meshtls: Add a boring backend
#1351
Conversation
olix0r
changed the title
|
Related cloudflare/boring#55 |
In #1351, we add an alternate identity/mtls implementation that uses `boring`. To setup for that, this change introduces a new `meshtls` crate that serves as a facade for application crates to depend on, independently of the actual crypto implementation. This change does not change any runtime logic and sets up for #1351 to enable an alternate TLS implementation as a build-time configuration.
In #1351, we add an alternate identity/mtls implementation that uses `boring`. To setup for that, this change introduces a new `meshtls` crate that serves as a facade for application crates to depend on, independently of the actual crypto implementation. This change does not change any runtime logic and sets up for #1351 to enable an alternate TLS implementation as a build-time configuration.
This branch adds a simple nix-env configuration for building the proxy locally on NixOS. This does *not* yet introduce a derivation for *packaging* the proxy as a Nix package, just a nix-env for local development for Nix users. Actually packaging the proxy for Nix could be fun, but it's not really necessary, since the proxy is not currently distributed as a package for other package managers --- it's distributed as a docker image. If we were going to actually distribute something as a Nix package, it would be the Linkerd CLI (which could be worth doing!). This branch *does* include the necessary configuration to build `cloudflare/boring`, which is added as a dependency by @olix0r's PR #1351. I've confirmed that it is possible to build that branch with these configs, but I opened this as a separate PR against `main` so that we can merge it separately. Currently, we do have to build `boringssl` from source, rather than depending on it from nixpkgs, which is kind of a bummer, but this can be fixed later.
This change adds a `meshtls-boring` proxy feature that can be used to compile the proxy with an alternate TLS implementation. The `meshtls-rustls` feature should be disabled to take advantage of this alternate backend. In its current mode, the boring backend is compatible with the existing identity credentials and algorithms (specifically TLSv1.3 and ECDSA-P256-SHA256 with CHACHA20-POLY1305-SHA256). In future changes--once `boring` has been updated--we can: - Improve error handling, especially for SSL errors - Relax deny.toml changes needed by bindgen features - Add a FIPS mode Co-authored-by: Arnar Páll <[email protected]>
olix0r
changed the title
boring backend
|
@hawkw @arnarpall This change should be mergeable now (once CI clears). We run our normal end-to-end tests against the boring module and I've tested this branch manually as well. This change does not include the FIPS functionality being discussed in cloudflare/boring#52; and it sounds like even once that change merges (if it lands in its current state), it will be difficult to build in that mode (as a FIPS-compliant boring library will have to be provided externally). I haven't taken advantage of any of the recently changed error functionality either. We'll pick that up once boring does a proper crate release. |
Truly awesome work. I believe I could rework my original boring pull request once this one is merged where we hook into the boring build process to enable fips mode without having to to provide it externally. I'd like to get to a point where this is as transparent as possible |
| # boring-sys pulls in an old version via bindgen. See | ||
| # https://github.com/cloudflare/boring/pull/55. | ||
| { name = "ansi_term" }, |
There was a problem hiding this comment.
nit/tioli: it seems like this might, potentially, be better expressed as a skip-tree entry for bindgen? that way, we still get an error on duplicate deps if they're from another crate.
not actually important, of course.
There was a problem hiding this comment.
this would also ignore all other bindgen deps, though. I think the skip is narrower.
| // XXX(ver) This function reads from the environment and/or the filesystem. This likely is | ||
| // at best wasteful and at worst unsafe (if another thread were to mutate these environment | ||
| // variables simultaneously, for instance). Unfortunately, the boring APIs don't really give | ||
| // us an alternative AFAICT. |
There was a problem hiding this comment.
do you know if this is something that can be fixed upstream in the boring crate, or is it a boringssl behavior that we can't avoid?
There was a problem hiding this comment.
boring could probably have other constructors that don't load default trust anchors. I don't think it actually matters for us, in practice, though.
There was a problem hiding this comment.
that's fair; it seems like something that could be worth opening an issue for, but maybe not worth putting effort into implementing?
| // XXX(ver) if we disable use of TLSv1.2, connections just hang. | ||
| //conn.set_options(ssl::SslOptions::NO_TLSV1_2); |
There was a problem hiding this comment.
should we report a bug for this upstream?
