archive

{error,{{assertion_failed,assert,is_groupchat_message,
              [<<"Restorable message">>],
              undefined,"undefined"},
    [{escalus_new_assert,assert_true,2,
               [{file,"/home/circleci/project/big_tests/_build/default/lib/escalus/src/escalus_new_assert.erl"},
                {line,84}]},
     {muc_SUITE,wait_for_mam_result,3,
          [{file,"/home/circleci/project/big_tests/tests/muc_SUITE.erl"},
           {line,4383}]},
     {muc_SUITE,'-hibernated_room_can_be_queried_for_archive/1-fun-0-',3,
          [{file,"/home/circleci/project/big_tests/tests/muc_SUITE.erl"},
           {line,4124}]},
     {escalus_story,story,4,
            [{file,"/home/circleci/project/big_tests/_build/default/lib/escalus/src/escalus_story.erl"},
             {line,72}]},
     {muc_SUITE,hibernated_room_can_be_queried_for_archive,1,
          [{file,"/home/circleci/project/big_tests/tests/muc_SUITE.erl"},
           {line,4120}]},
     {test_server,ts_tc,3,[{file,"test_server.erl"},{line,1783}]},
     {test_server,run_test_case_eval1,6,
            [{file,"test_server.erl"},{line,1292}]},
     {test_server,run_test_case_eval,9,
            [{file,"test_server.erl"},{line,1224}]}]}}

Report log

mysql_redis_24 / mysql_redis / 669c0ae
Reports root/ big
OK: 3275 / Failed: 0 / User-skipped: 102 / Auto-skipped: 0

elasticsearch_and_cassandra_24 / elasticsearch_and_cassandra_mnesia / 669c0ae
Reports root/ big
OK: 1899 / Failed: 0 / User-skipped: 324 / Auto-skipped: 0

pgsql_mnesia_23 / pgsql_mnesia / 669c0ae
Reports root/ big
OK: 3280 / Failed: 0 / User-skipped: 97 / Auto-skipped: 0

mssql_mnesia_24 / odbc_mssql_mnesia / 669c0ae
Reports root/ big
OK: 3280 / Failed: 0 / User-skipped: 97 / Auto-skipped: 0

riak_mnesia_24 / riak_mnesia / 669c0ae
Reports root/ big
OK: 1760 / Failed: 1 / User-skipped: 323 / Auto-skipped: 0

pubsub_SUITE:dag+basic:subscribe_options_separate_request_test

{error,{{badmatch,{{<<"pubsub#deliver">>,<<"boolean">>,[]},
           <<"pubsub#deliver">>}},
    [{pubsub_tools,'-verify_form_values/2-fun-0-',2,
             [{file,"/home/circleci/project/big_tests/tests/pubsub_tools.erl"},
            {line,650}]},
     {lists,foreach,2,[{file,"lists.erl"},{line,1342}]},
     {pubsub_SUITE,'-subscribe_options_separate_request_test/1-lc$^1/1-1-',
             2,
             [{file,"/home/circleci/project/big_tests/tests/pubsub_SUITE.erl"},
            {line,505}]},
     {pubsub_SUITE,'-subscribe_options_separate_request_test/1-fun-2-',2,
             [{file,"/home/circleci/project/big_tests/tests/pubsub_SUITE.erl"},
            {line,507}]},
     {escalus_story,story,4,
            [{file,"/home/circleci/project/big_tests/_build/default/lib/escalus/src/escalus_story.erl"},
             {line,72}]},
     {test_server,ts_tc,3,[{file,"test_server.erl"},{line,1783}]},
     {test_server,run_test_case_eval1,6,
            [{file,"test_server.erl"},{line,1292}]},
     {test_server,run_test_case_eval,9,
            [{file,"test_server.erl"},{line,1224}]}]}}

Report log

dynamic_domains_pgsql_mnesia_24 / pgsql_mnesia / 669c0ae
Reports root/ big
OK: 2906 / Failed: 0 / User-skipped: 88 / Auto-skipped: 0

