vaticle / typedb-driver

TypeDB Drivers for Rust, Python, Java, Node.js, C, C++, and C#.
https://typedb.com
Apache License 2.0

Invalid root CA successfully connects to cluster #342

Open flyingsilverfin opened 3 years ago

flyingsilverfin commented 3 years ago

Description

We expect that, when using the wrong or an invalid root CA certificate to make an encrypted connection to the cluster, it can succeed.

Environment

  1. OS (where TypeDB server runs): Ubuntu
  2. TypeDB version (and platform): TypeDB cluster 2.1.2

Tested in the Factory cluster environment

Reproducible Steps

  1. Test that a correct certificate works: ./typedb console --cluster=typedb-cluster-0:1729 --username=admin --password --tls-enabled --tls-root-ca=<path to correct root ca>

confirm that

> database list

works

  2. Copy the certificate and replace its last line with all x's: ./typedb console --cluster=typedb-cluster-0:1729 --username=admin --password --tls-enabled --tls-root-ca=

confirm that

> database list

still works! When it should not...

Note that the way this was tested may end up with some gRPC magic that notices that a correct SSL certificate was used from the same origin before??
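The two mutations in the steps above (last line of the root CA overwritten with x's, and the file renamed away so the path no longer exists) are exactly the negative tests a TLS client should fail. The harness below is an added example, not code from the typedb-driver project: it writes a CA file, applies both mutations, runs a caller-supplied `connect(cafile_path)` against the original and each mutation, and reports which ones were rejected. `probe_root_ca_handling`, `stdlib_tls_client` and `PLACEHOLDER_CA` are names chosen here; the placeholder body is constructed PEM framing, not a real certificate, so the reference client rejects it too, and a reader runs the script against a real root CA path to see the baseline accepted. The reference client only checks that the file loads into a non-empty trust store; a syntactically valid but wrong CA (a different issuer) can only be caught by a real handshake, which the same harness covers when the driver's own connect function is passed in.

```python
"""Negative tests for root-CA handling in a TLS client.

Added example (not typedb-driver code). A correctly behaving client accepts
only the unmodified CA file and rejects every mutation below.
"""
import os
import ssl
import tempfile


def mutate_last_line_to_xs(pem_text: str) -> str:
    """Step 2 of the report: overwrite the last non-empty line with x's of the same length."""
    lines = pem_text.rstrip("\n").split("\n")
    lines[-1] = "x" * len(lines[-1])
    return "\n".join(lines) + "\n"


def stdlib_tls_client(cafile: str) -> ssl.SSLContext:
    """Reference client built on the standard library (an assumption, not a TypeDB driver).

    create_default_context raises if the file is missing or unparsable; we additionally
    refuse to proceed when the resulting trust store holds no CA certificate, so a
    silently empty store can never be mistaken for a configured one.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if ctx.cert_store_stats()["x509_ca"] == 0:
        raise ssl.SSLError("no CA certificate loaded from %s" % cafile)
    return ctx


def probe_root_ca_handling(ca_pem: str, connect=stdlib_tls_client) -> dict:
    """Run connect() against the original CA, the x'd CA and a renamed-away path.

    Returns {case: "accepted" | "rejected:<ExceptionName>"}.
    """
    results = {}
    with tempfile.TemporaryDirectory() as workdir:
        original = os.path.join(workdir, "root-ca.pem")
        with open(original, "w") as f:
            f.write(ca_pem)
        xs = os.path.join(workdir, "root-ca-xs.pem")
        with open(xs, "w") as f:
            f.write(mutate_last_line_to_xs(ca_pem))
        # Never created: simulates the CA file having been renamed away.
        renamed = os.path.join(workdir, "root-ca-renamed.pem")
        for case, path in (("original", original), ("last_line_xs", xs), ("renamed", renamed)):
            try:
                connect(path)
                results[case] = "accepted"
            except Exception as exc:  # noqa: BLE001 - any failure counts as a rejection
                results[case] = "rejected:" + type(exc).__name__
    return results


def client_fails_closed(results: dict) -> bool:
    """True when every mutated CA was rejected; the baseline verdict is reported separately."""
    return all(v.startswith("rejected") for k, v in results.items() if k != "original")


# Constructed placeholder: PEM framing around a dummy body. NOT a real certificate.
PLACEHOLDER_CA = (
    "-----BEGIN CERTIFICATE-----\n"
    + "\n".join(["A" * 64] * 3)
    + "\n-----END CERTIFICATE-----\n"
)


if __name__ == "__main__":
    import sys

    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else PLACEHOLDER_CA
    verdicts = probe_root_ca_handling(pem)
    for case, verdict in verdicts.items():
        print(f"{case:14s} {verdict}")
    print("fails closed:", client_fails_closed(verdicts))
```

Run it as `python probe_ca.py /path/to/real-root-ca.pem` with the reference client to see the expected shape (original accepted, both mutations rejected), then swap `connect` for a function that opens a real driver or console connection; a client showing the bug in this issue would report `accepted` for `last_line_xs` and `renamed`.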

lolski commented 2 years ago

The handling of the CA is entirely up to gRPC, since the only thing we do is pass the file path down to the gRPC server.

It looks suspicious indeed that a modified root CA can still be used, so it's likely a bug. However, I want to read up a bit on it before making an issue on their side.

alexjpwalker commented 1 year ago

Still occurs with latest Console, Cluster.

Can also be reproduced by simply renaming the root CA file.