rucio / webui

RucioWebUI (v2.0)
Apache License 2.0

Auth: x509 on TLS 1.2 and TLS 1.3 is not supported by all browsers #424

Open maany opened 3 months ago

maany commented 3 months ago

Description

TLS 1.3 introduces a post-handshake auth workflow. Currently, Chrome does not support post-handshake auth, and switching the Apache of the Rucio Auth Server and Rucio WebUI to TLSv1.2 makes the x509 auth workflow function as expected on Chrome.

However, if we use TLSv1.2 servers with Firefox, the browser blocks the requests in light of weaker security.

We need to detect the HTTP-Agent on the WebUI and make requests to different x509 endpoints on the Rucio server, one which supports TLSv1.2 (Chrome, Safari) and another with support for TLSv1.3 (Firefox).

Steps to reproduce

No response

Rucio WebUI Version

35.0.0

Additional Information

No response

maany commented 2 weeks ago

@MytsV please add the relevant discussion around the issue and the research here.

maany commented 2 weeks ago

This issue will be resolved in conjunction with

https://github.com/rucio/containers/issues/352
https://github.com/rucio/rucio/issues/7148

MytsV commented 5 days ago

@MytsV please add the relevant discussion around the issue and the research here.

Testing has shown that modifying the TLS settings doesn't ensure proper authentication in both Chrome and Firefox. Thus, I tried modifying the Apache config (addressed in https://github.com/rucio/containers/issues/352) of the Rucio server to exclude client certificate verification. This has changed the source of the error and made it less cryptic.

Further research has shown that, by default, Firefox doesn't include credentials in preflight CORS requests. This can be modified through the network.cors_preflight.allow_client_cert setting, which is not a desired outcome.

The Fetch API provides a way to override the default behaviour of browsers regarding credentials in CORS requests. Setting credentials: include has made the requests fail with a similar error across all browsers.

The last error to overcome was related to the preflight response headers. The Access-Control-Allow-Headers header was set to *, which, when credentials are set to include, is treated as a literal character, not a wildcard (source). Hence https://github.com/rucio/rucio/issues/7148 addresses setting proper values for this header in the response.
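The two CORS rules described in this thread, as an added example that is not code from the Rucio WebUI or the Rucio server: the WebUI must opt in to credentials explicitly, and once it does, `*` in Access-Control-Allow-Headers is a literal header name, so the server's preflight response has to echo the concrete names instead. The origin and header allow-lists are assumed for illustration.

```javascript
// Added example, not code from the Rucio WebUI or Rucio server. It models the two
// CORS rules discussed in this thread: (1) the WebUI must send credentials
// explicitly, and (2) once credentials are included, "*" in
// Access-Control-Allow-Headers is a literal header name, so the server must echo
// the concrete header names instead. Origins and header names are assumed.

// Client side (browser): the request init the WebUI would pass to fetch().
// Without credentials: "include", the browser omits the client certificate.
function x509RequestInit(extraHeaders = {}) {
  return { method: "GET", credentials: "include", mode: "cors", headers: extraHeaders };
}

// Normalise a comma-separated header-name list into lowercase names.
function parseHeaderList(value) {
  return value.split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
}

// Browser-side decision modelled on the Fetch spec's CORS-preflight check:
// "*" covers the requested headers only for non-credentialed requests, and
// never covers Authorization. Returns true if the actual request may proceed.
function preflightAllowsHeaders(requested, allowHeadersValue, credentialsIncluded) {
  const allowed = parseHeaderList(allowHeadersValue);
  const wildcard = !credentialsIncluded && allowed.includes("*");
  return requested.every((name) => {
    const n = name.toLowerCase();
    if (allowed.includes(n)) return true;
    return wildcard && n !== "authorization";
  });
}

// Server side (assumed allow-lists): build preflight response headers that work
// with credentialed requests. Returns null for an origin that is not allowed.
const ALLOWED_ORIGINS = new Set(["https://webui.example.org"]);
const ALLOWED_HEADERS = new Set(["content-type", "authorization", "x-rucio-account"]);

function buildPreflightHeaders(origin, accessControlRequestHeaders) {
  if (!ALLOWED_ORIGINS.has(origin)) return null;
  const granted = parseHeaderList(accessControlRequestHeaders || "")
    .filter((h) => ALLOWED_HEADERS.has(h));
  return {
    "Access-Control-Allow-Origin": origin,              // a concrete origin, not "*"
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Headers": granted.join(", "), // concrete names, not "*"
    "Vary": "Origin",
  };
}
```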