CESNET / netopeer2

NETCONF toolset
BSD 3-Clause "New" or "Revised" License

TLS configuration query, generated keys #1459

Open nicholasthorn opened 10 months ago

nicholasthorn commented 10 months ago

Hello,

Firstly, thanks for the excellent software & support!

I have a query about TLS configuration; I have searched through the issues / read the documentation and it didn't quite explain it - perhaps you can point me at some.

We are updating from the legacy branch to the latest version of the sysrepo/netopeer stack. We had TLS working fine with the legacy branch & our own generated private key & server certificates; however, on the new version, as the YANG models have changed, it's not quite clear what to populate the keystore/asymmetric-keys/asymmetric-key/public-key node with.

In the example config this isn't provided; only the server cert. To my understanding this contains the public-key - is this correct? What do you suggest populating the public-key node with? If there are any good resources you could recommend on TLS they would be appreciated too.

Thanks!

michalvasko commented 10 months ago

This should be the draft of the YANG modules being used; all the information about them should be there. Also, if you are looking for examples, look at this README section.

nicholasthorn commented 10 months ago

Thanks. Yes, the example configuration is what I mean. The server public-key in the tls-keystore.xml doesn't map to any of the supplied keys or certificates that I can see. So it isn't clear where it comes from.

michalvasko commented 10 months ago

In the directory tls_certs there are 3 pairs of private keys and the corresponding certificates. The server public key is from the said certificate. I thought it would be obvious.
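
As an added example (not code from the netopeer2 project or from this thread), the shell script below does what Michal describes: it derives the keystore public-key value from a server certificate, cross-checks it against the matching private key, and emits the asymmetric-key fragment. It generates a throwaway key pair and self-signed certificate as stand-ins for one of the pairs in tls_certs, assumes openssl is on PATH, and assumes the public-key-format is the ietf-crypto-types subject-public-key-info-format (node names other than public-key, and the namespace, are assumptions rather than copied from the example config).

```shell
#!/bin/sh
# Added example, not netopeer2 project code. Derives the value for
# keystore/asymmetric-keys/asymmetric-key/public-key from a server
# certificate and checks it against the private key. Assumes openssl on PATH.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed throwaway key pair + self-signed certificate, standing in for
# one of the key/certificate pairs shipped in tls_certs.
make_test_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=netopeer2-example" \
        -keyout "$WORK/server.key" -out "$WORK/server.crt" >/dev/null 2>&1
}

# SubjectPublicKeyInfo of a certificate as one base64 line: the PEM body of
# `openssl x509 -pubkey` with the BEGIN/END lines and newlines stripped.
spki_from_cert() {
    openssl x509 -in "$1" -pubkey -noout | sed '/^-----/d' | tr -d '\n'
}

# The same value computed from the private key, for cross-checking.
spki_from_key() {
    openssl pkey -in "$1" -pubout | sed '/^-----/d' | tr -d '\n'
}

# Succeeds only if the certificate was issued for this private key, i.e. the
# public key embedded in the cert equals the one derived from the key.
cert_matches_key() {
    [ "$(spki_from_cert "$1")" = "$(spki_from_key "$2")" ]
}

# Emit the asymmetric-key fragment. Node names other than public-key and the
# ietf-crypto-types identity/namespace are assumed, not taken from the thread.
keystore_fragment() {
    cat <<EOF
<asymmetric-key xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types">
  <name>$1</name>
  <public-key-format>ct:subject-public-key-info-format</public-key-format>
  <public-key>$(spki_from_cert "$2")</public-key>
</asymmetric-key>
EOF
}

if [ "${1:-}" = "demo" ]; then
    make_test_certs
    cert_matches_key "$WORK/server.crt" "$WORK/server.key" && echo "key and cert match"
    keystore_fragment server_key "$WORK/server.crt"
fi
```

Run it with the argument `demo` to print the fragment; a mismatch between cert_matches_key's two inputs is the usual sign that the certificate and the cleartext-private-key were taken from different pairs.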

nicholasthorn commented 10 months ago

“A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools.” :-)

Thanks Michal, makes sense & I've got that working.

Regarding the client.crt, in the legacy version of netopeer this was not required. My understanding is that the client cert is provided as part of the TLS handshake - rather than being preloaded into the truststore as in the example. Is it expected that clients will provide certs to be preloaded like this?

michalvasko commented 10 months ago

The server needs to authenticate the client somehow; it can do so based on a trusted certificate, which can be directly the client certificate or any CA certificate in its certificate chain. Not sure how it worked before; some certificate had to be trusted, but maybe it was a CA one instead of the peer one.