Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are protocols designed to provide communication security over public networks. Users exchange a symmetric session key that is used to encrypt data exchanged between the parties.
By default, a FoundationDB cluster uses unencrypted connections among client and server processes. This document describes the Transport Layer Security (TLS) capabilities of FoundationDB, which enable security and authentication through a public/private key infrastructure. TLS is compiled into each FoundationDB binary. This document will describe the basic TLS capabilities of FoundationDB and document its implementation, which is based on LibreSSL. TLS-enabled servers will only communicate with other TLS-enabled servers and TLS-enabled clients. Therefore, a cluster's machines must all enable TLS in order for TLS to be used.
To set a new cluster to use TLS, use the -t flag on make_public.py:
user@host1$ sudo /usr/lib/foundationdb/make_public.py -t /etc/foundationdb/fdb.cluster is now using address 10.0.1.1 (TLS enabled)
This will configure the new cluster to communicate with TLS.
Note
Depending on your operating system, version and configuration, there may be a firewall in place that prevents external access to certain ports. If necessary, please consult the appropriate documentation for your OS and ensure that all machines in your cluster can reach the ports configured in your :ref:`configuration file <foundationdb-conf>`.
Enabling TLS on an existing (non-TLS) cluster cannot be accomplished without downtime because all processes must have TLS enabled to communicate. At startup, each server process enables TLS if the addresses in its cluster file are TLS-enabled. As a result, server processes must be stopped and restarted to convert them to use TLS. To convert the cluster to TLS in the most conservative way:
- Stop all FoundationDB clients and :ref:`server processes <administration-running-foundationdb>` in the cluster.
- Change all cluster files to have the
:tlssuffix for each coordinator. - Restart the cluster and the clients.
The operation of TLS is configured through five settings. These settings can be provided as command-line options, client options, or environment variables, and are named as follows:
| Command-line Option | Client Option | Environment Variable | Purpose |
|---|---|---|---|
tls_certificate_file |
TLS_cert_path |
FDB_TLS_CERTIFICATE_FILE |
Path to the file from which the local certificates can be loaded |
tls_key_file |
TLS_key_path |
FDB_TLS_KEY_FILE |
Path to the file from which to load the private key |
tls_verify_peers |
TLS_verify_peers |
FDB_TLS_VERIFY_PEERS |
The byte-string for the verification of peer certificates and sessions |
tls_password |
TLS_password |
FDB_TLS_PASSWORD |
The byte-string representing the passcode for unencrypting the private key |
tls_ca_file |
TLS_ca_path |
FDB_TLS_CA_FILE |
Path to the file containing the CA certificates to trust |
The value for each setting can be specified in more than one way. The actual valued used is determined in the following order:
- An explicitly specified value as a command-line option or client option, if one is given;
- The value of the environment variable, if one has been set;
- The default value
As with all other command-line options to fdbserver, the TLS settings can be specified in the :ref:`[fdbserver] section of the configuration file <foundationdb-conf-fdbserver>`.
The settings for certificate file, key file, peer verification, password and CA file are interpreted by the software.
The default behavior when the certificate or key file is not specified is to look for a file named fdb.pem in the current working directory. If this file is not present, an attempt is made to load a file from a system-dependent location:
- Linux:
/etc/foundationdb/fdb.pem- macOS:
/usr/local/etc/foundationdb/fdb.pem- Windows:
C:\ProgramData\foundationdb\fdb.pem
The default peer verification is Check.Valid=1.
There is no default password. If no password is specified, it is assumed that the private key is unencrypted.
If a value is not specified, the software searches for certs in the default openssl certs location.
FoundationDB offers TLS based on the LibreSSL library. By default, it will be enabled automatically when participating in a TLS-enabled cluster.
For TLS to operate, each process (both server and client) must have an X509 certificate, its corresponding private key, and potentially the certificates with which is was signed. When a process begins to communicate with a FoundationDB server process, the peer's certificate is checked to see if it is trusted and the fields of the peer certificate are verified. Peers must share the same root trusted certificate, and they must both present certificates whose signing chain includes this root certificate.
If the local certificate and chain is invalid, a FoundationDB server process bound to a TLS address will not start. In the case of invalid certificates on a client, the client will be able to start but will be unable to connect any TLS-enabled cluster.
LibreSSL can read certificates and their private keys in base64-encoded DER-formatted X.509 format (which is known as PEM). A PEM file can contain both certificates and a private key or the two can be stored in separate files.
A single file can contain the information as described in both of the following sections.
A file must be supplied that contains an ordered list of certificates. The first certificate is the process' own certificate. Each following certificate must sign the one preceding it.
All but the last certificate are provided to peers during TLS handshake as the certificate chain.
The last certificate in the list is the trusted certificate.
Note
If the certificate list contains only one certificate, that certificate must be self-signed and will be used as both the certificate chain and the trusted certificate.
Each of these certificates must be in the form:
--------BEGIN CERTIFICATE-------- xxxxxxxxxxxxxxx --------END CERTIFICATE--------
The key file must contain the private key corresponding to the process' own certificate. The private key must be in PKCS#8 format, which means that it must be surrounded by:
-----BEGIN PRIVATE KEY----- xxxxxxxxxxxxxxx -----END PRIVATE KEY-----
It can optionally be encrypted by the password provided to tls_password.
If your organization already makes use of certificates for access control and securing communications, you should ask your security expert for organizational procedure for obtaining and verifying certificates. If the goal of enabling TLS is to make sure that only known machines can join or access the FoundationDB cluster and for securing communications, then creating your own certificates can serve these purposes.
The following set of commands uses the OpenSSL command-line tools to create a self-signed certificate and private key. The certificate is then joined with the private key in the output fdb.pem file:
user@host:> openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout private.key -out cert.crt user@host:> cat cert.crt private.key > fdb.pem
A FoundationDB server or client will only communicate with peers that present a certificate chain that meets the verification requirements. By default, the only requirement is that the provided certificate chain ends in a certificate signed by the local trusted certificate.
With a peer verification string, FoundationDB servers and clients can adjust what is required of the certificate chain presented by a peer. These options can make the certificate requirements more rigorous or more lenient. You can specify multiple verification strings by providing additional tls_verify_peers command line arguments or concatenating them with |. All , or | in the verify peers fields should be escaped with \.
If the default checking of the certificate chain is too stringent, the verification string can contain settings to weaken what certificates are accepted.
| Setting | Result |
|---|---|
Check.Valid=0 |
Sets the current process to disable all further verification of a peer certificate. |
Check.Unexpired=0 |
Disables date checking of peer certificates. If the clocks in
the cluster and between the clients and servers are not to be
trusted, setting this value to 0 can allow communications
to proceed. |
Requirements can be placed on the fields of the Issuer and Subject DNs in the peer's own certificate. These requirements take the form of a comma-separated list of conditions. Each condition takes the form of field[<>]?=value. Only certain fields from a DN can be matched against.
| Field | Well known name |
|---|---|
CN |
Common Name |
C |
County |
L |
Locality |
ST |
State |
O |
Organization |
OU |
Organizational Unit |
UID |
Unique Identifier |
DC |
Domain Component |
The field of each condition may optionally have a DN prefix, which is otherwise considered to be for the Subject DN.
| Prefix | DN |
|---|---|
S., Subject., or none |
Subject |
I., or Issuer. |
Issuer |
R., or Root. |
Root |
Additionally, the verification can be restricted to certificates signed by a given root CA with the field Root.CN. This allows you to have different requirements for different root chains.
The value of a condition must be specified in a form derived from a subset of RFC 4514. Specifically, the "raw" notation (a value starting with the # character) is not accepted. Other escaping mechanisms, including specifying characters by hex notation, are allowed. The specified field's value must exactly match the value in the peer's certificate.
By default, the fields of a peer certificate's DNs are not examined.
In addition to DNs, restrictions can be placed against X509 extensions. They are specified in the same fashion as DN requirements. The supported extensions are:
| Field | Well known name |
|---|---|
subjectAltName |
Subject Alternative Name |
Within a subject alternative name requirement, the value specified is required to have the form prefix:value, where the prefix specifies the type of value being matched against. The following prefixes are supported.
The following operators are supported:
| Operator | Match Type |
|---|---|
= |
Exact Match |
>= |
Prefix Match |
<= |
Suffix Match |
Let's consider a certificate, whose abridged contents is:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 12938646789571341173 (0xb38f4eb406a5eb75)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=California, L=Cupertino, O=Apple Inc., OU=FDB Team
Subject: C=US, ST=California, L=Cupertino, O=Apple Inc., OU=FDB Team
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:test.foundationdb.org
DNS:prod.foundationdb.com
A verification string of:
Check.Unexpired=0,I.C=US,C=US,S.O=Apple Inc.
Would pass, and:
- Skip the check on all peer certificates that the certificate is not yet expired
- Require that the Issuer has a Country field of
US - Require that the Subject has a Country field of
US - Require that the Subject has a Organization field of
Apple Inc.
A verification string of:
S.OU>=FDB,S.OU<=Team,S.subjectAltName=DNS:test.foundationdb.org
Would pass, and:
- Require that the Subject has an Organization field that starts with
FDB - Require that the Subject has an Organization field that ends with
Team - Require that the Subject has a Subject Alternative Name extension, which has one or more members of type DNS with a value of
test.foundationdb.org.
A verification string of:
S.subjectAltName>=DNS:prod.,S.subjectAltName<=DNS:.org
Would pass, and:
- Require that the Subject has a Subject Alternative Name extension, which has one or more members of type DNS that begins with the value
prod.. - Require that the Subject has a Subject Alternative Name extension, which has one or more members of type DNS that ends with the value
.com.