smallstep / hello-mtls Goto Github PK

:wave: Docs demonstrating mutual TLS configurations in various technologies

License: Apache License 2.0

JavaScript 95.65% Shell 4.35%

mtls certificate documentation postgres ngnix golang node-js

hello-mtls's Introduction

Hello mTLS

This package contains documentation on how to configure a broad array of technologies to perform mutual TLS. It is part of the Hello mTLS project, designed to raise developer awareness about public key infrastructure as a potential solution to common security problems.

If you notice any outdated, missing, or errant docs, pull requests are strongly encouraged!

Contributing

Documentation for each technology lives in its corresponding directory in the docs/ folder.

To get rolling on local development, clone this repository and start the local dev server:

$ yarn install
$ yarn start

You will be able to preview all changes at http://localhost:3000.

Adding new technologies

If you are adding a new technology, your best bet is to refer to existing configurations in this repository, but here is a high-level breakdown of each directory's contents.

config.yaml

This file configures basic information like the technology name and external links to documentation.

logo.png

This is a 256 x 256px transparent PNG of the technology's logo. If missing, a standard placeholder will be used.

topics/

Several optional markdown files provide prose describing how to perform different aspects of mTLS using the technology:

server_auth.md — Server TLS authentication
client_auth.md — Client TLS authentication
client.md — Client requests using TLS
renewal.md — TLS cetificate renewal

Properties with corresponding names in the topics object in config.yaml also accept a links array for any relevant external resources.

If your documentation makes use of the name of a certificate's identity, its certificate filename, its private key filename, or the root certificate filename, please use these template tokens. They will be interpolated with the appropriate values at build time in different contexts:

{{ server_name }} — Name of the identity like server.internal.net
{{ server_cert }} — Filename of the server's certificate like server.crt
{{ server_key }} — Filename of the server's private key like server.key
{{ server_port }} — Port number that that the server binds in the server auth docs
{{ client_name }} — Name of the identity like clientuser
{{ client_cert }} — Filename of the client's certificate like client.crt
{{ client_key }} — Filename of the client's private key like client.key
{{ ca_cert }} — Filename of the root CA certificate like ca.crt

Do not use markdown headlines.

Testing changes

Run yarn test locally to test that your changes are valid before opening a pull request.

License

Code in this repository is licensed under Apache License, Version 2.0.

All documentation content is licensed under Creative Commons Attribution 4.0 International License.

Support

Please don't hesitate to reach out on our Discord with any questions.

hello-mtls's People

Contributors

Stargazers

Watchers

hello-mtls's Issues

Python stdlib (client)

I think this is in the http.client module?

Update Kafka docs to use `step certificate p12`

Description

Hello mTLS for Kafka requires the use of OpenSSL to create PKCS#12 certificates. But now step has now support for this kind of certificates using step certificate p12 command, see smallstep/cli#372.

We can now change kafka docs to use step instead of OpenSSL.

Kafka (server)

https://docs.confluent.io/current/kafka/authentication_ssl.html

Golang (server and client)

Django (server)

Why have this repo if nobody is going to maintain it?

IIS (server)

Require links to contain display text

Not just URLs

Configure mTLS on Schema Registry

I'd like to see documentation for Schema Registry.

This software can:

Accept TLS connections
Authenticate clients with TLS
Request TLS connections with client certificates

MySQL (server and client)

This may not be one docs directory for both, but instead mysql and mysql-client directories.

Resources linked on website can't be found (404)

Hi,

The resources linked from the website for all the examples currently seem to be missing.

$ http -h HEAD https://smallstep.com/hello-mtls/doc/server/express | head -n1
HTTP/1.1 404 Not Found

Node.js axios (client)

RabbitMQ (server and client)

User is looking to implement TLS on RabbitMQ.

Found this:
https://www.rabbitmq.com/ssl.html

Ruby (client)

Using Net::HTTP

Standardize port numbers?

@sourishkrout An item for discussion I noticed after reviewing the golang doc.

Should we standardize the server port number across all docs? For example, the nginx doc suggests binding :443, and the curl doc connects over bare domain (:443). But, go binds to :9443 and the client requests from :9443.

So, if in the process of going through a tutorial or onboarding flow, someone selects nginx as the server and go as the client, they'll be told to listen on :443 but make a request to the server at :9443. Or if they do go server and curl client, it's the opposite.

Any ideas? Seems like :9443 could work across the board without needing superuser privileges, but it's pretty awkward to configure nginx or some other thing that's obviously a web server on that port.

Or maybe we somehow provide a way (maybe in config.yaml) for docs that offer servers to also specify the port they bind to, then use a {{ port }} variable in client docs to feed in the port from the configured server?

