How to do a zero-downtime gRPC upgrade from plaintext to mTLS? - grpc

Is there a way to configure the gRPC Java client and/or server in order to support a zero downtime rollout of mTLS from plaintext?
Use case: Say you have a cluster of gRPC Java servers running with plaintext, with active gRPC Java clients connected to them. Service discovery is via DNS, so if you upgraded the servers to support mTLS, the new instances would come up and be published via DNS to the clients.
Option 1: Configure the clients to support both, so when the client gets a new IP from the DNS lookup, it would work with either plaintext or mTLS, perhaps by trying mTLS first and falling back to plaintext. Can this be configured?
Option 2: Configure the server (on a single port) to do both. Then you'd rollout upgrades to the clients with mTLS enabled to replace the existing plaintext ones. Then when done, disable the server fallback to plaintext. Can this be configured?

Interesting use-case!
Option 1: Configure the clients to support both, so when the client gets a new IP from the DNS lookup, it would work with either plaintext or mTLS, perhaps by trying mTLS first and falling back to plaintext. Can this be configured?
This would just be the client code (in the application) trying mTLS first and, on failure, trying plaintext for the channel. How do you expect this to be configured? Do you think the client would decide to use (or not) mTLS based on the IP address?
Option 2: Configure the server (on a single port) to do both. Then you'd rollout upgrades to the clients with mTLS enabled to replace the existing plaintext ones. Then when done, disable the server fallback to plaintext. Can this be configured?
The server needs to use a TLS handler or plaintext for all incoming connections. Do you want the server also to do some kind of fallback or examine the initial packets to see if there is a ClientHello or such and based on that decide to use the TLS handler or not?
For xDS configured gRPC servers one can configure it to do mTLS (or TLS) based on the client IP addresses as configured in the FilterChainMatch configuration for the server. See https://github.com/grpc/proposal/blob/master/A36-xds-for-servers.md#filterchainmatch
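As an added illustration of the server-side sniffing the reply mentions (example code written for this page, not grpc-java's own): the check peeks at the first bytes of an accepted connection and routes it to TLS or plaintext handling, with a switch to turn off the plaintext path once the client rollout is complete. The constant names, sample bytes and helper names are my own.

```python
import socket

# What each kind of gRPC client sends first on a fresh TCP connection:
#  - a TLS client: a record of type 0x16 (handshake) carrying a ClientHello (type 0x01)
#  - a plaintext (h2c) client: the fixed HTTP/2 connection preface
TLS_RECORD_HANDSHAKE = 0x16
TLS_HANDSHAKE_CLIENT_HELLO = 0x01
H2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"

# Constructed sample: the first bytes of a TLS 1.2-style ClientHello record
# (5-byte record header, then handshake type, 3-byte length, client version).
SAMPLE_CLIENT_HELLO = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"


def classify_prefix(data: bytes) -> str:
    """Classify the first bytes of a connection as 'tls', 'plaintext' or 'unknown'."""
    if len(data) >= 6 and data[0] == TLS_RECORD_HANDSHAKE \
            and data[1] == 0x03 and data[2] <= 0x04 \
            and data[5] == TLS_HANDSHAKE_CLIENT_HELLO:
        return "tls"
    if data.startswith(H2_PREFACE):
        return "plaintext"
    return "unknown"  # too few bytes yet, or not a protocol served on this port


def choose_handler(data: bytes, allow_plaintext: bool) -> str:
    """Pick 'tls', 'plaintext' or 'reject' for a new connection.
    allow_plaintext is the rollout switch: True during the migration window,
    False once every client has been upgraded to mTLS."""
    kind = classify_prefix(data)
    if kind == "tls":
        return "tls"
    if kind == "plaintext" and allow_plaintext:
        return "plaintext"
    return "reject"


def sniff_socket(conn: socket.socket, allow_plaintext: bool) -> str:
    """Peek (MSG_PEEK) so the bytes stay in the buffer for whichever handler
    (TLS or plaintext) takes over the socket afterwards. Assumes a blocking,
    already-accepted socket; hypothetical helper, not a grpc-java API.
    recv may return fewer bytes than asked; a real server would loop with a timeout."""
    data = conn.recv(len(H2_PREFACE), socket.MSG_PEEK)
    return choose_handler(data, allow_plaintext)
```

A client that silently falls back to plaintext (Option 1) can be downgraded by anyone able to make its TLS attempt fail, so both the server-side plaintext window and the client fallback should be time-boxed and logged.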

Related

Is it possible to establish mTLS using a proxy server

I have a pair of public/private certificates, which are very important and cannot be stored on my computer, but only in secure premises.
I need to use such certificates to send requests to multiple providers (in my case those are banks).
What I want to do is set up a proxy server which would hold such certificates.
Then I would be able to send requests through that proxy and it will establish mTLS connection with banks using those certificates.
So my questions are:
Is it possible?
Do I understand correctly that such an approach could be called a "reverse termination proxy"?
Ideally, I would like to do that using nginx. Is it possible?
I've found some info in the nginx documentation, but I'm not sure whether it is what I am looking for.

How do I channel all browsing traffic through encrypted sTunnel session?

I have sTunnel running on my client and server and can't seem to get my head round how I can have it running in a sort of "silent mode" whereby if I were abroad I could fire up the sTunnel connection on my client, connect to my server and then my browsing traffic connection would behave as if I were in the UK (an encrypted proxy).
On the client conf I have:
accept = localhost:xxx (I understand this means the local sTunnel installation listens on xxx port and grabs any traffic sent on that port).
connect = serverip:xxx (This is the instruction of where it needs to be forwarded, i.e the server).
On my server:
accept: clientIP:xxx (the source IP address of my client)
connect: localhost:xxx (the loopback address of the server)
What am I failing to see here? As I see it, I can only use this tunnel if I explicitly target a port with my browser, and even then wouldn't it only make it as far as the sTunnel server and not onward to the website intended? Do I need to set up proxy settings in the browser?
Thanks a lot.
I'm not sure stunnel is what you're looking for here.
What you describe would be best accomplished with OpenSSH, and its dynamic SOCKS5 proxy functionality, e.g. ssh -D1080 from the client.
This generally doesn't require any extra settings on the server-side (unless it was specifically disabled by your system administrator), and then on your roaming client-side, you simply establish an SSH connection to your server as per usual, but add an extra -D1080 parameter to your ssh invocation.
Or, if using PuTTY, set up dynamic port forwarding within Connection, SSH, Tunnels, Source port of 1080 and Destination of Dynamic, click Add.
Subsequently, change the settings of your browser to use SOCKS proxy at localhost, port 1080, and also make sure to specify SOCKS v5 and ensure that the checkbox for resolving hostnames remotely is set, too.

How to implement secure client-server communication over https using python and m2crypto?

I want to secure the communication between a server and multiple clients.
The communication goes this way:
The client connects to a specific page at the server and checks for a software version.
If the version on the client is not the latest, the client connects to a specific page and downloads the software update.
I want to secure the 3rd part, so this connection must be over https. What I have done is to install m2crypto to the client and the server and with a python script, generate a pair of private/public keys.
The point is for the server to use the client's public key to sign the data it sends.
How do I configure my server (apache) so that the connection is over https?

What are the main security considerations when opening up port 25 and/or 587 for email delivery?

I am about to set up SmarterMail v9.0 on our Windows 2008 server (IIS7) and would first like to know what some security considerations are when opening up port 25 and/or 587, i.e. how to prevent relaying, etc.
Thank you.
You must not accept email from untrusted users/sources which is not bound for domains you control.
An open relay is a mail server which allows anyone on the Internet to email anyone else, without verifying that either the source or the destination is known - thus, a relay.
You can check that the source is known by looking for a trusted IP subnet, or by requiring authentication before mail can be sent (via LOGIN over TLS, GSSAPI [called "Integrated Windows Authentication" or whatever], X.509 client certs, or the like).
You can check that the destination is known by comparing it to the list of domains for which your mail server will be the "last stop" (or a relay to another domain you control).
Either a known source or a known destination should be sufficient, but you may also want to make sure that mail inbound for your domains is at least borderline valid (originates from a domain with an MX server, for instance).
Separately, you must be conscious of DoS issues (rate limit inbound mail), and the ability to use your server to send backscatter spam. Backscatter is when I connect to your mail server and say, "why yes, I am unsuspecting_target#not_my_domain.com, please queue up this message for not_an_address#yourdomain.com". Then your mail server delivers a "bounce" message to the unsuspecting target. To mitigate this, you can verify that the recipient is known before accepting mail, or limit the rate at which mail can be accepted from one host, or try to check that the host delivering a message is authorized to use that envelope sender.
These are all well-solved problems.
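The relay rule and the backscatter/rate-limit advice in the answer above, as an added example (not from the thread; the domain, subnet, mailbox and limit values are constructed): a per-RCPT decision that accepts mail only from a known source or for a known destination, validates local recipients at RCPT time so the server never accepts-then-bounces, and a sliding-window per-host limit.

```python
import time
import ipaddress
from collections import defaultdict, deque

# Constructed sample policy for a server that is the "last stop" for example.com.
LOCAL_DOMAINS = {"example.com"}
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # e.g. the office LAN
KNOWN_MAILBOXES = {"alice@example.com", "postmaster@example.com"}


def relay_decision(client_ip: str, authenticated: bool, rcpt: str) -> str:
    """Decide one RCPT TO: 'accept', 'reject-relay' or 'reject-unknown-recipient'.

    client_ip:     peer address of the SMTP session
    authenticated: True if the session completed SMTP AUTH (LOGIN over TLS, GSSAPI, ...)
    rcpt:          the envelope recipient
    """
    addr = ipaddress.ip_address(client_ip)
    known_source = authenticated or any(addr in net for net in TRUSTED_NETS)
    domain = rcpt.rpartition("@")[2].lower()

    if domain in LOCAL_DOMAINS:
        # Known destination: verify the mailbox now rather than queueing and
        # bouncing later, so the server cannot be used to generate backscatter.
        if rcpt.lower() in KNOWN_MAILBOXES:
            return "accept"
        return "reject-unknown-recipient"

    # Not one of our domains: only a known source may relay through us;
    # accepting anything else would make this an open relay.
    return "accept" if known_source else "reject-relay"


RATE_LIMIT = 30             # accepted messages per host per window (constructed)
RATE_WINDOW_SECONDS = 60.0
_recent = defaultdict(deque)


def within_rate_limit(client_ip: str, now: float = None) -> bool:
    """Sliding-window per-host limit on accepted messages (DoS mitigation)."""
    now = time.time() if now is None else now
    q = _recent[client_ip]
    while q and now - q[0] > RATE_WINDOW_SECONDS:
        q.popleft()             # drop timestamps outside the window
    if len(q) >= RATE_LIMIT:
        return False
    q.append(now)
    return True
```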

Difference between SSH and SSL, especially in terms of "SFTP" vs. "FTP over SSL"

Apart from the enhanced authentication options offered by SSH, is there any difference between the basic working of the SSH and SSL protocols?
I am asking since we can use SFTP or FTP over SSL, both would require authentication.
What is the difference between SSH and SSL and why would we care?
SSL stands for "Secure Sockets Layer". We care because it enables browsers to transmit data to and from a web server in a secure cryptographic way to make life hard for third party spies monitoring all internet traffic.
SSH stands for "Secure Shell". We care because it enables a networked computer 1 to provide access to a shell on networked computer 2. The user can have a level of confidence that spies listening to the insecure channel cannot decrypt data sent between the networked computers.
SSL and SSH both have to do with providing a system to encrypt and decrypt data over an insecure channel.
When a browser visits a URL which begins with "https://", the browser speaks HTTP over an SSL connection.
SSL enabled Web Servers (for example Apache HTTP Server) can be configured to use SSL to become a "secure web server". A website served up by a secure web server will cause users to access the URL through the "https://" protocol instead of "http://". With the https protocol the users can have a level of confidence that third party spies monitoring the internet channel will only receive encrypted content.
SSL is a Protocol that could be implemented in the 6th layer (Presentation layer) of the OSI Model.
SSH has its own transport protocol independent from SSL, so that means SSH DOES NOT use SSL under the hood.
Cryptographically, both Secure Shell and Secure Sockets Layer are equally secure.
An SSL Termination Proxy can handle incoming SSL connections, decrypting the SSL and passing on the unencrypted request to other servers.
SSL lets you use a PKI (public-key infrastructure) via signed certificates. With SSH you have to exchange the key fingerprints manually through another protocol like ftp or carrier pigeon.
The main difference is that SSL lets you use a PKI (via signed certificates). In SSH you have to exchange the key fingerprints out-of-band. But you might want to do without a PKI anyway, in which case it's a tie.
For a nice explanation, see http://www.snailbook.com/faq/ssl.auto.html
SSH and SSL are similar protocols that both use most of the same cryptographic primitives under the hood, so they are both as secure as each other. One advantage of SSH is that using key-pair authentication is actually quite easy to do, and built right into the protocol.
With SSL it's a bit of a mess involving CA certificates and other things. After you have the PKI in place you also need to configure your services to use the PKI for authentication instead of its internal password database; this is a nightmare on some services and a piece of cake on others. It also means you need to go to the hassle of signing all of your user's keys so they can log in with them.
Most competent users can grok SSH keys in no time but it takes a bit longer to get their heads around SSL keys (the extra CA certs and key certs confused me when I first discovered it).
Pick what's supportable. SSH+SFTP is great for Unix people, but FTP over SSL is probably easier to do if your users are Windows-based and are pretty clueless about anything other than Internet Exploiter (and you don't mind risking that your users will choose insecure passwords).
Cryptographically they are both equally secure (given that the same ciphers are used). Other than that they are entirely different protocols...
First of all, TLS server authentication is optional since its protocol supports fully anonymous server authentication. In SSH this is mandatory.
TLS uses X.509 certificates for client and server authentication, which would require some sort of PKI. SSH does not scale in this point but offers a wider range of authentication methods: password, public key, etc.
Another difference is that SSH allows multiple connections and supports remote program execution, terminal management, TCP tunneling and so on.