Re: [libvirt-users] certificate pinning
Re-adding the libvirt-users list - please don't take discussions off-list. On Mon, Dec 10, 2018 at 01:10:18PM +0300, Anastasiya Ruzhanskaya wrote:
I already found out how to set up all the certificates and tls works fine for me. What if I want to put a proxy between client and server in libvirt? He has his own CA, and this is only one more CA I would like libvirt to trust to. Is it somehow achievable? I see that libvirt takes certificates only from predefined paths. For me doesn't work if I just incert another CA certificate to the cacert.pem file. Do you know any approaches how it can be made in another way?
The cacert.pem file can contain multiple certificates, just concatenate all the CA pem files.
пн, 10 дек. 2018 г. в 12:38, Daniel P. Berrangé <berrange@redhat.com>:
Hello! Does libvirt uses certificate pinning in tls? I want to setup a
On Sat, Dec 08, 2018 at 11:19:40AM +0300, Anastasiya Ruzhanskaya wrote: transparent
proxy (mitmproxy) and can't do this even after I added mitmproxy ca certificate to the trusted certificates in ubuntu.
Libvirt doesn't ever use the global certificates stores, because public CAs are not relevant to libvirt deployments - indeed trusting the global cert store in the OS would lower security by opening it upto arbitrary CAs. See this doc for where libvirt finds CA certs
https://libvirt.org/remote.html#Remote_certificates
Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
And how libvirt checks that it trusts the CA? Just simply inspects the cacert.pem file? Or it has some information inside about by which CA were signed client and server certificates and then compares against stored values? I mean can I just concatenate after signing or I need to combine two CAs before generating libvirt's client and server certificates? пн, 10 дек. 2018 г. в 13:11, Daniel P. Berrangé <berrange@redhat.com>:
Re-adding the libvirt-users list - please don't take discussions off-list.
On Mon, Dec 10, 2018 at 01:10:18PM +0300, Anastasiya Ruzhanskaya wrote:
I already found out how to set up all the certificates and tls works fine for me. What if I want to put a proxy between client and server in libvirt? He has his own CA, and this is only one more CA I would like libvirt to trust to. Is it somehow achievable? I see that libvirt takes certificates only from predefined paths. For me doesn't work if I just incert another CA certificate to the cacert.pem file. Do you know any approaches how it can be made in another way?
The cacert.pem file can contain multiple certificates, just concatenate all the CA pem files.
пн, 10 дек. 2018 г. в 12:38, Daniel P. Berrangé <berrange@redhat.com>:
Hello! Does libvirt uses certificate pinning in tls? I want to setup a
On Sat, Dec 08, 2018 at 11:19:40AM +0300, Anastasiya Ruzhanskaya wrote: transparent
proxy (mitmproxy) and can't do this even after I added mitmproxy ca certificate to the trusted certificates in ubuntu.
Libvirt doesn't ever use the global certificates stores, because public CAs are not relevant to libvirt deployments - indeed trusting the
global
cert store in the OS would lower security by opening it upto arbitrary CAs. See this doc for where libvirt finds CA certs
https://libvirt.org/remote.html#Remote_certificates
Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
On Mon, Dec 10, 2018 at 01:22:32PM +0300, Anastasiya Ruzhanskaya wrote:
And how libvirt checks that it trusts the CA? Just simply inspects the cacert.pem file? Or it has some information inside about by which CA were signed client and server certificates and then compares against stored values? I mean can I just concatenate after signing or I need to combine two CAs before generating libvirt's client and server certificates?
Libvirt will check that the server's certificate is signed by any one of the CAs listed. Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
Ok, thank you. I will play around with it. I also noticed, that libvirt does not use this SNI extension. Actually,this not needed here, as we have only one location for server certificate, but this requires some modifications in mitmproxy, as for example tls in web browsers always include this SNI extensions. Are there maybe other big differences in tls implementation in libvirt or maybe some assumptions that are taken during tls handhake process? пн, 10 дек. 2018 г. в 13:25, Daniel P. Berrangé <berrange@redhat.com>:
On Mon, Dec 10, 2018 at 01:22:32PM +0300, Anastasiya Ruzhanskaya wrote:
And how libvirt checks that it trusts the CA? Just simply inspects the cacert.pem file? Or it has some information inside about by which CA were signed client and server certificates and then compares against stored values? I mean can I just concatenate after signing or I need to combine two CAs before generating libvirt's client and server certificates?
Libvirt will check that the server's certificate is signed by any one of the CAs listed.
Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
On Mon, Dec 10, 2018 at 01:36:37PM +0300, Anastasiya Ruzhanskaya wrote:
Ok, thank you. I will play around with it.
I also noticed, that libvirt does not use this SNI extension. Actually,this not needed here, as we have only one location for server certificate, but this requires some modifications in mitmproxy, as for example tls in web browsers always include this SNI extensions.
SNI is not relevant to libvirt as it does not use HTTP / virtual hosting. It is a completely custom binary protocol
Are there maybe other big differences in tls implementation in libvirt or maybe some assumptions that are taken during tls handhake process?
Libvirt just uses gnutls which is a standard impl. Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
participants (2)
-
Anastasiya Ruzhanskaya -
Daniel P. Berrangé