Premwoik

Looks good to me :)

src/config/mongoose_config_utils.erl

src/mongoose_tls.erl

src/ejabberd_receiver.erl

mongoose-im · 2022-05-26T14:29:45Z

small_tests_24 / small_tests / 41cf8b2
Reports root / small

small_tests_23 / small_tests / 41cf8b2
Reports root / small

dynamic_domains_pgsql_mnesia_23 / pgsql_mnesia / 41cf8b2
Reports root/ big
OK: 2906 / Failed: 0 / User-skipped: 88 / Auto-skipped: 0

dynamic_domains_pgsql_mnesia_24 / pgsql_mnesia / 41cf8b2
Reports root/ big
OK: 2906 / Failed: 0 / User-skipped: 88 / Auto-skipped: 0

dynamic_domains_mysql_redis_24 / mysql_redis / 41cf8b2
Reports root/ big
OK: 2889 / Failed: 0 / User-skipped: 105 / Auto-skipped: 0

ldap_mnesia_24 / ldap_mnesia / 41cf8b2
Reports root/ big
OK: 1507 / Failed: 0 / User-skipped: 401 / Auto-skipped: 0

ldap_mnesia_23 / ldap_mnesia / 41cf8b2
Reports root/ big
OK: 1507 / Failed: 0 / User-skipped: 401 / Auto-skipped: 0

dynamic_domains_mssql_mnesia_24 / odbc_mssql_mnesia / 41cf8b2
Reports root/ big
OK: 2906 / Failed: 0 / User-skipped: 88 / Auto-skipped: 0

internal_mnesia_24 / internal_mnesia / 41cf8b2
Reports root/ big
OK: 1592 / Failed: 0 / User-skipped: 316 / Auto-skipped: 0

pgsql_mnesia_24 / pgsql_mnesia / 41cf8b2
Reports root/ big
OK: 3280 / Failed: 0 / User-skipped: 97 / Auto-skipped: 0

pgsql_mnesia_23 / pgsql_mnesia / 41cf8b2
Reports root/ big
OK: 3291 / Failed: 1 / User-skipped: 97 / Auto-skipped: 0

pep_SUITE:pep_tests:unsubscribe_after_presence_unsubscription

{error,
  {{badmatch,
     [{xmlel,<<"message">>,
        [{<<"from">>,
        <<"alice_unsubscribe_after_presence_unsubscription_1757@localhost">>},
         {<<"to">>,
        <<"bob_unsubscribe_after_presence_unsubscription_1757@localhost/res1">>},
         {<<"type">>,<<"headline">>}],
        [{xmlel,<<"event">>,
           [{<<"xmlns">>,
           <<"http://jabber.org/protocol/pubsub#event">>}],
           [{xmlel,<<"items">>,
            [{<<"node">>,<<"FoXKdeIcDkeCBE6l4skPZA==">>}],
            [{xmlel,<<"item">>,
               [{<<"id">>,<<"salmon">>}],
               [{xmlel,<<"entry">>,
                  [{<<"xmlns">>,
                  <<"http://www.w3.org/2005/Atom">>}],
                  []}]}]}]},
         {xmlel,<<"headers">>,
           [{<<"xmlns">>,<<"http://jabber.org/protocol/shim">>}],
           []}]}]},
   [{pep_SUITE,'-unsubscribe_after_presence_unsubscription/1-fun-0-',2,
      [{file,"/home/circleci/project/big_tests/tests/pep_SUITE.erl"},
       {line,384}]},
    {escalus_story,story,4,
      [{file,
         "/home/circleci/project/big_tests/_build/default/lib/escalus/src/escalus_story.erl"},
       {line,72}]},
    {test_server,ts_tc,3,[{file,"test_server.erl"},{line,1754}]},
    {test_server,run_test_case_eval1,6,
      [{file,"test_server.erl"},{line,1263}]},
    {test_server,run_test_case_eval,9,
      [{file,"test_server.erl"},{line,1195}]}]}}

