Skip to content

TSL support #584

New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom
Merged
merged 7 commits into from
May 16, 2024
Merged

TSL support #584

merged 7 commits into from
May 16, 2024

Conversation

josecelano
Copy link
Member

@josecelano josecelano commented May 15, 2024
edited
Loading

TSL support. Allow using HTTPs providing the cert and cert key.

TOML

[net]
port = 3001

[net.tsl]
ssl_cert_path = "./storage/index/lib/tls/localhost.crt"
ssl_key_path = "./storage/index/lib/tls/localhost.key"

JSON

{
  "net": {
    "port": 3001,
    "tsl": {
      "ssl_cert_path": "./storage/index/lib/tls/localhost.crt",
      "ssl_key_path": "./storage/index/lib/tls/localhost.key"
    }
  }
}

The TSL configuration is optional, but if you have that toml table ([net.tsl]), it must contain the fields. This is an invalid configuration:

[net.tsl]
ssl_cert_path = ""
ssl_key_path = ""

See torrust/torrust-tracker#853.

Subtasks

  • Migrate to axum-server.
  • Add a wrapper to axum-server with timeouts.
  • Add TSL values to the configuration.
  • Start with TSL support when enabled in the configuration.

josecelano added 2 commits May 15, 2024 16:21
@josecelano
chore: format Cargo.toml
bcebcab
@josecelano
chore(deps): [torrust#426] add cargo dependencies to use a custom axu…
b948573 
…m server with timeouts

Two levels of wrappers for the Axum server:

Custom (with timeouts) -> axum-server -> axum
@josecelano josecelano self-assigned this May 15, 2024
@josecelano josecelano linked an issue May 15, 2024 that may be closed by this pull request
TLS support #426
Closed
@josecelano josecelano requested a review from da2ce7 May 15, 2024 15:55
@josecelano
feat: use custom axum-server wrapper with timeouts
e29eb01 
- Use axum-server isntead of directly the axum crate (like in the
  tracker).
- Add wrapper to axum-server to enable timeouts.
josecelano added 3 commits May 15, 2024 17:52
@josecelano
chore(deps): add cargo dependencies to parse TSL config
5d82968
@josecelano
feat: [torrust#426] add TSL info to the [net] section in the config t…
969ffff 
…oml file

```toml
[net]
port = 3001

[net.tsl]
ssl_cert_path = "./storage/index/lib/tls/localhost.crt"
ssl_key_path = "./storage/index/lib/tls/localhost.key"
```

```json
{
  "net": {
    "port": 3001,
    "tsl": {
      "ssl_cert_path": "./storage/index/lib/tls/localhost.crt",
      "ssl_key_path": "./storage/index/lib/tls/localhost.key"
    }
  }
}
```

The TSL configuration is optional, but if you have that table (dict), it must contain the fields. This is an invalid configuration:

```
[net.tsl]
ssl_cert_path = ""
ssl_key_path = ""
```

See torrust/torrust-tracker#853.
@josecelano
feat: [torrust#426] add TSL support
284d235 
You can provide a certificate and certificate key files to run the API
with HTTPs.
@josecelano
Copy link
Member Author

I can run the API with a self-signed certificate as described in:

cargo run
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 0.09s
     Running `target/debug/torrust-index`
Loading default configuration file: `./share/default/config/index.development.sqlite3.toml` ...
2024-05-15T18:38:14.092322751+01:00 [torrust_index::bootstrap::logging][INFO] logging initialized.
2024-05-15T18:38:14.114368143+01:00 [torrust_index::web::api::server][INFO] Using https. Cert path: ./storage/index/lib/tls/localhost.crt.
2024-05-15T18:38:14.114382073+01:00 [torrust_index::web::api::server][INFO] Using https. Key path: ./storage/index/lib/tls/localhost.key.

However, I can't load any page.

