-
Notifications
You must be signed in to change notification settings - Fork 92
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Documentation: improve TLS docs. #70
Comments
There's a great writeup of TLS from @hickeng in vmware/vic#3087 (comment). |
Too late for GA. TLS is well-covered by @hickeng 's rewrites. Reinstate the security overview to the doc in a post-GA update. |
Definitely something that we should try to squeeze into 1.1. |
Comment from vmware/vic#3486, that needs checking.Following a question from @mreferre: We do currently state that --no-tlsverify only creates/uploads server certs, and that clients are unverified. However, the writeup of --no-tls states pretty much the same about the client side and doesn't say much about the absence of a server cert. We need to make it 100% clear that with --no-tls there is no server cert. In other words, with --no-tlsverify, any client can connect, but at least the connection between the client and server is a secure one. With --no-tls, any client can connect, and the connection itself is insecure. |
@stuclem @mreferre is correct in his characterization, and if it's not apparent in the current docs the we should make it so. The primary vulnerabilities by config are:
|
Thanks @hickeng. Bumping this up to a To Do. |
Added the detail about encrypted/unencrypted comms, and moved all of the security options into the Security section (i.e. moved the so-called advanced ones out of the Advanced Options section) in stuclem@7902648. Moving back to backlog and 1.1 refresh as more work required after GA. |
This is a bigger job than we have time for in 1.1.1. Pushing out to 1.2, where it will be addressed as a part of #26. |
For convenience, here is @hickeng 's text from vmware/vic#3087 (comment): Certificates in generalA certificate is made up of two parts and I try to refer to those two parts as a single entity, but do fall into plurals on occasion:
The naming conventions are as follows for paired certificate and key files: Docker and certificate usageThere are four certificates in play with a tlsverify configuration:
As a convenience, vic-machine generates one CA that is used for both (3) and (4), and uses that to sign both (1) and (2). This means that the clients must be given the public part of the CA in order to be able to trust the server, as well as the client certificate, for each VCH they use (unless sharing access across VCHs). In a production deployment I would expect: DOCKER_CERT_PATHDocker requires the following names to be used if certificates are to be automatically consumed from DOCKER_CERT_PATH on the client machine: vic-machine TLS options:--no-tls: this is a horrible deployment choice for anything but a lab but was common prior to the addition of the tlsverify mechanism in 0.7.0 - hopefully Admiral will be updated soon to allow for the tlsverify configuration --no-tlsverify: the certificate generated with this option is a server certificate and should exist on the VCH endpoint VM and should not be needed by Admiral - the fact it's not saved in 0.7.0 is entirely my fault (see PR at the bottom of this comment). This certificate allows the client to confirm the servers identity (as with banking websites, etc) so long as the client can validate the certificate chain - this may require the CA be provided to the client if using self-signed certificates. The server certificate files should now be named as expected by the docker client. This does not require the client to verify it's identity for the server. --tls-cname: supplying this option also creates a certificate authority and client certificates signed by that authority so allow the server (endpointVM) to confirm the clients identity. The client certificate files should be the ones that Admiral requires.
If generating authority (CA), client, and server certificates then the same CA is used for both client and server. In this case the ca.pem file needs to be: Some of this info is already in the docs, but we need to check that all of it is there. |
From @stuclem on November 8, 2016 12:27
The TLS docs need more work.
Comment from @hickeng by email:
I suggest we separate (the TLS doc) in the following manner:
--> what certificates are required for each of these (certificate authority, server certificate and key, client certificate and key), which role needs which certificates and how they're used in installation.
--> explicitly not talking about how those certificates are obtained
Then a separate section on the fact that we generate trivial versions of these certificates as a convenience when possible (--tls-cname or --client-network-ip), and that if wanting more control over the certificates than we provide for that the certificates can be generated by standard means (e.g. openssl for linux) or obtained from a certificate provider (https://en.wikipedia.org/wiki/Certificate_authority#Providers)
See also:
Copied from original issue: vmware/vic#3055
The text was updated successfully, but these errors were encountered: