nats-io / nats-server

High-Performance server for NATS.io, the cloud and edge native messaging system.
https://nats.io
Apache License 2.0

Include TLS client information in connz output #3317

Closed RedShift1 closed 2 years ago

RedShift1 commented 2 years ago

Feature Request

When clients connect via TLS with client side certificate validation, no information about the client is available in the HTTP monitoring endpoints. This is what the data looks like right now:

image

Use Case:

Better insight into NATS server activity and its client connections.

Proposed Change:

Add public key, fingerprints, serial, subject to connz endpoint when query parameter auth is truthy.

derekcollison commented 2 years ago

I like this idea, want to make sure @kozlovic and @philpennock approve as well from an idea/security standpoint.

kozlovic commented 2 years ago

What exactly should we then report? Exporting the whole tls.Conn.ConnectionState().PeerCertificates will be way too much content. Also note that this will be empty unless the server requires client certificate. We may need a complete list of what we would want to report...

RedShift1 commented 2 years ago

Certificate subject and fingerprints would be a good start I think. Subject is typically human readable to quickly identify a certificate, the fingerprint is the truly unique identifier that can be used for, for example, database lookups.

kozlovic commented 2 years ago

@RedShift1 @philpennock I am struggling to know what we would need to include as the new TLS details entry. I am assuming that we would report a subset of PeerCertificates slice, but from the godoc Certificate definition here: https://pkg.go.dev/crypto/x509#Certificate, what are the fields we would want exactly?

RedShift1 commented 2 years ago

> @RedShift1 @philpennock I am struggling to know what we would need to include as the new TLS details entry. I am assuming that we would report a subset of PeerCertificates slice, but from the godoc Certificate definition here: https://pkg.go.dev/crypto/x509#Certificate, what are the fields we would want exactly?

https://github.com/nats-io/nats-server/issues/3317#issuecomment-1202165750

kozlovic commented 2 years ago

@RedShift1 I saw your original comment, my point is that the "Subject" is actually a pkix.Name (see https://pkg.go.dev/crypto/x509/pkix#Name) and that seems a lot to return. As for the fingerprint, what would that be? A Google search found this post (https://blog.abhi.host/blog/2020/02/01/Get-certificate-fingerprint-in-golang/) that seems to indicate that it would be a md5.sum of the certificate's Raw byte slice, and then make it a hex representation. Is that what it would be?

RedShift1 commented 2 years ago

> @RedShift1 I saw your original comment, my point is that the "Subject" is actually a pkix.Name (see https://pkg.go.dev/crypto/x509/pkix#Name) and that seems a lot to return. As for the fingerprint, what would that be? A Google search found this post (https://blog.abhi.host/blog/2020/02/01/Get-certificate-fingerprint-in-golang/) that seems to indicate that it would be a md5.sum of the certificate's Raw byte slice, and then make it a hex representation. Is that what it would be?

Yes, the fingerprint (sometimes also called thumbprint) is the hash of the certificate. MD5 used to be common but nowadays sha256 is used, for example:

image

And the subject is typically presented as a string like CN=mydevice,OU=IT,C=FR.

RedShift1 commented 2 years ago

Thanks!