TLS termination #168

mostafa opened this issue Feb 26, 2023 · 1 comment
mostafa commented Feb 26, 2023

This project has the following parts:

Now that both the client and server connections use the net/tcp stdlib (#343), they both can use the crypto/tls stdlib and also the boringcrypto library.

When an incoming connection connects, the TLS handshake will happen underneath and the code accesses the data in plaintext. The plaintext data will pass around in the core and plugins until it reaches the server that gatewayd also connected to via TLS. The plugins use mTLS to talk with the core. So, this is how it works:

```mermaid
%%{init: {'theme': 'base'} }%%
sequenceDiagram
    participant Client
    participant GatewayD
    participant PostgreSQL

    note right of Client: Client optionally requests TLS
    rect rgb(250, 250, 250)
        note left of GatewayD: GatewayD terminates TLS request
        Client->>GatewayD: SSLRequest (plaintext)

        alt TLS is accepted
            GatewayD-->>Client: S (start TLS handshake)
        else TLS is rejected
            GatewayD-->>Client: N (optionally, start plaintext auth)
        end

        opt TLS handshake
            Client->>GatewayD: Client Hello
            GatewayD->>Client: Server Hello
            Client->>GatewayD: Establish secure channel over TCP
        end
    end
    rect rgb(240, 240, 240)
        note right of Client: Auth with PostgreSQL
        Client-->>PostgreSQL: Send StartupMessage over encrypted or plaintext channel
        PostgreSQL-->>Client: Authenticated
    end
```
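The SSLRequest exchange in the diagram above, as an added Go example that is not part of gatewayd's code: it reads the client's plaintext SSLRequest from a fresh connection, answers `S` and terminates TLS with `crypto/tls` when the gateway has a TLS config, or `N` when it has none. The function name `TerminateTLS`, its parameters and the helper `IsSSLRequest` are assumptions for this illustration.

```go
package main

import (
	"crypto/tls"
	"encoding/binary"
	"errors"
	"io"
	"net"
)

// PostgreSQL SSLRequest (sent in plaintext before the StartupMessage):
// int32 length = 8, then int32 code = 80877103 (major 1234, minor 5679).
const sslRequestCode = 80877103

// IsSSLRequest reports whether the first 8 bytes on a fresh connection form an SSLRequest.
func IsSSLRequest(b []byte) bool {
	return len(b) == 8 &&
		binary.BigEndian.Uint32(b[0:4]) == 8 &&
		binary.BigEndian.Uint32(b[4:8]) == sslRequestCode
}

// TerminateTLS (hypothetical name) answers the client's SSLRequest: 'S' plus a TLS
// handshake when the gateway has a TLS config, 'N' (client may continue in plaintext)
// when it has none. It returns the connection the StartupMessage must now be read
// from and whether that connection is encrypted.
func TerminateTLS(conn net.Conn, cfg *tls.Config) (net.Conn, bool, error) {
	var hdr [8]byte
	if _, err := io.ReadFull(conn, hdr[:]); err != nil {
		return nil, false, err
	}
	if !IsSSLRequest(hdr[:]) {
		// A client that starts with a StartupMessage never asked for TLS; a real
		// gateway would replay these 8 bytes into the plaintext path instead.
		return nil, false, errors.New("first message is not an SSLRequest")
	}
	if cfg == nil {
		_, err := conn.Write([]byte{'N'})
		return conn, false, err
	}
	if _, err := conn.Write([]byte{'S'}); err != nil {
		return nil, false, err
	}
	// From here on the handshake runs inside the TCP stream; the gateway reads plaintext.
	tlsConn := tls.Server(conn, cfg)
	if err := tlsConn.Handshake(); err != nil {
		return nil, false, err
	}
	return tlsConn, true, nil
}
```

If policy requires encryption on the client side, close the connection instead of answering `N`, since a client that receives `N` is free to send its StartupMessage and credentials in plaintext.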
mostafa commented Nov 7, 2023

Client-side TLS termination is implemented in v0.8.x milestone and the rest will be picked up later.