Report log

mysql_redis_24 / mysql_redis / 41cf8b2
Reports root/ big
OK: 3286 / Failed: 1 / User-skipped: 102 / Auto-skipped: 0

pep_SUITE:pep_tests:unsubscribe_after_presence_unsubscription

{error,
  {{badmatch,
     [{xmlel,<<"message">>,
        [{<<"from">>,
        <<"alice_unsubscribe_after_presence_unsubscription_1882@localhost">>},
         {<<"to">>,
        <<"bob_unsubscribe_after_presence_unsubscription_1882@localhost/res1">>},
         {<<"type">>,<<"headline">>}],
        [{xmlel,<<"event">>,
           [{<<"xmlns">>,
           <<"http://jabber.org/protocol/pubsub#event">>}],
           [{xmlel,<<"items">>,
            [{<<"node">>,<<"dA6osqnCKKUAOhyhAui9mQ==">>}],
            [{xmlel,<<"item">>,
               [{<<"id">>,<<"salmon">>}],
               [{xmlel,<<"entry">>,
                  [{<<"xmlns">>,
                  <<"http://www.w3.org/2005/Atom">>}],
                  []}]}]}]},
         {xmlel,<<"headers">>,
           [{<<"xmlns">>,<<"http://jabber.org/protocol/shim">>}],
           []}]}]},
   [{pep_SUITE,'-unsubscribe_after_presence_unsubscription/1-fun-0-',2,
      [{file,"/home/circleci/project/big_tests/tests/pep_SUITE.erl"},
       {line,384}]},
    {escalus_story,story,4,
      [{file,
         "/home/circleci/project/big_tests/_build/default/lib/escalus/src/escalus_story.erl"},
       {line,72}]},
    {test_server,ts_tc,3,[{file,"test_server.erl"},{line,1783}]},
    {test_server,run_test_case_eval1,6,
      [{file,"test_server.erl"},{line,1292}]},
    {test_server,run_test_case_eval,9,
      [{file,"test_server.erl"},{line,1224}]}]}}

Report log

elasticsearch_and_cassandra_24 / elasticsearch_and_cassandra_mnesia / 41cf8b2
Reports root/ big
OK: 1899 / Failed: 0 / User-skipped: 324 / Auto-skipped: 0

mssql_mnesia_24 / odbc_mssql_mnesia / 41cf8b2
Reports root/ big
OK: 3285 / Failed: 1 / User-skipped: 97 / Auto-skipped: 0

muc_SUITE:register:user_submits_registration_form

{error,
  {{assertion_failed,assert,is_iq_result,
     [{xmlel,<<"iq">>,
        [{<<"type">>,<<"set">>},
         {<<"id">>,<<"be06fb69ab8b5254f6472921a644e8cf">>},
         {<<"to">>,<<"muc.localhost">>}],
        [{xmlel,<<"query">>,
           [{<<"xmlns">>,<<"jabber:iq:register">>}],
           [{xmlel,<<"x">>,
            [{<<"xmlns">>,<<"jabber:x:data">>},
             {<<"type">>,<<"submit">>}],
            [{xmlel,<<"field">>,
               [{<<"type">>,<<"hidden">>},
                {<<"var">>,<<"FORM_TYPE">>}],
               [{xmlel,<<"value">>,[],
                  [{xmlcdata,<<"jabber:iq:register">>}]}]},
             {xmlel,<<"field">>,
               [{<<"type">>,<<"text-single">>},
                {<<"var">>,<<"nick">>}],
               [{xmlel,<<"value">>,[],
                  [{xmlcdata,
                     <<"thirdwitchroom-2f07ede86e">>}]}]}]}]}]}],
     {xmlel,<<"iq">>,
       [{<<"from">>,<<"muc.localhost">>},
        {<<"to">>,
         <<"alice_user_submits_registration_form_1921@localhost/res1">>},
        {<<"type">>,<<"error">>},
        {<<"xml:lang">>,<<"en">>},
        {<<"id">>,<<"be06fb69ab8b5254f6472921a644e8cf">>}],
       [{xmlel,<<"query">>,
          [{<<"xmlns">>,<<"jabber:iq:register">>}],
          [{xmlel,<<"x">>,
             [{<<"xmlns">>,<<"jabber:x:data">>},
            {<<"type">>,<<"submit">>}],
             [{xmlel,<<"field">>,
              [{<<"type">>,<<"hidden">>},
               {<<"var">>,<<"FORM_TYPE">>}],
            ...

Report log

riak_mnesia_24 / riak_mnesia / 41cf8b2
Reports root/ big
OK: 1742 / Failed: 0 / User-skipped: 323 / Auto-skipped: 0