minio/pkg/event/target
Andreas Auernhammer fbd1c5f51a
certs: refactor cert manager to support multiple certificates (#10207)
This commit refactors the certificate management implementation
in the `certs` package such that multiple certificates can be
specified at the same time. Therefore, the following layout of
the `certs/` directory is expected:
```
certs/
 │
 ├─ public.crt
 ├─ private.key
 ├─ CAs/          // CAs directory is ignored
 │   │
 │    ...
 │
 ├─ example.com/
 │   │
 │   ├─ public.crt
 │   └─ private.key
 └─ foobar.org/
     │
     ├─ public.crt
     └─ private.key
   ...
```

However, directory names like `example.com` are just for human
readability/organization and don't have any meaning w.r.t whether
a particular certificate is served or not. This decision is made based
on the SNI sent by the client and the SAN of the certificate.

***

The `Manager` will pick a certificate based on the client trying
to establish a TLS connection. In particular, it looks at the client
hello (i.e. SNI) to determine which host the client tries to access.
If the manager can find a certificate that matches the SNI it
returns this certificate to the client.

However, the client may choose to not send an SNI or tries to access
a server directly via IP (`https://<ip>:<port>`). In this case, we
cannot use the SNI to determine which certificate to serve. However,
we also should not pick "the first" certificate that would be accepted
by the client (based on crypto. parameters - like a signature algorithm)
because it may be an internal certificate that contains internal hostnames. 
We would disclose internal infrastructure details doing so.

Therefore, the `Manager` returns the "default" certificate when the
client does not specify an SNI. The default certificate the top-level
`public.crt` - i.e. `certs/public.crt`.

This approach has some consequences:
 - It's the operator's responsibility to ensure that the top-level
   `public.crt` does not disclose any information (i.e. hostnames)
   that are not publicly visible. However, this was the case in the
   past already.
 - Any other `public.crt` - except for the top-level one - must not
   contain any IP SAN. The reason for this restriction is that the
   Manager cannot match a SNI to an IP b/c the SNI is the server host
   name. The entire purpose of SNI is to indicate which host the client
   tries to connect to when multiple hosts run on the same IP. So, a
   client will not set the SNI to an IP.
   If we would allow IP SANs in a lower-level `public.crt` a user would
   expect that it is possible to connect to MinIO directly via IP address
   and that the MinIO server would pick "the right" certificate. However,
   the MinIO server cannot determine which certificate to serve, and
   therefore always picks the "default" one. This may lead to all sorts
   of confusing errors like:
   "It works if I use `https:instance.minio.local` but not when I use
   `https://10.0.2.1`.

These consequences/limitations should be pointed out / explained in our
docs in an appropriate way. However, the support for multiple
certificates should not have any impact on how deployment with a single
certificate function today.

Co-authored-by: Harshavardhana <harsha@minio.io>
2020-09-03 23:33:37 -07:00
..
testdata NATS TLS specify CA and client TLS authentication (#8389) 2019-11-15 09:13:23 -08:00
amqp.go fix: only show active/available ARNs in server startup banner (#9392) 2020-04-21 09:38:32 -07:00
common.go fix: re-use connections in webhook/elasticsearch (#9461) 2020-04-28 13:57:56 -07:00
elasticsearch.go Support https and basic-auth for elasticsearch notification target (#10332) 2020-08-23 09:43:48 -07:00
kafka.go fix: only show active/available ARNs in server startup banner (#9392) 2020-04-21 09:38:32 -07:00
kafka_scram_client.go added support for SASL/SCRAM on Kafka bucket notifications. (#9168) 2020-03-20 11:10:27 -07:00
mqtt.go fix: only show active/available ARNs in server startup banner (#9392) 2020-04-21 09:38:32 -07:00
mysql.go Update go-sql-driver pkg to support `checkConnLiveness` (#9766) 2020-06-04 16:11:42 -07:00
mysql_test.go Replace Minio refs in docs with MinIO and links (#7494) 2019-04-09 11:39:42 -07:00
nats.go fix: only show active/available ARNs in server startup banner (#9392) 2020-04-21 09:38:32 -07:00
nats_test.go Add nancy vulnerability scanner (#10289) 2020-08-19 14:25:21 -07:00
nats_tls_test.go Add nancy vulnerability scanner (#10289) 2020-08-19 14:25:21 -07:00
nsq.go fix: a type in NSQ notification target environment key (#10118) 2020-07-23 12:19:36 -07:00
nsq_test.go enable full linter across the codebase (#9620) 2020-05-18 09:59:45 -07:00
postgresql.go fix: connection_string should override other params (#10180) 2020-08-03 09:16:00 -07:00
postgresql_test.go Replace Minio refs in docs with MinIO and links (#7494) 2019-04-09 11:39:42 -07:00
queuestore.go notification queue limit has no maxLimit (#9380) 2020-04-18 01:20:56 -07:00
queuestore_test.go Fix queueStore stops working with concurrent PUT/DELETE requests (#8381) 2019-10-11 17:46:03 -07:00
redis.go Implement CLIENT SETNAME for Redis connections (#9876) 2020-06-19 13:28:28 -07:00
store.go fix: throttling of events during their replay (#9188) 2020-03-23 12:34:39 -07:00
webhook.go certs: refactor cert manager to support multiple certificates (#10207) 2020-09-03 23:33:37 -07:00