Open mdavidsaver opened 10 months ago
I think this work has progressed far enough to be (somewhat) more widely testable. The unittest process creates a consistent set of TLS certificates which may be useful for some manual testing. Though I would not recommend them for anything beyond some basic exploration. Some knowledge of x509 certificates will be needed to go beyond the recipe shown below.
An example of running the ticker example server, and subscribing with pvxmonitor.
EPICS_PVA_TLS_KEYCHAIN=test/O.linux-x86_64/server1.p12 \
./example/O.linux-x86_64/ticker cnt
EPICS_PVA_TLS_KEYCHAIN=test/O.linux-x86_64/ca.p12 \
./bin/linux-x86_64-debug/pvxmonitor cnt
Verification is easier with an IOC.
cat <<EOF > tick.db
record(calc, "\$(P=)cnt") {
field(INPA, "\$(P=)cnt")
field(CALC, "A+1")
field(SCAN, "1 second")
}
EOF
EPICS_PVA_TLS_KEYCHAIN=test/O.linux-x86_64/server1.p12 \
./bin/linux-x86_64/softIocPVX -d tick.db
INFO: PVXS QSRV2 is loaded and ENABLED.
Starting iocInit
...
epics> dbl
cnt
epics> pvxsr 3
...
TLS Cert. subject:CN=server1 issuer:CN=intermediateCA from: Aug 17 17:00:23 2023 GMT until: Aug 14 17:00:24 2033 GMT
Peer[fe80::7816:e3ff:fe25:5208]%5:59152 backlog=0 TX=994 RX=120 auth=ca TLS
Cred: ca/mdavidsaver@[fe80::7816:e3ff:fe25:5208]%5:59152
cnt TX=927 RX=46 Executing ioid=268443648 MONITOR
epics>
On the client side, switching from ca.p12 to client1.p12 will use client certificate authentication. Then Cred: ca/mdavidsaver... becomes Cred: x509rootCA/client1...
...
TLS Cert. subject:CN=server1 issuer:CN=intermediateCA from: Aug 17 17:00:23 2023 GMT until: Aug 14 17:00:24 2033 GMT
Peer[fe80::7816:e3ff:fe25:5208]%5:40564 backlog=0 TX=1035 RX=86 auth=x509 TLS
Cred: x509rootCA/client1@[fe80::7816:e3ff:fe25:5208]%5:40564
Cert: subject:CN=client1 issuer:CN=intermediateCA from: Aug 17 17:00:24 2023 GMT until: Aug 14 17:00:25 2033 GMT
cnt TX=968 RX=46 Executing ioid=268443648 MONITOR
Update. @kasemir When built against what will become openssl 3.2.x, test/gen_test_certs.cpp will now produce .p12 files which work with java. (see #ifdef NID_oracle_jdk_trustedkeyusage) Note that this does not yet apply to files produced by openssl pkcs12 ...
:x: Build pvxs 1.0.925 failed (commit https://github.com/mdavidsaver/pvxs/commit/2dd4c3047b by @mdavidsaver)
:white_check_mark: Build pvxs 1.0.932 completed (commit https://github.com/mdavidsaver/pvxs/commit/17690ff5cf by @mdavidsaver)
Updated to add $EPICS_PVAS_TLS_OPTIONS / $EPICS_PVA_TLS_OPTIONS as a space separated list of key=value pairs. Currently supported are client_cert=optional (default) and client_cert=required. Where required causes a server to set SSL_VERIFY_FAIL_IF_NO_PEER_CERT so that the TLS handshake will fail unless a valid client cert is presented.
I have also added another make variable OPENSSL which should function like LIBEVENT to set an external/non-epics installation prefix path when these packages are outside of the default search paths. Also like LIBEVENT, OPENSSL should only be set during PVXS builds. The result is captured and written to cfg/TOOLCHAIN_PVXS.$(T_A) for use by dependent modules.
So if all goes well, the added dependency on libssl should not require changes to downstream Makefiles...
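The comment above describes three conventions: a keychain value of the form path;password, an option list of space separated key=value pairs, and client_cert=required mapping onto OpenSSL's "fail if no peer cert" verify flag. The following is an added illustration of those conventions, written for this page and not part of PVXS; it uses only the Python standard library, so the keychain is parsed but not loaded (the ssl module has no PKCS12 loader), and the function names parse_keychain, parse_tls_options, tls_options_error and server_context are the example's own. The fallback from EPICS_PVAS_TLS_OPTIONS to EPICS_PVA_TLS_OPTIONS is an assumption taken from the IOC recipe earlier in the thread, which sets the EPICS_PVA_ form for a server.

```python
# Added illustration, not PVXS code: model of the TLS knobs described in the
# PR thread using only the Python standard library.
import ssl

# Assumed mapping from the PR text: "optional" verifies a client cert only if
# one is presented; "required" also fails the handshake when none is, which is
# what SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT does in OpenSSL.
CLIENT_CERT_MODES = {
    "optional": ssl.CERT_OPTIONAL,
    "required": ssl.CERT_REQUIRED,
}


def parse_keychain(value):
    """Split an EPICS_PVA(S)_TLS_KEYCHAIN value into (path, password).

    The PR says the path "may optionally be followed by ; and a password";
    this splits at the first ';' (assumption: a ';' inside the path itself is
    not supported) and returns None when no password is given.
    Python's ssl module has no PKCS12 loader, so the file is not opened here.
    """
    path, sep, password = value.partition(";")
    if not path:
        raise ValueError("keychain path is empty")
    return path, (password if sep else None)


def parse_tls_options(value):
    """Parse EPICS_PVA(S)_TLS_OPTIONS, a space separated list of key=value.

    Returns a dict seeded with the PR's documented default
    (client_cert=optional). Malformed tokens, unknown keys and unknown
    client_cert values raise, so a typo such as "client_cert=requird"
    cannot silently leave the weaker default in place (this fail-closed
    choice is the example's, not documented PVXS behaviour).
    """
    opts = {"client_cert": "optional"}
    for token in value.split():
        key, sep, val = token.partition("=")
        if not (sep and key and val):
            raise ValueError(f"malformed TLS option {token!r}")
        if key != "client_cert":
            raise ValueError(f"unknown TLS option {key!r}")
        if val not in CLIENT_CERT_MODES:
            raise ValueError(f"client_cert must be optional or required, got {val!r}")
        opts[key] = val
    return opts


def tls_options_error(value):
    """Return the error message for a bad option string, or None if valid."""
    try:
        parse_tls_options(value)
    except ValueError as exc:
        return str(exc)
    return None


def server_context(env):
    """Build a server-side SSLContext from an environment-like dict.

    Only the verify mode and the key log are configured; the keychain is
    validated for its "path;password" form but, as noted above, not loaded.
    """
    keychain = env.get("EPICS_PVAS_TLS_KEYCHAIN", env.get("EPICS_PVA_TLS_KEYCHAIN"))
    if keychain is not None:
        parse_keychain(keychain)
    # Assumption: the server falls back to the EPICS_PVA_ variable when the
    # EPICS_PVAS_ one is unset, as the IOC recipe in the thread relies on.
    raw_opts = env.get("EPICS_PVAS_TLS_OPTIONS", env.get("EPICS_PVA_TLS_OPTIONS", ""))
    opts = parse_tls_options(raw_opts)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = CLIENT_CERT_MODES[opts["client_cert"]]
    # The ssl module exposes the SSLKEYLOGFILE convention as keylog_filename;
    # honouring the variable here mirrors the Wireshark use case in the PR.
    # Anything written there decrypts the session, so never set it in
    # production.
    keylog = env.get("SSLKEYLOGFILE")
    if keylog:
        ctx.keylog_filename = keylog
    return ctx
```

With client_cert=optional the context still requests and verifies a client certificate when one is offered, so a client presenting client1.p12 is authenticated either way; the difference is only that required rejects the handshake of a client that presents nothing.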
:white_check_mark: Build pvxs 1.0.940 completed (commit https://github.com/mdavidsaver/pvxs/commit/2ddbc86084 by @mdavidsaver)
:x: Build pvxs 1.0.1004 failed (commit https://github.com/mdavidsaver/pvxs/commit/d451688aef by @mdavidsaver)
Applying OpenSSL to PVXS.
Wire compatibility with existing (plain tcp) clients/servers is maintained. Likewise this PR is compatible with work by @kasemir adding TLS support to core.pva in the phoebus repository.
To maintain compatibility, when configured with a keychain file, client search requests include two "protocol" names: tcp and tls. Server listens on a second TCP port for TLS connections, prefers to respond with tls when both present.
Adds x509 AUTHZ method. Client advertises x509 when configured with a client certificate. Server prefers x509 to ca. If selected, uses client cert commonName as account name. eg. CN=foo appears to ACF logic as foo. (note, this really needs an extension to the ACF logic to account for different source of accounts)
TLS features/restrictions
- pva/1. (mandatory?)
New Configuration:
- $EPICS_PVAS_TLS_KEYCHAIN / $EPICS_PVA_TLS_KEYCHAIN: name of a PKCS12 file containing some combination of key, server/client certificate, and/or CA certificates. The file path may optionally be followed by ; and a password. eg. EPICS_PVAS_TLS_KEYCHAIN=/path/to/some.p12;secret
- $EPICS_PVAS_TLS_OPTIONS / $EPICS_PVA_TLS_OPTIONS: space separated list of key=value pairs. Currently supported are client_cert=optional and client_cert=required.
- $EPICS_PVAS_TLS_PORT / $EPICS_PVA_TLS_PORT: default port to listen for TLS connections
- $OPENSSL_CONF: Location of OpenSSL config file. Defaults to /usr/lib/ssl/openssl.cnf on Linux. Application name pvxs is used.
- $SSLKEYLOGFILE: If set, TLS session keys will be written here. eg. for use by wireshark. cf. https://github.com/mdavidsaver/cashark/pull/14 (may be disabled at build time with make PVXS_ENABLE_SSLKEYLOGFILE=NO ...)
Building:
- libevent must be built with optional openssl support (bundled build will detect).
- openssl is expected to be installed in the default search path. I have no plans to bundle openssl.
TODO:
- $EPICS_PVA_NAME_SERVERS w/ URI-ish pvas://1.2.3.4:5678.
- keytool (OpenSSL parser for PKCS12 is... limited)
- openssl pkcs12 or keytool. (although Java can't currently work with openssl created files)
- x509 AUTHZ method design: authority alongside method and account
Supersedes https://github.com/mdavidsaver/pvxs-dev/pull/2
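The description above lays out two preference rules (answer a search with tls when both tcp and tls are offered; pick the x509 AUTHZ method over ca when the client offers it) and one mapping (the client certificate's commonName becomes the account name). The following is an added illustration of those rules, written for this page and not PVXS code. The advertised-method dictionary and the CLIENT1_CERT sample are constructed for the example; the certificate layout follows what Python's ssl.SSLSocket.getpeercert() returns, so common_name() works unchanged on a real verified peer. Treating a subject with zero or several CNs as unusable, and falling back to the next method in that case, are the example's own choices.

```python
# Added illustration, not PVXS code: the protocol and AUTHZ preference rules
# described in the PR, with the account taken from the client cert's CN.
from collections import namedtuple

PROTOCOL_PREFERENCE = ("tls", "tcp")   # server answers tls when both offered
AUTHZ_PREFERENCE = ("x509", "ca")      # server prefers x509 to ca

Cred = namedtuple("Cred", "method account")

# Constructed sample in getpeercert() layout, matching the CN=client1 /
# issuer CN=intermediateCA certificate shown in the pvxsr output above.
CLIENT1_CERT = {
    "subject": ((("commonName", "client1"),),),
    "issuer": ((("commonName", "intermediateCA"),),),
}


def choose_protocol(advertised):
    """Pick the transport for a search reply from the client's protocol set."""
    for proto in PROTOCOL_PREFERENCE:
        if proto in advertised:
            return proto
    raise ValueError(f"no supported protocol in {sorted(advertised)!r}")


def common_name(peercert):
    """Extract the subject commonName from a getpeercert()-style dict.

    getpeercert() returns 'subject' as a tuple of RDNs, each a tuple of
    (type, value) pairs. A subject with no CN, or with more than one CN,
    yields None rather than a guess (the example's choice: the PR only says
    the commonName is used as the account name).
    """
    cns = [value
           for rdn in peercert.get("subject", ())
           for (attr, value) in rdn
           if attr == "commonName"]
    return cns[0] if len(cns) == 1 else None


def choose_authz(advertised, peercert):
    """Select the AUTHZ method and account for one connection.

    advertised: dict of method -> parameters the client offered, e.g.
      {"ca": {"user": "mdavidsaver"}, "x509": {}} (constructed model of the
      client's advertisement; the "user" key is the example's own name for
      the account the ca method carries).
    peercert: verified client certificate as a getpeercert()-style dict, or
      None when none was presented (plain tcp, or client_cert=optional with
      no client cert).
    Returns a Cred, or None when no advertised method is usable.
    """
    for method in AUTHZ_PREFERENCE:
        if method not in advertised:
            continue
        if method == "x509":
            cn = common_name(peercert) if peercert else None
            if cn is None:
                continue   # advertised but unusable: fall back to the next one
            return Cred("x509", cn)
        if method == "ca":
            user = advertised["ca"].get("user")
            if user:
                return Cred("ca", user)
    return None
```

Note what the "needs an extension to the ACF logic" remark in the description means in practice: a ca peer claiming user client1 and an x509 peer whose certificate says CN=client1 both arrive as the account string client1. Only the method (and, per the TODO, an authority) distinguishes a self-asserted name from a CA-certified one, so an ACF rule that keys on the account alone grants the same rights to both.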