inclavare-containers / rats-tls

RATS architecture based TLS using librats

How to Replace Transport Layer Protocols Dependent on Some Applications with Rats-TLS? #190

Open shouquan851 opened 5 months ago

shouquan851 commented 5 months ago

I want to replace the transport layer protocols that some applications rely on with Rats-TLS. For example, replace TLS in Nginx with Rats-TLS or configure JDBC connections in MySQL to use Rats-TLS. What should I do? Thanks.

jiazhang0 commented 5 months ago

This is a good question to challenge the usage of rats-tls or librats in practice. In fact, rats-tls is an SDK wrapping openssl tls apis to implement a set of easy-to-use APIs to be called by a higher level component to establish a trusted and secure channel between endpoints. This suits the new components developed for the purpose of network confidential computing from the beginning, rather than the existing scenarios you mentioned.

If librats (rather than rats-tls) tries to reach out to your scenarios, it should:

If you are interested in developing such a hook library for librats, please contact me via my email for a detailed discussion.

imlk0 commented 5 months ago

Hi @shouquan851, rats-tls is not currently ready to painlessly replace the TLS implementation in an arbitrary program. You need quite a few code changes even if you have the source code of the program.

However, you may benefit from this unmerged PR, which provided an experimental and painless way to replace TLS with rats-tls. The basic idea of this PR is to hook the libssl.so linked by the target program with some LD_PRELOAD magic. Therefore it also has some limitations, i.e., it only works on programs which implement TLS using openssl and also link to libssl.so dynamically. This PR has been tested on nginx, and you can read the samples/openssl-hook/README.md file for more information.

For the JDBC connections, AFAIK, these connections are TCP/IP connections. So one solution is to wrap them in TLS first, and then utilize the PR I mentioned above. I'm not familiar with the details of the JDBC implementation, so I don't know if there is an option to configure it to use TLS. And if not, you can also address the first step with a TLS tunnel. You may want to take a look at the openssl-listen and openssl-connect options of the socat tool.
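
The LD_PRELOAD approach above only applies to programs that link libssl.so dynamically, so the first thing to check on a candidate binary is its DT_NEEDED list. The following script is an added example, not part of rats-tls or the PR mentioned in the thread: it reads the ELF section headers, walks the .dynamic section and reports whether any needed library name starts with `libssl.so`. It assumes 64-bit little-endian ELF files (the common x86_64 and aarch64 case) and uses only the Python standard library; the `build_sample_elf` helper constructs a minimal ELF image so the check can be exercised offline.

```python
import struct
import sys

ELFCLASS64, ELFDATA2LSB = 2, 1
SHT_STRTAB, SHT_DYNAMIC = 3, 6
DT_NULL, DT_NEEDED = 0, 1


def needed_libraries(data: bytes) -> list:
    """Return the DT_NEEDED names of a 64-bit little-endian ELF image (assumption: ELF64 LE only)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != ELFCLASS64 or data[5] != ELFDATA2LSB:
        raise ValueError("only ELF64 little-endian images are handled here")
    # e_shoff lives at offset 0x28; e_shentsize/e_shnum at 0x3A/0x3C
    e_shoff = struct.unpack_from("<Q", data, 0x28)[0]
    e_shentsize, e_shnum = struct.unpack_from("<HH", data, 0x3A)
    # Elf64_Shdr: name type flags addr offset size link info addralign entsize
    sections = [struct.unpack_from("<IIQQQQIIQQ", data, e_shoff + i * e_shentsize)
                for i in range(e_shnum)]
    needed = []
    for sh in sections:
        if sh[1] != SHT_DYNAMIC:
            continue
        strtab = sections[sh[6]]          # sh_link points at the .dynstr section
        str_off, dyn_off, dyn_size = strtab[4], sh[4], sh[5]
        for pos in range(dyn_off, dyn_off + dyn_size, 16):
            tag, val = struct.unpack_from("<qQ", data, pos)   # Elf64_Dyn
            if tag == DT_NULL:
                break
            if tag == DT_NEEDED:
                end = data.index(b"\0", str_off + val)
                needed.append(data[str_off + val:end].decode())
    return needed


def links_libssl(data: bytes) -> bool:
    """True if the image declares a runtime dependency on an OpenSSL libssl shared object."""
    return any(name.startswith("libssl.so") for name in needed_libraries(data))


def build_sample_elf(needed: list) -> bytes:
    """Constructed sample: a minimal ELF64 with only a .dynstr and a .dynamic section."""
    dynstr = b"\0" + b"".join(n.encode() + b"\0" for n in needed)
    dyn, off = b"", 1
    for n in needed:
        dyn += struct.pack("<qQ", DT_NEEDED, off)
        off += len(n) + 1
    dyn += struct.pack("<qQ", DT_NULL, 0)
    dynstr_off = 64
    dyn_off = (dynstr_off + len(dynstr) + 7) & ~7
    shoff = (dyn_off + len(dyn) + 7) & ~7
    ident = b"\x7fELF" + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + b"\0" * 8
    # e_type=ET_DYN, e_machine=x86_64, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    header = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 3, 1)

    def shdr(typ, offset, size, link, entsize):
        return struct.pack("<IIQQQQIIQQ", 0, typ, 0, 0, offset, size, link, 0, 1, entsize)

    image = bytearray(header) + dynstr
    image += b"\0" * (dyn_off - len(image)) + dyn
    image += b"\0" * (shoff - len(image))
    image += shdr(0, 0, 0, 0, 0)
    image += shdr(SHT_STRTAB, dynstr_off, len(dynstr), 0, 0)
    image += shdr(SHT_DYNAMIC, dyn_off, len(dyn), 1, 16)
    return bytes(image)


if __name__ == "__main__":
    # Usage: python check_libssl.py /path/to/binary
    with open(sys.argv[1], "rb") as f:
        blob = f.read()
    print("needed:", needed_libraries(blob))
    print("hookable via LD_PRELOAD on libssl.so:", links_libssl(blob))
```

A binary that links OpenSSL statically, or that uses another TLS library such as GnuTLS or a Java provider, shows no `libssl.so` entry here and is outside the scope of the hook; that is the case for a plain JDBC client, which is why the comment above suggests a TLS tunnel in front of it.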

jiazhang0 commented 5 months ago

@imlk0 Cool!