There was a problem hiding this comment.
maybe? this is probably a bug in boringssl and not the rust bindings, if it's a bug.
| //! A new SSL context is created for each connection. This is probably | ||
| //! unnecessary, but it's simpler for now. We can revisit this if needed. |
There was a problem hiding this comment.
not a blocker at all, just curious: how much do we know about what this actually means? e.g. do we know what a "SSL context" in boring consists of, and what are the implications of creating them?
There was a problem hiding this comment.
Some allocations + everything in the connector/acceptor constructors (i.e. trust anchors, private key, certs).
This release updates the proxy's `rustls`, `ring`, and `webpki` dependencies. Additionally, the proxy can now be built to use a `boringssl` backend instead of the default `rustls` backend, but this functionality is disabled in default builds. --- * meshtls: replace build script with `compile_error!` macro (linkerd/linkerd2-proxy#1357) * ci: Split actions into several workflows (linkerd/linkerd2-proxy#1356) * ci: Make job names uniform (linkerd/linkerd2-proxy#1358) * meshtls: allow building without any TLS impls enabled (linkerd/linkerd2-proxy#1359) * `app-core` should not enable `meshtls-rustls` (linkerd/linkerd2-proxy#1360) * Restore rustls credential tests (linkerd/linkerd2-proxy#1363) * build(deps): bump hex from 0.3 to 0.4 (linkerd/linkerd2-proxy#1364) * ci: Split jobs into 'fast' and 'slow' workflows (linkerd/linkerd2-proxy#1365) * meshtls: Move TLS e2e tests into the meshtls crate (linkerd/linkerd2-proxy#1366) * rustls: Tidy std::task imports (linkerd/linkerd2-proxy#1367) * build(deps): bump serde_json from 1.0.68 to 1.0.69 (linkerd/linkerd2-proxy#1368) * build(deps): bump libc from 0.2.106 to 0.2.107 (linkerd/linkerd2-proxy#1369) * meshtls: Add a `boring` backend (linkerd/linkerd2-proxy#1351) * meshtls-rustls: update to `rustls` 0.20 and `tokio-rustls` 0.23 (linkerd/linkerd2-proxy#1362)
This release updates the proxy's `rustls`, `ring`, and `webpki` dependencies. Additionally, the proxy can now be built to use a `boringssl` backend instead of the default `rustls` backend, but this functionality is disabled in default builds. --- * meshtls: replace build script with `compile_error!` macro (linkerd/linkerd2-proxy#1357) * ci: Split actions into several workflows (linkerd/linkerd2-proxy#1356) * ci: Make job names uniform (linkerd/linkerd2-proxy#1358) * meshtls: allow building without any TLS impls enabled (linkerd/linkerd2-proxy#1359) * `app-core` should not enable `meshtls-rustls` (linkerd/linkerd2-proxy#1360) * Restore rustls credential tests (linkerd/linkerd2-proxy#1363) * build(deps): bump hex from 0.3 to 0.4 (linkerd/linkerd2-proxy#1364) * ci: Split jobs into 'fast' and 'slow' workflows (linkerd/linkerd2-proxy#1365) * meshtls: Move TLS e2e tests into the meshtls crate (linkerd/linkerd2-proxy#1366) * rustls: Tidy std::task imports (linkerd/linkerd2-proxy#1367) * build(deps): bump serde_json from 1.0.68 to 1.0.69 (linkerd/linkerd2-proxy#1368) * build(deps): bump libc from 0.2.106 to 0.2.107 (linkerd/linkerd2-proxy#1369) * meshtls: Add a `boring` backend (linkerd/linkerd2-proxy#1351) * meshtls-rustls: update to `rustls` 0.20 and `tokio-rustls` 0.23 (linkerd/linkerd2-proxy#1362)
This change adds a
meshtls-boringproxy feature that can be used tocompile the proxy with an alternate TLS implementation. The
meshtls-rustlsfeature should be disabled to take advantage of thisalternate backend.
In its current mode, the boring backend is compatible with the existing
identity credentials and algorithms (specifically TLSv1.3 and
ECDSA-P256-SHA256 with CHACHA20-POLY1305-SHA256).
In future changes--once
boringhas been updated--we can:Co-authored-by: @arnarpall