
Reload expired client certificates #2123

Closed (wants to merge 1 commit)

Conversation

mjdiffy

@mjdiffy mjdiffy commented Jun 8, 2022

When the client credentials used for mutual authentication expire, all requests
to a DoH server which enforces validity will fail. To mitigate this, we can
try to reload the existing credentials from disk. This assumes that the
credentials have been rotated outside of the dnscrypt-proxy process and thus a
reload will pick up the newest versions.

The simplest way to do this is to simply rebuild the transport upon receiving
an error which contains the string "bad certificate".

Resolves #2114

@mjdiffy
Author

mjdiffy commented Jun 8, 2022

To test my changes, I no longer had a mutually-authenticated DoH server which does enforce certificate validity, so I pointed it to another random HTTPS endpoint which did. However, it doesn't speak DoH, so I didn't expect valid outputs when it got there:

➜  dnscrypt-proxy git:(master) ✗ go run . --config ~/dnscrypt-proxy.toml
[2022-06-08 15:27:37] [NOTICE] dnscrypt-proxy 2.1.1
[2022-06-08 15:27:37] [NOTICE] Enabling TLS authentication
Reload expired client certificates
[2022-06-08 15:27:37] [NOTICE] Now listening to 127.0.0.1:53443 [UDP]
[2022-06-08 15:27:37] [NOTICE] Now listening to 127.0.0.1:53443 [TCP]
[2022-06-08 15:27:37] [NOTICE] Firefox workaround initialized
[2022-06-08 15:27:38] [WARNING] TLS certificate failure - Check the validity of the client certificate; reloading existing certificate
[2022-06-08 15:27:38] [WARNING] TLS certificate failure - Check the validity of the client certificate; reloading existing certificate
[2022-06-08 15:27:38] [WARNING] TLS certificate failure - Check the validity of the client certificate; reloading existing certificate
[2022-06-08 15:27:38] [WARNING] TLS certificate failure - Check the validity of the client certificate; reloading existing certificate
[2022-06-08 15:27:38] [ERROR] Get "https://<redacted>": remote error: tls: bad certificate
[2022-06-08 15:27:38] [NOTICE] dnscrypt-proxy is waiting for at least one server to be reachable
[2022-06-08 15:27:48] [WARNING] TLS certificate failure - Check the validity of the client certificate; reloading existing certificate
[2022-06-08 15:27:48] [WARNING] TLS certificate failure - Check the validity of the client certificate; reloading existing certificate
[2022-06-08 15:27:48] [WARNING] TLS certificate failure - Check the validity of the client certificate; reloading existing certificate
[2022-06-08 15:27:48] [WARNING] TLS certificate failure - Check the validity of the client certificate; reloading existing certificate
[2022-06-08 15:27:58] [WARNING] TLS certificate failure - Check the validity of the client certificate; reloading existing certificate

At this point, I flipped the certificate file to a non-expired version, and it reloaded properly. I still had the issue of pointing at a non-DoH server, but at least what I was after worked!

[2022-06-08 15:27:58] [WARNING] [dohproxy_v6]: dns: bad rdata
[2022-06-08 15:27:59] [WARNING] [dohproxy_v4]: dns: bad rdata
[2022-06-08 15:28:09] [WARNING] [dohproxy_v6]: dns: bad rdata
[2022-06-08 15:28:09] [WARNING] [dohproxy_v4]: dns: bad rdata
# ...

@jedisct1
Member

jedisct1 commented Jun 8, 2022

Thanks!

It may work as a quick hack, but this is not something that can be merged as-is.

If a single server has a permanent certificate error, that would cause the entire configuration to be reloaded every time it gets a query. Not great if more than one server is in use, and that can even be considered a remotely exploitable security issue.
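
The shape a reload would need to take to answer that objection, as an added Go example that is not code from this PR or from dnscrypt-proxy: the credential is handed to crypto/tls through the tls.Config.GetClientCertificate hook, so no transport is ever rebuilt, and a "bad certificate" error (the same substring the PR matches on) can only trigger a re-read of that one key pair, at most once per interval and only if the file on disk actually changed. A server that rejects the certificate permanently, or a hostile relay, therefore costs one file hash per interval instead of a configuration reload per query. The type and method names (ClientCertSource, Load, OnHandshakeError, MinInterval) and the self-signed fixture written by writeSelfSigned are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"strings"
	"sync"
	"time"
)

// ClientCertSource serves the client certificate through tls.Config's
// GetClientCertificate hook, so the transport is never rebuilt. A "bad
// certificate" error may re-read the pair from disk, but at most once per
// MinInterval and only when the file content changed. Hypothetical design.
type ClientCertSource struct {
	CertFile, KeyFile string
	MinInterval       time.Duration
	mu                sync.Mutex
	cert              *tls.Certificate
	certDigest        [32]byte
	lastAttempt       time.Time
	Reloads           int // key pairs actually read from disk
}

// Load re-reads the key pair unconditionally (callers hold mu after startup).
// tls.X509KeyPair ignores validity dates: an expired pair loads fine and is
// only refused by the server during the handshake, as in the log above.
func (s *ClientCertSource) Load() error {
	certPEM, errCert := os.ReadFile(s.CertFile)
	keyPEM, errKey := os.ReadFile(s.KeyFile)
	cert, errPair := tls.X509KeyPair(certPEM, keyPEM)
	if err := errors.Join(errCert, errKey, errPair); err != nil {
		return err
	}
	s.cert, s.certDigest = &cert, sha256.Sum256(certPEM)
	s.Reloads++
	return nil
}

// GetClientCertificate is the tls.Config hook consulted on every handshake.
func (s *ClientCertSource) GetClientCertificate(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	return s.cert, nil
}

// OnHandshakeError takes the error of a failed request and reports whether the
// pair was reloaded. A server that rejects us permanently (or a hostile relay)
// costs at most one file hash per MinInterval and can never force a reload of
// anything beyond this one key pair.
func (s *ClientCertSource) OnHandshakeError(reqErr error, now time.Time) (bool, error) {
	if reqErr == nil || !strings.Contains(reqErr.Error(), "bad certificate") {
		return false, nil // not a certificate rejection (the substring the PR keys on)
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	if !s.lastAttempt.IsZero() && now.Sub(s.lastAttempt) < s.MinInterval {
		return false, nil // rate limited: the disk is not touched
	}
	s.lastAttempt = now
	b, err := os.ReadFile(s.CertFile)
	if err != nil || sha256.Sum256(b) == s.certDigest {
		return false, err // unreadable or not rotated: keep what we have
	}
	err = s.Load()
	return err == nil, err
}

// writeSelfSigned writes a throwaway self-signed client pair into dir.
// Constructed fixture for the demo; a real deployment gets its pair from a CA.
func writeSelfSigned(dir string, notAfter time.Time) (certFile, keyFile string) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "doh-client"},
		NotBefore: notAfter.Add(-24 * time.Hour), NotAfter: notAfter}
	der, errCert := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	keyDER, errKey := x509.MarshalPKCS8PrivateKey(priv)
	certFile, keyFile = filepath.Join(dir, "client.crt"), filepath.Join(dir, "client.key")
	if err := errors.Join(errCert, errKey,
		os.WriteFile(certFile, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o600),
		os.WriteFile(keyFile, pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER}), 0o600)); err != nil {
		panic(err)
	}
	return certFile, keyFile
}

func main() {
	dir, _ := os.MkdirTemp("", "mtls")
	cf, kf := writeSelfSigned(dir, time.Now().Add(-time.Hour)) // begin with an expired pair
	src := &ClientCertSource{CertFile: cf, KeyFile: kf, MinInterval: 10 * time.Second}
	if err := src.Load(); err != nil {
		panic(err)
	}
	bad, t0 := errors.New("remote error: tls: bad certificate"), time.Now()
	r1, _ := src.OnHandshakeError(bad, t0)                     // file unchanged: no reload
	writeSelfSigned(dir, time.Now().Add(24*time.Hour))         // operator rotates the files
	r2, _ := src.OnHandshakeError(bad, t0.Add(time.Second))    // inside MinInterval: refused
	r3, _ := src.OnHandshakeError(bad, t0.Add(11*time.Second)) // interval passed, content changed
	fmt.Println(r1, r2, r3, src.Reloads) // false false true 2
	os.RemoveAll(dir)
}
```

The hash-before-parse step is what makes the permanent-error case cheap: with the file unchanged the key pair is never re-parsed, and the only per-interval cost is one read of the certificate file. Because the state lives in one ClientCertSource per credential, a failing server can only ever affect the credential it is configured with, not the rest of the configuration; the same object would be used for an ODoH relay's client certificate.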

@jedisct1
Member

jedisct1 commented Jun 8, 2022

Also, the same issue may affect ODoH relays.

@jedisct1 jedisct1 closed this Jul 22, 2022
@DNSCrypt DNSCrypt locked and limited conversation to collaborators Aug 21, 2022
Linked issue (would be closed by merging): [DoH][TLS Client Authentication] Reload expired client certificates