ROX-31430: delegate TLS to host implementation #168
Conversation
|
I would recommend using native_tls and leaving FIPS compliance to the host operating system. |
I've changed the approach but haven't pushed out the commit yet, I'm getting a weird error when connecting to sensor with native_tls. I will update the PR once I get everything working correctly. Thanks for the suggestion @neverpanic! |
Molter73
force-pushed
the
mauro/ROX-31430/fips-compliance
branch
5 times, most recently
from
9e479d3 to
9152bb4
Compare
Molter73
changed the title
Molter73
force-pushed
the
mauro/ROX-31430/fips-compliance
branch
from
9152bb4 to
0d718b7
Compare
With this patch, we move away from using the tonic provided TLS implementation to injecting a manually built native-tls configuration, then using that to create a hyper HttpsConnector and finally telling tonic to use that connector for handling the underlying HTTPs connections needed for gRPC. In case no TLS certificates are provided, plain HTTP is used.
Molter73
force-pushed
the
mauro/ROX-31430/fips-compliance
branch
from
0d718b7 to
9f1b0d8
Compare
| let certs = { | ||
| let config = self.config.borrow(); | ||
| let Some(certs) = config.certs() else { | ||
| return Ok(None); |
There was a problem hiding this comment.
This part I don't follow, certs could just be None and passed further?
| }; | ||
| certs.to_owned() | ||
| }; | ||
| let (ca, cert, key) = tokio::try_join!( |
There was a problem hiding this comment.
Do I see it correctly, that try_join! macro joins concurrent activity? If yes, why is it needed here?
| Ok(Some(connector.into())) | ||
| } | ||
|
|
||
| fn get_https_connector( |
There was a problem hiding this comment.
This sounds like a very lightweight function, can't it be a part of get_tls_connector?
| let channel = Channel::from_shared(url)?; | ||
| let channel = match connector { | ||
| Some(connector) => channel.connect_with_connector(connector).await?, | ||
| None => channel.connect().await?, |
There was a problem hiding this comment.
I assume this would be an attempt to talk over an unencrypted channel, right? If that's the case, worth adding a warning log message.
3 participants
Description
With this patch, we move away from using the tonic provided TLS implementation to injecting a manually built native-tls connector, then using that to create a hyper HttpsConnector and finally telling tonic to use that connector for handling the underlying HTTPs connections needed for gRPC. In case no TLS certificates are provided, plain HTTP is used.
With native-tls TLS will be handled by the OS implementation, which in linux will default to openssl. This is important for FIPS compliance, since having a FIPS compliant openssl implementation will automatically allow us to be FIPS compliant by proxy.
Checklist
Automated testing
If any of these don't apply, please comment below.
Testing Performed
Run fact on a stackrox deployment and validated it connected to sensor correctly.