Postgres (server and client)

This may not be one docs directory for both, but instead postgres and psql directories.

https://www.postgresql.org/docs/10/auth-methods.html#AUTH-CERT
https://www.postgresql.org/docs/9.5/ssl-tcp.html
https://serverfault.com/a/811706

Address CVEs on helloMTLS

https://github.com/smallstep/hello-mtls/network/alerts

Ruby on Rails? (server)

I'm not actually sure if Rails can terminate TLS or do client auth? Tutorials often point to authenticating at Nginx or Apache.

Tiller/Helm (server and client)

.NET/C# (server and client)

This could probably be split into multiple issues. I'm not sure what the options are here.

ZooKeeper (server and client)

https://cwiki.apache.org/confluence/display/ZOOKEEPER/ZooKeeper+SSL+User+Guide
https://juplo.de/encrypt-communication-between-kafka-and-zookeeper-with-tls/

PHP (server and client)

This could be split into multiples. Not sure what popular options are... Laravel, Symfony, ??? Or maybe TLS just terminates at the Apache/nginx web server for PHP, not sure whether they encourage running your own pure PHP server and reverse proxying these days.

Objective C/Swift (client)

Flask (server)

Consider friendly unauthorized messages in Golang client auth doc

@sourishkrout, this is in reference to this comment:

https://github.com/smallstep/hello-mtls/pull/23/files#r326783119

Thoughts?

TiDB

I'd like to see documentation for TiDB.

Mosquitto MQTT

I'd like to see documentation for Mosquitto.

This software can:

[X ] Accept TLS connections
[X ] Authenticate clients with TLS
[ X] Request TLS connections with client certificates

MySQL example doesn't validate name in the cert

MySQL actually supports this with the SUBJECT clause:

https://dev.mysql.com/doc/refman/8.0/en/create-user.html#create-user-tls

Prometheus

I'd like to see documentation for Prometheus.

Python requests (client)

If I remember correctly, they use a third party lib as their trust store, so it could be a little tricky.

Node.js (server)

This one can make mention of Express too, but options/config should be roughly the same as raw https.

Beam, Flink, Spark (client)

There's lots of tech used to make transforms on Kafka data. These could be split into other issues.

MongoDB (server)

I'd like to see documentation for MongoDB.

Java (server and client)

I'm clueless here as to what the broadest tech is, so this should be split into other issues for clients and servers (Spring, Struts, ???).

Relatedly, we could probably break out issues for Scala and friends.

Nginx example would not work in browser

https://smallstep.com/hello-mtls/doc/server/nginx

In this example ssl_client_certificate contains only root certificate without intermediate certs.
This way server wouldn't be able to check client certs coming from browser (browser sends leaf cert only, not the whole bundle)

Server needs to have intermediates too in its ssl_client_certificate file.

Redis (server and client)

This may not be one docs directory for both, but instead redis and redis-cli directories.

Usage documentation

Add README content for importing docs, rendering with the ContentBlock component, and enabling syntax highlighting.

Q: mTLS Between Step-CA And MariaDB?

Hi All,

Is it possible to do mTLS between Step-CA and a MariaDB Database Backend, or only "one-way" TLS from Step-CA to the MariaDB Backend?

If it is possible, did I simply miss the documentation on this (& could someone please point me in the right direction)? 😄

Please note that I am not asking about Step-CA facilitating mTLS between a MariaDB Database and another 3^rd-Party application (I know how to do that, and have done so within our existing PKI), but between Step-CA itself and a MariaDB Database.

Thanks in advance

Dulux-Oz

Fastly (client)

You can give Fastly a cert for client auth with your origin. I'm not sure if you can supply your own CA cert to their trust store, though, for auth-ing the origin?

Find a way to host logos and export through library

Switch to mustache templates for markdown

This will make the markdown more portable than relying on lodash templates.

Add renewal documentation for Traefik

We currently don't show content on renewals, but when we do (a large project), we should add an ACME renewal flow for Traefik:

Traefik is a modern reverse-proxy with integrated support for ACME. It's easy to get a certificate from Let's Encrypt andy other ACME compatible CAs like step-ca in Traefik, using the tls-alpn-01 ACME challenge type.

Most importantly, Traefik will need to trust your root CA certificate. Either use the LEGO_CA_CERTIFICATES environment variable to provide the full path to your {{ ca_cert }} when running Traefik, or install your root certificate in your system's trust store.

In your Traefik static configuration, you'll need to add a certificatesResolvers block:

[certificatesResolvers]
  [certificatesResolvers.myresolver]
    [certificatesResolvers.myresolver.acme]
      caServer = "https://step-ca.internal/acme/acme/directory"
      email = "[email protected]"
      storage = "acme.json"
      tlsChallenge = true

Then, when you add routers to your dynamic configuration for HTTPS traffic, you need to set tls and tls.certResolver:

## Dynamic configuration
[http]
  [http.routers]
    [http.routers.router1]
      ...
      [http.routers.router1.tls]
        certResolver = "myresolver"

cc @tashian