Default Value of fail_if_no_peer_cert #13253

Open
tigercl opened this issue Jun 14, 2024 · 10 comments
tigercl (Contributor) commented Jun 14, 2024

What happened?

Now when I enable "Verify Peer" for an SSL listener, the default value of "Force Verify Peer Certificate" (fail_if_no_peer_cert) will be false.

Since this is not a common option, users may not change it. But it may have some security risks: when set to false, even if the user has enabled two-way authentication, the client can still connect successfully without providing a certificate.

This means that attackers may be able to easily access the user's server, because when enabling two-way authentication, users usually no longer enable password-based authentication.

What did you expect to happen?

I hope EMQX can change the default value of fail_if_no_peer_cert to True, so that users can explicitly change it to False when needed.

How can we reproduce it (as minimally and precisely as possible)?

No response

Anything else we need to know?

No response

EMQX version

EMQX 5.7

OS version

macOS 13

Log files

tigercl added the BUG label Jun 14, 2024

zmstone (Member) commented Jun 14, 2024

@ysfscream this is more of a frontend enhancement?

id (Collaborator) commented Jun 14, 2024

Why do we even have this option? Is there a scenario when a user may want to allow plain tcp connection on SSL port?

tigercl (Contributor, Author) commented Jun 14, 2024

@zmstone I don't think so, the default value of this option in the configuration file is also false.

zmstone (Member) commented Jun 14, 2024

> Why do we even have this option? Is there a scenario when a user may want to allow plain tcp connection on SSL port?

Good point.

zmstone (Member) commented Jun 14, 2024

> @zmstone I don't think so, the default value of this option in the configuration file is also false.

We can change the default value from the backend, but the frontend is an independent implementation.

zmstone (Member) commented Jun 14, 2024

Here is my proposal.
In 5.8, we will only expose the "verify peer" option in the config and in the dashboard, and always force the client to send a certificate when "verify_peer" is set.
For backward compatibility, we will hide fail_if_no_peer_cert from the backend schema.

tigercl (Contributor, Author) commented Jun 14, 2024

@id When fail_if_no_peer_cert is false, the client still establishes a TLS connection to the server, it just won't be asked for a client certificate.

The only scenario I can think of is that all the user's clients access from the same TLS port, some of them provide client certificates for two-way authentication, and these clients will skip the password authentication of EMQX. The other part does not provide client certificates; after establishing a TLS connection, they must pass password authentication to actually access EMQX.

However, I think only HTTP authentication currently supports this process.

tigercl (Contributor, Author) commented Jun 14, 2024

> Here is my proposal. In 5.8, we will only expose "verify peer" option in config and in dashboard, always force client to send certificate when "verify_peer". For backward compatibility, we will hide fail_if_no_peer_cert from backend schema.

emmm What happens to listeners that had fail_if_no_peer_cert set to false?

zmstone (Member) commented Jun 14, 2024

> > Here is my proposal. In 5.8, we will only expose "verify peer" option in config and in dashboard, always force client to send certificate when "verify_peer". For backward compatibility, we will hide fail_if_no_peer_cert from backend schema.
>
> emmm What happens to listeners that had fail_if_no_peer_cert set to false?

It will be discarded.

qzhuyan (Contributor) commented Jun 17, 2024

> Why do we even have this option? Is there a scenario when a user may want to allow plain tcp connection on SSL port?

Peer sending its cert is sometimes optional for a TLS client (not limited to MQTT).
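
An added example, not part of the thread or of EMQX's code: a small audit that flags listeners where "verify peer" is enabled but fail_if_no_peer_cert is false or unset, the case the opening post describes. It assumes the listener configuration is available as nested JSON (type, then name, then settings with an `ssl_options` object) and that an absent `verify` key means `verify_none`; the sample data and function names are constructed for illustration.

```python
import json

# Constructed sample (not from the issue): listeners as type -> name -> settings,
# e.g. an EMQX configuration converted from HOCON to JSON.
SAMPLE = json.loads("""
{
  "tcp": {"default": {"bind": "0.0.0.0:1883"}},
  "ssl": {
    "default": {"bind": "0.0.0.0:8883", "ssl_options": {"verify": "verify_peer"}},
    "strict":  {"bind": "0.0.0.0:8884",
                "ssl_options": {"verify": "verify_peer", "fail_if_no_peer_cert": true}},
    "legacy":  {"bind": "0.0.0.0:8885",
                "ssl_options": {"verify": "verify_peer", "fail_if_no_peer_cert": "false"}},
    "oneway":  {"bind": "0.0.0.0:8886", "ssl_options": {"verify": "verify_none"}}
  }
}
""")

def _as_bool(value, default):
    """Accept JSON booleans and the strings 'true'/'false'; None means unset."""
    if value is None:
        return default
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return bool(value)

def classify(ssl_options):
    """Classify how a TLS listener treats a client that sends no certificate."""
    verify = ssl_options.get("verify", "verify_none")  # assumed default
    if verify != "verify_peer":
        return "no-client-cert-check"
    # Per the issue, fail_if_no_peer_cert defaults to false in EMQX 5.7.
    if _as_bool(ssl_options.get("fail_if_no_peer_cert"), default=False):
        return "cert-required"
    return "cert-optional"

def audit(listeners):
    """Map 'type:name' to a classification for every listener with ssl_options."""
    report = {}
    for ltype, named in listeners.items():
        for name, conf in named.items():
            opts = conf.get("ssl_options")
            if opts is not None:  # plain TCP/WS listeners are skipped
                report[f"{ltype}:{name}"] = classify(opts)
    return report

def bypassable(listeners):
    """Listeners that verify certificates but still admit clients without one."""
    return sorted(k for k, v in audit(listeners).items() if v == "cert-optional")

if __name__ == "__main__":
    for listener_id, status in audit(SAMPLE).items():
        print(listener_id, status)
```
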
