MatrixAI / js-quic

QUIC Networking for TypeScript & JavaScript
https://matrixai.github.io/js-quic/
Apache License 2.0

TLS Rotation for QUICServer and QUICClient #3

Closed CMCDragonkai closed 1 year ago

CMCDragonkai commented 1 year ago

Specification

TLS certs may be changed while the server is running, or while we are using the client. We need to be able to swap out the TLS certs without impacting old connections.

QUICServer

The QUICServer manages multiple QUICConnection connections. Each QUICConnection is created with a QUICConfig POJO.

This means that when we swap out the TLS, we don't change the existing QUICConnection. We only change how new QUICConnection instances will get created.

So our QUICServer needs new methods such as:

QUICServer.setTLSConfig(keyPrivatePem: PrivateKeyPEM, certChainPem: CertificatePEMChain);

This function would "update" the config POJO object. New connections would be initiated with the new TLS configuration. Existing connections would continue to use the old QuicheConfig object and would not be affected by the updated config POJO.

Tests should start with 1 cert and create connections; while those are running, create a new cert, rotate to it, and then create new connections using the new cert, while the old connections are still valid.

QUICClient

The QUICClient is one to one with a single QUICConnection. This means a client cannot have its TLS config rotated live. Instead, it's simply a matter of creating new QUIC clients with the new TLS config.

During testing of the QUICServer.setTLSConfig, tests should start new QUIC clients with the new TLS configuration too.

Remember, when updating the TLS configuration... we are really doing 2 things:

  1. Updating how the server/client presents themselves.
  2. Updating what the server/client accepts as acceptable certificates.

In our PK P2P situation, we won't just use the OS default certificate store. We will actually want to verify that the other cert is one that we trust.

This means when PK is using it, it actually has to disable the peer verification and put in its own custom verification: https://github.com/cloudflare/quiche/issues/326#issuecomment-577281881.

This technically means we don't really care about the certificate store.


These 2 functions in the config are not relevant to us.

Additional context

Tasks

  1. Add in setTLSConfig to QUICServer.
  2. Test rotation of certificates
  3. Explore if we want to also be able to rotate the trusted certificate authorities too.

tegefaulkes commented 1 year ago

Tasks 1 and 2 are done. I'm skipping task 3 for now unless we really need it.

CMCDragonkai commented 1 year ago

What's the difference between rotating certs and rotating CA certs?

tegefaulkes commented 1 year ago

This has been updated. We can now modify the whole QUICConfig using QUICServer.updateConfig(config: Partial<QUICConfig>)

We can use this to update the TLS certs and the CA cert. The CA cert can't be set from a cert in memory for now; I still need to add that.
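An added example, not js-quic's code and not from either commenter, modelling the two halves of rotation set out in the opening comment (what a side presents, and what it accepts) together with the updateConfig(config: Partial<QUICConfig>) shape from the last comment. ModelServer, ModelConnection, TLSConfig, trustedPeerFingerprints, verifyPeer and the placeholder PEM strings are assumptions made for illustration. Each connection snapshots the config at creation so a later rotation cannot reach it, and peer verification pins SHA-256 fingerprints of trusted certificates in place of a certificate store, which is the custom-verification route the issue describes for the PK P2P case:

```typescript
import { createHash } from 'node:crypto';

// Assumed shape standing in for the TLS-relevant part of a QUICConfig POJO.
type TLSConfig = {
  keyPrivatePem: string;
  certChainPem: string;
  // SHA-256 fingerprints of peer certificates we accept: the "what we accept"
  // half of a rotation, replacing the OS certificate store (assumption).
  trustedPeerFingerprints: Set<string>;
};

function fingerprint(certPem: string): string {
  return createHash('sha256').update(certPem).digest('hex');
}

function cloneConfig(c: TLSConfig): TLSConfig {
  // Copy the Set too, so a later updateConfig() cannot leak into a
  // connection that was created earlier.
  return { ...c, trustedPeerFingerprints: new Set(c.trustedPeerFingerprints) };
}

class ModelConnection {
  private readonly tls: TLSConfig;
  constructor(readonly id: number, config: TLSConfig) {
    this.tls = cloneConfig(config); // snapshot taken at connection creation
  }
  // The "how we present ourselves" half: the chain sent in the handshake.
  presentedCertChain(): string {
    return this.tls.certChainPem;
  }
  // Custom peer verification instead of the default store: accept only
  // certificates whose fingerprint was trusted when this connection began.
  verifyPeer(peerCertPem: string): boolean {
    return this.tls.trustedPeerFingerprints.has(fingerprint(peerCertPem));
  }
}

class ModelServer {
  private config: TLSConfig;
  private nextId = 0;
  readonly connections: ModelConnection[] = [];
  constructor(config: TLSConfig) {
    this.config = cloneConfig(config);
  }
  // Same shape as updateConfig(config: Partial<QUICConfig>) in the thread:
  // the POJO is replaced, not mutated, so existing snapshots stay isolated.
  updateConfig(partial: Partial<TLSConfig>): void {
    this.config = cloneConfig({ ...this.config, ...partial });
  }
  accept(): ModelConnection {
    const conn = new ModelConnection(this.nextId++, this.config);
    this.connections.push(conn);
    return conn;
  }
}

// Constructed placeholder PEM strings; not real keys or certificates.
const SERVER_CERT_V1 = '-----BEGIN CERTIFICATE-----\nserver-v1\n-----END CERTIFICATE-----';
const SERVER_CERT_V2 = '-----BEGIN CERTIFICATE-----\nserver-v2\n-----END CERTIFICATE-----';
const PEER_CERT_V1 = '-----BEGIN CERTIFICATE-----\npeer-v1\n-----END CERTIFICATE-----';
const PEER_CERT_V2 = '-----BEGIN CERTIFICATE-----\npeer-v2\n-----END CERTIFICATE-----';

function rotationScenario() {
  const server = new ModelServer({
    keyPrivatePem: '-----BEGIN PRIVATE KEY-----\nserver-key-v1\n-----END PRIVATE KEY-----',
    certChainPem: SERVER_CERT_V1,
    trustedPeerFingerprints: new Set([fingerprint(PEER_CERT_V1)]),
  });
  const before = server.accept();

  // Rotate both halves at once: new identity, and a new trusted peer.
  server.updateConfig({
    keyPrivatePem: '-----BEGIN PRIVATE KEY-----\nserver-key-v2\n-----END PRIVATE KEY-----',
    certChainPem: SERVER_CERT_V2,
    trustedPeerFingerprints: new Set([fingerprint(PEER_CERT_V2)]),
  });
  const after = server.accept();

  // Rotate only the trust half (the "CA" side of the question in the thread):
  // identity presented is unchanged, accepted peers widen for new connections.
  server.updateConfig({
    trustedPeerFingerprints: new Set([fingerprint(PEER_CERT_V1), fingerprint(PEER_CERT_V2)]),
  });
  const trustOnly = server.accept();

  return {
    connectionCount: server.connections.length,
    beforePresents: before.presentedCertChain(),
    afterPresents: after.presentedCertChain(),
    trustOnlyPresents: trustOnly.presentedCertChain(),
    beforeAcceptsOldPeer: before.verifyPeer(PEER_CERT_V1),
    beforeAcceptsNewPeer: before.verifyPeer(PEER_CERT_V2),
    afterAcceptsOldPeer: after.verifyPeer(PEER_CERT_V1),
    afterAcceptsNewPeer: after.verifyPeer(PEER_CERT_V2),
    trustOnlyAcceptsOldPeer: trustOnly.verifyPeer(PEER_CERT_V1),
    trustOnlyAcceptsNewPeer: trustOnly.verifyPeer(PEER_CERT_V2),
  };
}
```

The rotation test sketched in the opening comment maps onto rotationScenario(): the first connection keeps presenting the v1 chain and keeps trusting only the v1 peer after both rotations, while each later connection sees exactly the config that was current when it was accepted. Replacing the config object rather than mutating it is what makes that isolation hold without any per-connection locking.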