API: Update the ssl context after each accepting incoming connection

[yhabteab]

resolves #8501

[Al2Klimov]

1. Call GetCrlPath() only once at all
2. Call Utility::GetFileCreationTime() at most once per accept.
3. If you just start Icinga 2 with an empty CRL configured, don't touch the CRL after start and establish your first connection, will Icinga 2 update the context?

[yhabteab]

If you just start Icinga 2 with an empty CRL configured, don't touch the CRL after start and establish your first connection, will Icinga 2 update the context?

So, if I don't configure the CRL path in api.cnf at all, no context update is performed. But if I configure that and the CRL does not contain any revoked certificates at all, the context is updated only once before connecting to an endpoint.

[Al2Klimov]

Only once? Where?

[yhabteab]

Only once? Where?

Well here!

[Al2Klimov]

... and here:

icinga2/lib/remote/apilistener.cpp

Line 179 in 9b6326c

UpdateSSLContext();

Do you consider your additional update neccessary?

[yhabteab]

No, but I can't prevent it either!

[Al2Klimov]

You're writing this new code. Of course you can prevent it.

[Al2Klimov]

You've just addressed incoming connections here. What about outgoing ones?

[yhabteab]

If the incoming connection has been checked and successfully validated at the master, why do I have to add an additional check for the outgoing one. We only need to update the master and not the ones connected to it, because this has no effect at all if the master doesn't notice anything.

[Al2Klimov]

Also address outgoing connections.

[Al2Klimov]

I don't see any actual changes.

[yhabteab]

Also address outgoing connections.

Master and agent disabled and I have revoked the certificates from the agent. After that I started both and master noticed that the crt is revoked. Agent turned off and undo crt revokation, agent started again, crt validation was successful and no error messages for revoked crts.

[Al2Klimov]

Fine. Undo the commit message change.

[yhabteab]

Do you know why the Github actions fail?

[Al2Klimov]

Figure it out.

[Al2Klimov]

Write a test protocol.

[yhabteab]

Testprotocol:

Before: See #8501

After:

Revoke the certificate while the master and the agent are stopped and then start them both.

Master Log:

[2020-12-07 12:30:11 +0100] information/ApiListener: New client connection for identity 'ha-cluster' from [::1]:49781 (certificate validation failed: code 23: certificate revoked)
[2020-12-07 12:30:11 +0100] information/JsonRpcConnection: Received certificate request for CN 'ha-cluster' signed by our CA.
[2020-12-07 12:30:11 +0100] information/JsonRpcConnection: The certificate for CN 'ha-cluster' is valid and uptodate. Skipping automated renewal.

And now update the CRL in my case, I will undo the crt revocation.

[2020-12-07 12:35:21 +0100] warning/JsonRpcConnection: API client disconnected for identity 'ha-cluster'
[2020-12-07 12:35:31 +0100] information/ApiListener: New client connection for identity 'ha-cluster' from [::1]:49823
[2020-12-07 12:35:31 +0100] information/ApiListener: Sending config updates for endpoint 'ha-cluster' in zone 'ha-cluster'.

[julianbrost]

Can you please test what happens in the following scenarios:

• Removing the CRL file completely
• Invalid CRL file (truncated file for example)

[yhabteab]

• Removing the CRL file completely

[2020-12-07 12:56:28 +0100] critical/SSL: Error loading crl file '~/var/lib/icinga2/ca/ha-master.crl': 33558530, "error:02001002:system library:fopen:No such file or directory"
[2020-12-07 12:56:28 +0100] critical/config: Error: Cannot add certificate revocation list to SSL context for crl path: '~/var/lib/icinga2/ca/ha-master.crl'.

• Invalid CRL file (truncated file for example)

[2020-12-07 13:01:15 +0100] critical/SSL: Error loading crl file '~/var/lib/icinga2/ca/ha-master.crl': 218529960, "error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag"
[2020-12-07 13:01:15 +0100] critical/config: Error: Cannot add certificate revocation list to SSL context for crl path: '~/var/lib/icinga2/ca/ha-master.crl'.

[julianbrost]

What is the general behavior in this case? Will Icinga terminate? If not, will if accept new connections? If it does, are these verified against the old CRL?

[yhabteab]

So, if you enter CRL path, which does not exist at all, or the CRL file is invalid Icinga2 will terminate while compiling the api.conf file with this error message.

[julianbrost]

Please use git rebase to reorder your commits. Currently the first commit already uses GetFileCreationTime which is only introduced in the second one.

[julianbrost]

So as this generates a whole new context, this implicitly also reloads certificates and private keys, but only when a CRL exists and is changed. I think this is fine, as nothing bad should happen there unless someone manually messes around with stuff.