influxdata / telegraf

Agent for collecting, processing, aggregating, and writing metrics, logs, and other arbitrary data.
https://influxdata.com/telegraf
MIT License

[inputs.influxdb_listener] add support for Certificate Revocation Lists (CRL) #10496

Open andoks opened 2 years ago

andoks commented 2 years ago

Feature Request

When using telegraf as a secure reverse proxy for device communication with InfluxDB using mTLS, I would like to be able to revoke individual devices' access to the system by specifying a CRL to the plugin.

Proposal:

Make the influxdb_listener support a list of revoked certificates that are not allowed access, even though the certificates are signed by the specified CA certificate.

Current behavior:

AFAIK, to revoke access to a device, the CA certificate must be changed, and new certificates must be created for all the devices for which access should not be revoked.

Desired behavior:

By specifying a list of certificates that are denied access, it is not necessary to update all the devices that shall retain access with new certificates.

Use case:

If a device is decommissioned, stolen or compromised, its access can be revoked without having to update all the other devices with new certificates.

References:

https://community.influxdata.com/t/revoking-client-certificates-in-telegraf-influxdb-listener/22180

powersj commented 2 years ago

@andoks,

Thanks for the PR and links to the previous conversations. What do you see the config option in Telegraf looking like? A list of certs or something else?

Thanks

andoks commented 2 years ago

@powersj, this is only a feature-request so far, I have not worked on implementing the feature.

In my project the things we consider to be of importance are:

  1. possible to update the certificate revocation list (CRL) dynamically without changing the telegraf config file
  2. possible to update the list without having to restart telegraf
  3. that it is possible to remove entries from the revocation list (preferably without having to restart telegraf)
  4. that it is possible to add an entry to the revocation list with only the information that the client sends to telegraf when connecting (in case the client certificate is lost, and a client with a compromised certificate tries to connect, we can take some kind of fingerprint from the log entries and add the client to the certificate revocation list using only that fingerprint)
  5. that the revocation event is logged explicitly with context information (IP etc) for tracking purposes

I think there are standard formats for CRLs (like the ones mentioned here: https://www.edulib.com/keystores-manager/resources/doc/html/CERTivity/ch04s08.html that I found googling). Having a field in the config that specifies the location of this file, and telegraf parsing this file, could be one solution. An alternative could be to have a folder with the revoked certificates pointed to from the config, but that would require users to never lose any of the certificates they create, which is less practical IMO.
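
The checker below is an added example written for this thread, not code from Telegraf or from any of the commenters. It shows how the feature request and the five points above could be met in Go with the standard library only: a CRL file (the PEM that `openssl ca -gencrl` emits, or raw DER) that is parsed, checked against the CA's signature and swapped in without a restart (points 1 to 3), a per-handshake lookup by the serial number the client itself presents (point 4), and a `tls.Config.VerifyPeerCertificate` hook that turns a hit into a handshake error (point 5). The names `Checker`, `Reload`, `CheckLeaf`, `VerifyPeer`, `DemoCA` and `WriteCRL` are mine, and `DemoCA`/`WriteCRL` only generate a throwaway CA and CRL as constructed test data; none of this is a Telegraf configuration option.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"sync/atomic"
	"time"
)

// Checker holds the CA that must sign the CRL and a revoked-serial set that Reload swaps wholesale.
type Checker struct {
	CA      *x509.Certificate
	Path    string
	revoked atomic.Pointer[map[string]time.Time] // decimal serial -> revocation time
}

// Reload parses a PEM or DER CRL and rejects it unless the CA signed it and nextUpdate
// has not passed; on any error the previously loaded set stays in force.
func (c *Checker) Reload() error {
	raw, err := os.ReadFile(c.Path)
	if err != nil {
		return err
	}
	if b, _ := pem.Decode(raw); b != nil && b.Type == "X509 CRL" {
		raw = b.Bytes
	}
	crl, err := x509.ParseRevocationList(raw)
	if err != nil {
		return fmt.Errorf("parse CRL: %w", err)
	}
	if err := crl.CheckSignatureFrom(c.CA); err != nil {
		return fmt.Errorf("CRL not signed by the configured CA: %w", err)
	}
	if !crl.NextUpdate.IsZero() && time.Now().After(crl.NextUpdate) {
		return fmt.Errorf("CRL stale since %s", crl.NextUpdate.Format(time.RFC3339))
	}
	set := make(map[string]time.Time, len(crl.RevokedCertificates))
	for _, rc := range crl.RevokedCertificates { // Go 1.21+ also exposes RevokedCertificateEntries
		set[rc.SerialNumber.String()] = rc.RevocationTime
	}
	c.revoked.Store(&set) // a serial absent from the new file is un-revoked from here on
	return nil
}

// CheckLeaf looks up a chain-validated client cert by the serial it sent; fails closed with no CRL loaded.
func (c *Checker) CheckLeaf(leaf *x509.Certificate) error {
	m := c.revoked.Load()
	if m == nil {
		return fmt.Errorf("no CRL loaded, refusing client %q", leaf.Subject.CommonName)
	}
	if when, revoked := (*m)[leaf.SerialNumber.String()]; revoked {
		return fmt.Errorf("client certificate serial=%s cn=%q revoked at %s",
			leaf.SerialNumber, leaf.Subject.CommonName, when.Format(time.RFC3339))
	}
	return nil
}

// VerifyPeer is the tls.Config.VerifyPeerCertificate hook. crypto/tls calls it after the
// chain has been validated against ClientCAs, so the CRL lookup is the only check added.
func (c *Checker) VerifyPeer(_ [][]byte, chains [][]*x509.Certificate) error {
	if len(chains) == 0 || len(chains[0]) == 0 {
		return fmt.Errorf("no verified client chain")
	}
	return c.CheckLeaf(chains[0][0])
}

// DemoCA makes a throwaway self-signed CA for test data; CRLSign is required by CheckSignatureFrom.
func DemoCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "demo-ca"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	cert, err := x509.ParseCertificate(der) // a failed CreateCertificate surfaces here
	return cert, key, err
}

// WriteCRL signs a PEM CRL revoking exactly the given serials (test data); a shorter list later removes entries.
func WriteCRL(path string, ca *x509.Certificate, key *ecdsa.PrivateKey, serials ...int64) error {
	now := time.Now()
	crl := &x509.RevocationList{Number: big.NewInt(now.UnixNano()), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	for _, s := range serials {
		crl.RevokedCertificates = append(crl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: now})
	}
	der, err := x509.CreateRevocationList(rand.Reader, crl, ca, key)
	if err != nil {
		return err
	}
	return os.WriteFile(path, pem.EncodeToMemory(&pem.Block{Type: "X509 CRL", Bytes: der}), 0o600)
}
```

To wire it into a listener, give the server's `tls.Config` `ClientAuth: tls.RequireAndVerifyClientCert`, `ClientCAs` containing the same CA, and `VerifyPeerCertificate: checker.VerifyPeer`, then call `Reload` at startup and again from a SIGHUP handler or file watcher whenever the operator rewrites the CRL. A rejected handshake surfaces as `http: TLS handshake error from <remote addr>: <error>` in net/http's server log, so the serial, CN and peer address land in one line, and that serial is all an operator needs to add the device to the CRL. Two deliberate choices worth keeping in any real implementation: a CRL that fails the signature check or is past nextUpdate never replaces the loaded set, and a checker with no CRL loaded refuses every client instead of failing open.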

andoks commented 1 year ago

One alternative for some may be to use Caddy as a reverse_proxy, with client_auth to implement mTLS, and the tls.client_auth.revocation plugin to support CRLs.