-
Notifications
You must be signed in to change notification settings - Fork 31
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
TLS #53
base: master
Are you sure you want to change the base?
TLS #53
Conversation
I think this work has progressed far enough to be (somewhat) more widely testable. The unittest process creates a consistent set of TLS certificates which may be useful for some manual testing. Though I would not recommend them for anything beyond some basic exploration. Some knowledge of x509 certificates will be needed to go beyond the recipe shown below. An example of running the
Verification is easier with an IOC.
On the client side, switching from
|
Update. @kasemir When built against what will become openssl 3.2.x, |
❌ Build pvxs 1.0.925 failed (commit 2dd4c3047b by @mdavidsaver) |
✅ Build pvxs 1.0.932 completed (commit 17690ff5cf by @mdavidsaver) |
Updated to add |
I have also added another make variable Also like So if all goes well, the added dependency on libssl should not require changes to downstream Makefiles... |
✅ Build pvxs 1.0.940 completed (commit 2ddbc86084 by @mdavidsaver) |
❌ Build pvxs 1.0.1004 failed (commit d451688aef by @mdavidsaver) |
Rebased branch, and extended the output of
The server is "anonymous" as plain PVA does not send server credentials.
Here the server is "ioc1" through use of |
Applying OpenSSL to PVXS.
Wire compatibility with existing (plain tcp) clients/servers is maintained. Likewise this PR is compatible with work by @kasemir adding TLS support to core.pva in the phoebus repository.
To maintain compatibility. When configured with a keychain file, client search requests include two "protocol" names:
tcp
andtls
. Server listens on a second TCP port for TLS connections, prefers to respond withtls
when both present.Adds
x509
AUTHZ method. Client advertisesx509
when configured with a client certificate. Server prefersx509
toca
. If selected, uses client certcommonName
as account name. eg.CN=foo
appears to ACF logic asfoo
. (note, this really needs an extension to the ACF logic to account for different source of accounts)TLS features/restrictions
pva/1
. (mandatory?)New Configuration:
$EPICS_PVAS_TLS_KEYCHAIN
$EPICS_PVA_TLS_KEYCHAIN
name of a PKCS12 file containing some combination of key, server/client certificate, and/or CA certificates. The file path may optionally be followed by;
and a password. eg.EPICS_PVAS_TLS_KEYCHAIN=/path/to/some.p12;secret
.$EPICS_PVAS_TLS_OPTIONS
$EPICS_PVA_TLS_OPTIONS
space separated list of key=value pairs. Currently supported areclient_cert=optional
andclient_cert=require
.$EPICS_PVAS_TLS_PORT
$EPICS_PVA_TLS_PORT
default port to listen for TLS connections$OPENSSL_CONF
Location of OpenSSL config file. Defaults to/usr/lib/ssl/openssl.cnf
on Linux. Application namepvxs
is used.$SSLKEYLOGFILE
If set, TLS session keys will be written here. eg. for use by wireshark. cf. Decode PVA in TLS via ALPN mdavidsaver/cashark#14 (may be disabled at build time withmake PVXS_ENABLE_SSLKEYLOGFILE=NO ...
)Building:
libevent
must be built with optional openssl support (bundled build will detect).openssl
is expected to be installed in the default search path. I have no plans to bundled openssl.TODO:
$EPICS_PVA_NAME_SERVERS
w/ URI-ishpvas://1.2.3.4:5678
.keytool
(OpenSSL parser for PKCS12 is... limited)openssl pkcs12
orkeytool
. (although Java can't current work with openssl created files)x509
AUTHZ method designauthority
alongsidemethod
andaccount
Supersedes https://github.com/mdavidsaver/pvxs-dev/pull/2