With curl:

*   Trying 127.0.0.1:3001...
* Connected to localhost (127.0.0.1) port 3001 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* OpenSSL/3.0.8: error:0A00010B:SSL routines::wrong version number
* Closing connection 0
curl: (35) OpenSSL/3.0.8: error:0A00010B:SSL routines::wrong version number

With Firefox:

image

I've tried with these files:

  • ssl_cert_path = "./storage/index/lib/tls/localhost.crt
  • ssl_key_path = "./storage/index/lib/tls/localhost.key"

Generated with:

openssl req -x509 -out localhost.crt -keyout localhost.key \
  -newkey rsa:2048 -nodes -sha256 \
  -subj '/CN=localhost' -extensions EXT -config <( \
   printf "[dn]\nCN=localhost\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:localhost\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth")

And also with certificates from https://github.com/programatik29/axum-server/tree/master/examples/self-signed-certs:

  • ssl_cert_path = "./storage/index/lib/tls/cert.pem"
  • ssl_key_path = "./storage/index/lib/tls/key.pem"

This is an example from axum-server:

https://github.com/programatik29/axum-server/blob/master/examples/from_std_listener_rustls.rs

I think I'm doing the same.

@da2ce7 any idea?

@josecelano josecelano mentioned this pull request May 15, 2024
Closed
@josecelano josecelano marked this pull request as ready for review May 15, 2024 18:17
@josecelano josecelano marked this pull request as draft May 15, 2024 18:18
@josecelano
Copy link
Member Author

I made it work by commenting on the TimeoutAcceptor. It's a custom acceptor that introduces timeouts for the first client request after opening the HTTP connection.

    match tls {
        Some(tls) => custom_axum::from_tcp_rustls_with_timeouts(socket, tls)
            .handle(handle)
            //.acceptor(TimeoutAcceptor)
            .serve(router.into_make_service_with_connect_info::<std::net::SocketAddr>())
            .await
            .expect("API server should be running"),
        None => custom_axum::from_tcp_with_timeouts(socket)
            .handle(handle)
            .acceptor(TimeoutAcceptor)
            .serve(router.into_make_service_with_connect_info::<std::net::SocketAddr>())
            .await
            .expect("API server should be running"),
    };

I added this TimeAcceptor to the Tracker, but I did not check that the TSL worked fine. I have to open an issue there to check it. I will probably not work. I'm going to remove that TimeoutAcceptor for HTTPs in order to merge this PR and I will open a new issue to fix that problem. We probably need to fix that TimeoutAcceptor to make it work with TSL.

@josecelano josecelano mentioned this pull request May 16, 2024
Open
@josecelano josecelano marked this pull request as ready for review May 16, 2024 15:28
@josecelano
Copy link
Member Author

ACK 5d9e068

This was referenced May 16, 2024
Open
Open
@josecelano josecelano added this to the v3.0.0 milestone May 16, 2024
@josecelano
feat: [torrust#426] disable TimeoutAccceptor when TSL is enabled
1afe234 
TSL does work with the TimeoutAccetor.

How to enabled TSL for development with:

```
[net]
port = 3001

[net.tsl]
ssl_cert_path = "./storage/index/lib/tls/localhost.crt"
ssl_key_path = "./storage/index/lib/tls/localhost.key"
```

You can fin the certificates in `./share/tsl`.

This means there is no timeout for the first client request when you use
TSL. The way to test tiemouts is:

1. Open a connection using telnet: `telnet 127.0.0.1 3001`
2. Wait 5 seconds.

The connection should be closed after 5 seconds. That's what the
TimeoutAcceptor does. Without the TimeoutAcceptor the connection will
remain open until the client closes it.
@josecelano josecelano mentioned this pull request May 16, 2024
Closed
@josecelano josecelano merged commit b2d864a into torrust:develop May 16, 2024
12 of 13 checks passed
# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers

@da2ce7 da2ce7 Awaiting requested review from da2ce7

Assignees

@josecelano josecelano

Labels
Enhancement / Feature Request Something New
Projects
None yet
Milestone
v3.0.0
Development

Successfully merging this pull request may close these issues.

TLS support
1 participant
@josecelano