gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0
17.29k stars, 1.73k forks

Document mitigations for Cloudflare Warp `tsh` breakages #39768

Open codingllama opened 5 months ago

codingllama commented 5 months ago

Cloudflare Warp can cause tsh logins to fail as follows (observed in Teleport v13.4.14 and v14):

❯ tsh login --proxy=hello.myproxy.com:443

ERROR REPORT:
Original Error: *tls.CertificateVerificationError tls: failed to verify certificate: x509: certificate signed by unknown authority
Stack Trace:
github.com/gravitational/teleport/api@v0.0.0/client/alpn.go:148 github.com/gravitational/teleport/api/client.(*ALPNDialer).DialContext
github.com/gravitational/teleport/lib/utils/proxy/proxy.go:71 github.com/gravitational/teleport/lib/utils/proxy.directDial.DialTimeout
github.com/gravitational/teleport/lib/utils/proxy/proxy.go:58 github.com/gravitational/teleport/lib/utils/proxy.directDial.Dial
github.com/gravitational/teleport/lib/client/api.go:3136 github.com/gravitational/teleport/lib/client.makeProxySSHClientWithTLSWrapper
github.com/gravitational/teleport/lib/client/api.go:3055 github.com/gravitational/teleport/lib/client.makeProxySSHClient
github.com/gravitational/teleport/lib/client/api.go:3002 github.com/gravitational/teleport/lib/client.(*TeleportClient).connectToProxy
github.com/gravitational/teleport/lib/client/api.go:2979 github.com/gravitational/teleport/lib/client.(*TeleportClient).ConnectToProxy.func1
runtime/asm_arm64.s:1172 runtime.goexit
User Message: Unable to connect to ssh proxy at admin.teleport.tech.hextech.io:443. Confirm connectivity and availability.
tls: failed to verify certificate: x509: certificate signed by unknown authority

This is due to Warp changing the Teleport certificate.

The certificate may be observed via `openssl s_client -showcerts -connect www.example.com:443 < /dev/null | openssl x509 -noout -text` (Cloudflare should appear in the Subject instead of the expected values).

What would you like Teleport to do?

Document mitigations for Cloudflare Warp, including:

  1. SSL_CERT_FILE or SSL_CERT_DIR (considering that SSL_CERT_FILE can make tsh fail due to the modified chain)
  2. Upgrade to Teleport version v15.1 or newer (https://github.com/gravitational/teleport/pull/38108)
  3. Cloudflare Warp bypass and/or exposing a non-mangled path to the internet.

What problem does this solve?

See above.

If a workaround exists, please include it.

See above.
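As an added example (not Teleport's own code), the verification tsh effectively performs, written against Go's crypto/x509 so it runs offline: `MintChain` builds a constructed CA and leaf (the CA names "Teleport Proxy CA" and "Cloudflare Warp CA" used with it are stand-ins, not real certificates; `hello.myproxy.com` is the proxy name from the report above), and `InspectChain` reports the leaf issuer, whether the chain verifies, and whether the failure is the `x509.UnknownAuthorityError` quoted in the stack trace. The `must` helper is also assumed here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// InspectChain verifies leaf for host the way a Go TLS client such as tsh does. It returns
// the leaf issuer (where an intercepting CA becomes visible even if the subject still names
// the proxy), whether the chain verifies, and whether the failure is the
// x509.UnknownAuthorityError quoted in the report above. A nil roots pool means the system
// roots, which Go on Linux loads from SSL_CERT_FILE / SSL_CERT_DIR when they are set.
func InspectChain(leaf *x509.Certificate, roots *x509.CertPool, host string) (issuer string, trusted, unknownCA bool) {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	var ua x509.UnknownAuthorityError
	return leaf.Issuer.String(), err == nil, errors.As(err, &ua)
}

// must panics on err; everything below is constructed test data with nothing to recover from.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// MintChain builds a constructed CA named caName and a leaf for host signed by it. Called once
// with a stand-in proxy CA and once with a stand-in Warp CA, it models both chains tsh may see.
func MintChain(caName, host string) (leaf *x509.Certificate, roots *x509.CertPool) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: caName}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: ca.NotBefore, NotAfter: ca.NotAfter, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey))))
	roots = x509.NewCertPool()
	roots.AddCert(ca)
	return leaf, roots
}
```

Running `InspectChain` on the Warp-signed leaf against a pool holding only the proxy CA reproduces the unknown-authority failure with the intercepting CA named in the issuer, while a pool that also contains the Warp CA (what SSL_CERT_FILE or SSL_CERT_DIR adds) verifies. A hostname mismatch fails without being reported as an unknown CA, which separates the two symptoms.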

codingllama commented 5 months ago

Assuming v15.1 solves this completely, the issue might be moot once v14 and v13 are out of the release cycle.