-
Notifications
You must be signed in to change notification settings - Fork 492
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Address SNI binding and bypass for TLS listeners #72
Comments
Also RFC 6066, which strongly suggests that the HTTP host should be bound to the SNI name.
|
How do the major proxy implementations handle this? |
Contour intends to stop this from happening, but in practice it's very easy to do it accidentally, via implementation details. There are some use cases to do this (basically, allowing Domain fronting and similar use cases), but I think that they are specialised enough that we should default to not supporting that and figure it out later. The key thing here is that, if we include the possibility of client certificates as part of the TLS config, SNI/HTTP Host mismatch is a big security risk. If you allow the TLS negotation to succeed for host foo, including the client certificate exchange, and that exchange is being used for authentication, then allowing the inner HTTP transaction to go to a different host completely bypasses it. The use case here is that I'm using a Gateway for In this case, requests with an SNI of I would argue this is very unexpected behaviour that creates a big problem for a user that they may not realise is a problem. I think this problem is dependent on how we set up the constructs. As @jpeach said earlier, there needs to be a tight binding between TLS certificate config and the allowed hostnames associated with that certificate, for HTTP Routes. If we're talking about TCP with SNI routing only, then there is no Host, and thus this problem is not visible at this layer. (The service forwarded to may have it, but that is not our responsibility). |
It's not clear why this is not an artifact of the a specific implementation as opposed to something that surfaces at the API layer. Can you sketch what the Kubernetes API validation would look like that would prevent this? As an aside, it seems like in for the |
The first thing that we need in the issue is agreement that binding the HTTP Host/Authority to the certificate is the correct behavior. My contention that this is the case is supported by RFC 6066 and RFC 2818 Now, as to the API implications of this, I think that the first step is for the API to be able express the relationship between a virtual host and its TLS configuration. Once we can do this, then controller implementation has been told the users intention, and can do a lot more to ensure the correct results. |
Example: every certificate comes with the set of hostnames that SHOULD be used |
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
/remove-lifecycle stale |
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
/remove-lifecycle stale |
@jpeach Do we still need to do anything here or did the Gateway restructuring help? If so, what would we need for v1alpha1? |
Consensus seems to be we need to add some documentation here. |
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-contributor-experience at kubernetes/community. |
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-contributor-experience at kubernetes/community. |
/remove-lifecycle rotten |
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-contributor-experience at kubernetes/community. |
@jpeach @youngnick It seems that we have consensus here and we need to add documentation. Since both of you have the most context here, do either of you mind taking this up and drive it to completion? |
I can take this one. /assign |
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten |
/lifecycle frozen |
@robscott @youngnick While this is a clarification, can this be considered a borderline breaking change by any chance? |
I agree that we should sort this out in v1a2, since it could be a breaking change. I'll add it to the milestone to make sure we don't miss it. |
/assign @youngnick |
Updating this with a bit more context. I'm going to quote from Contour's docs here, since @jpeach wrote this very precisely:
If we don't enforce a very tight binding between the SNI hostname and the HTTP hostname, then it's possible to trivially circumvent any certificate-based authentication at least in Envoy's implementation, like this:
Now, there are legitimate uses for this kind of domain fronting, mainly around caching and content distribution, but those uses are pretty niche. In almost all cases, if you are specifying a terminated TLS session via a HTTPRoute, those hostnames should match (in the domain-name match sense we already have defined in the spec). So, by mandating this, we remove some weird security things, and make the API behave more like people would expect. I think this comes under the heading of removing weird edge cases that most people won't want until someone actually asks for them. |
What would you like to be added:
In the current API, certificates are a property of the Listener and Routes are a property of the Gateway. Since there is no direct relationship between the certificates and the backend service (i.e. the Route), this structure encourages the separation of SNI routing from HTTP request routing. This can lead to a number of different security issues.
Why is this needed:
Operators need the ability to pin the set of certificates to be used for a specific backend service. That is, for a TLS session bound to SNI name
foo.example.com
, always forward HTTP requests to the backend session that is bound to thefoo.example.com
host name.For a more thorough discussion of SNI bypass, see https://hal.inria.fr/hal-01202712/document
xref #49
The text was updated successfully, but these errors were encountered: