Commit
Add X.509 certificate authentication to reflector
Support for X.509 certificate handling and TLS encryption has been added to SvxLink/Async. That is used to authenticate as well as encrypt connections to the SvxReflector server. The TCP connection is encrypted using TLS and the UDP connection is encrypted using a custom shared key scheme. The cipher used by default is AES128 GCM. The implementation is based on OpenSSL. Both the server and the client require authentication. The AUTH_KEY authentication method that was previously used is deprecated.

The certificate generation process is mostly automated. The contents of the certificate can be customized using the configuration variables with name prefix CERT_. Default values are good in most cases. CERT_EMAIL may be good to specify so that the SvxLink node owner can be contacted. Ask the reflector sysop what the convention is.

The reflector server needs to be updated to use this version of SvxLink on a reflector client. If the server is older and only supports the version 2 protocol, you must use TYPE=ReflectorV2 in the ReflectorLogic config.

All PKI (Public Key Infrastructure) files will be stored in the directory given by the CERT_PKI_DIR configuration variable. The path defaults to something like /var/lib/svxlink/pki but the exact default path depends on build configuration. In any case, that path needs to be created and made writable for SvxLink. That should be done automatically by "make install".

Signing client certificates is done on the reflector server via a PTY command (e.g. echo CA SIGN SM0XYZ >/dev/shm/reflector_ctrl). There are more subcommands for listing and removing certificates/CSRs but those have not been fully implemented yet. However, those operations can be performed using standard OS utilities like 'ls' and 'rm' within the PKI subdirectory.
In short, this is how to implement the new authentication scheme in a reflector network:

- Update the reflector server
- Ensure that COMMAND_PTY is set up in the reflector config
- Set up SERVER_CERT/COMMON_NAME to be the public hostname of the reflector server
- When the reflector server starts it will generate a CA root certificate, an issuing (signing) certificate and a signed server certificate for the reflector server. The root certificate will be used as the CA bundle by default.
- Update reflector clients
- When the client starts it will generate a private key and a CSR (certificate signing request)
- When the client connects to the server it will download the CA bundle and send the CSR to the reflector server
- The reflector sysop uses the "CA SIGN callsign" command to sign the CSR, creating a certificate
- The signed certificate will be sent to the client
- The client will reconnect using the signed client certificate
- The reflector sysop can now remove the specific user configuration for that client in the reflector

Both older clients and updated clients will be able to connect to the updated reflector. AUTH_KEY will still work for both old and updated clients.

Building SvxLink requires a new dependency on OpenSSL so the development package for that library needs to be installed (e.g. install package libssl-dev if on a Debian based distro).
These are some features of the new implementation:

- TLS encryption implemented in the Async::TcpConnection class
- Subject Alternative Name support
- Client checks remote host name of reflector server
- New classes: Async::Digest, Async::SslKeypair, Async::SslCertSigningReq, Async::SslContext, Async::X509, Async::X509Extensions, Async::X509ExtSubjectAltName
- Send signed CA bundle to client if requested
- Add SSL to the AsyncHttpServer_demo
- Intermediate signing cert support
- OpenSSL 1.1.0l compatibility
- The reflector server uses CN in the cert as callsign
- The CSR CN is checked so that it really looks like a callsign
- Ensure that the public key is the same for an updated CSR
- Create the PKI subdirectory with "make install"
- UDP encryption
- Reflector server sends signed certificate to client
- The reflector client autogenerates key and CSR

And also some other fixes:

- Don't show unauthenticated nodes in HTTP /status
- Better info message for client side reflector protocol downgrade
- Implement more robust protocol version negotiation in reflector
- Bugfix in TcpConnection constructor
- Support connecting v3 client to v2 server through the new ReflectorV2 logic plugin
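As an added example (not SvxLink code), the script below shows a sysop-side pre-check of a client CSR before issuing "CA SIGN <callsign>", mirroring two checks the commit message lists: the CSR CN must look like a callsign, and a re-submitted CSR must carry the same public key as the one already on file. The callsign pattern, the `check_csr`/`csr_cn`/`same_pubkey` helpers, the file names and the sample CSRs are assumptions made for this example; only the `openssl` CLI is required.

```shell
#!/bin/sh
# Added example, not part of SvxLink: pre-check a client CSR before signing.
set -eu

# Print the CN of a PEM CSR (first CN only; empty if none).
csr_cn() {
  openssl req -in "$1" -noout -subject -nameopt sep_multiline 2>/dev/null \
    | sed -n 's/^ *CN *= *//p' | head -n 1
}

# Return 0 if $1 looks like an amateur radio callsign. Assumed pattern:
# 1-3 alphanumeric prefix, one digit, 1-4 letter suffix (e.g. SM0XYZ).
looks_like_callsign() {
  printf '%s\n' "$1" | grep -Eq '^[A-Z0-9]{1,3}[0-9][A-Z]{1,4}$'
}

# Return 0 if two CSRs carry the same public key (SHA-256 over DER SPKI).
same_pubkey() {
  a=$(openssl req -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  b=$(openssl req -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  [ "$a" = "$b" ]
}

# check_csr NEW.csr [EXISTING.csr]: 0 = ok to sign, 1 = CN is not a
# callsign, 2 = public key differs from the CSR already on file.
check_csr() {
  new=$1; old=${2:-}
  cn=$(csr_cn "$new")
  looks_like_callsign "$cn" || return 1
  if [ -n "$old" ]; then same_pubkey "$new" "$old" || return 2; fi
  return 0
}

# Constructed sample material: two EC keys and four CSRs in a temp dir.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
openssl ecparam -name prime256v1 -genkey -noout -out "$tmp/k1.pem" 2>/dev/null
openssl ecparam -name prime256v1 -genkey -noout -out "$tmp/k2.pem" 2>/dev/null
openssl req -new -key "$tmp/k1.pem" -subj '/CN=SM0XYZ' -out "$tmp/good.csr" 2>/dev/null
openssl req -new -key "$tmp/k1.pem" -subj '/CN=SM0XYZ/emailAddress=op@example.org' -out "$tmp/good2.csr" 2>/dev/null
openssl req -new -key "$tmp/k2.pem" -subj '/CN=SM0XYZ' -out "$tmp/newkey.csr" 2>/dev/null
openssl req -new -key "$tmp/k1.pem" -subj '/CN=reflector.example.org' -out "$tmp/badcn.csr" 2>/dev/null

# Demonstration: the updated CSR keeps the key, so it passes; a CSR with a
# new key for the same callsign, or with a hostname as CN, is rejected.
check_csr "$tmp/good2.csr" "$tmp/good.csr" && echo "OK to sign: $(csr_cn "$tmp/good2.csr")"
check_csr "$tmp/newkey.csr" "$tmp/good.csr" || echo "rejected (rc=$?): key changed"
check_csr "$tmp/badcn.csr" || echo "rejected (rc=$?): CN is not a callsign"
```

A rejected CSR with a changed key is the case worth a second look before signing, since it is indistinguishable on the wire from a legitimate key rollover.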