Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[CORE-8654] Add flag to re-enable TLS client renegotiation #24772

Open
wants to merge 4 commits into
base: dev
Choose a base branch
from
Open

[CORE-8654] Add flag to re-enable TLS client renegotiation #24772

wants to merge 4 commits into from
+72 −8

Conversation

michael-redpanda
Copy link
Contributor

This PR adds a new tunable flag tls_enable_renegotiation. This flag is used to re-enable TLS client initiated renegotiation which, by default is disabled.

Customers should avoid enabling this flag unless absolutely necessary.

Other than this PR, there will be no further public documentation about this flag.

Backports Required

  • none - not a bug fix
  • none - this is a backport
  • none - issue does not exist in previous branches
  • none - papercut/not impactful enough to backport
  • v24.3.x
  • v24.2.x
  • v24.1.x

Release Notes

  • None

@michael-redpanda
bazel: Updated seastar ref
0b5e13d 
Updated to version of Seastar that disables TLS renegotiation by
default.

Signed-off-by: Michael Boquard <michael@redpanda.com>
@michael-redpanda michael-redpanda requested a review from a team January 10, 2025 13:19
@michael-redpanda michael-redpanda self-assigned this Jan 10, 2025
@michael-redpanda michael-redpanda requested review from IoannisRP and a team and removed request for a team and IoannisRP January 10, 2025 13:19
@michael-redpanda michael-redpanda requested a review from a team as a code owner January 10, 2025 13:19
@michael-redpanda michael-redpanda requested review from aanthony-rp and removed request for a team January 10, 2025 13:19
BenPope
BenPope previously approved these changes Jan 10, 2025
View reviewed changes
Copy link
Member

@BenPope BenPope left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

tests/rptest/tests/tls_version_test.py Outdated Show resolved Hide resolved
tests/rptest/tests/tls_version_test.py Outdated Show resolved Hide resolved
@vbotbuildovich
Copy link
Collaborator

Retry command for Build#60590

please wait until all jobs are finished before running the slash command

/ci-repeat 1
tests/rptest/tests/tiered_storage_model_test.py::TieredStorageTest.test_tiered_storage@{"cloud_storage_type_and_url_style":[2,"virtual_host"],"test_case":{"name":"(TS_Read == True, SegmentRolledByTimeout == True)"}}

pgellert
pgellert reviewed Jan 10, 2025
View reviewed changes
tests/rptest/tests/tls_version_test.py Outdated Show resolved Hide resolved
tests/rptest/tests/tls_version_test.py Outdated Show resolved Hide resolved
@vbotbuildovich
Copy link
Collaborator

vbotbuildovich commented Jan 10, 2025
edited
Loading

CI test results

test results on build#60590
test_id test_kind job_url test_status passed
rm_stm_tests_rpunit.rm_stm_tests_rpunit unit https://buildkite.com/redpanda/redpanda/builds/60590#0194505f-b371-45ba-a89f-0aca3e9583af FLAKY 1/2
rm_stm_tests_rpunit.rm_stm_tests_rpunit unit https://buildkite.com/redpanda/redpanda/builds/60590#0194505f-b372-4f0d-8b0d-94490222edfa FLAKY 1/2
rptest.tests.compaction_recovery_test.CompactionRecoveryUpgradeTest.test_index_recovery_after_upgrade ducktape https://buildkite.com/redpanda/redpanda/builds/60590#019450a8-07c2-45ab-8de6-a9e3fc794268 FLAKY 5/6
rptest.tests.tiered_storage_model_test.TieredStorageTest.test_tiered_storage.cloud_storage_type_and_url_style=.CloudStorageType.ABS.2.virtual_host.test_case=.TS_Read==True.SegmentRolledByTimeout==True ducktape https://buildkite.com/redpanda/redpanda/builds/60590#019450ac-2c65-4b00-ab03-d3d2590bff4b FAIL 0/1
test results on build#60611
test_id test_kind job_url test_status passed
rptest.tests.tls_version_test.TLSRenegotiationTest.test_tls_renegotiation.enable_renegotiation=True ducktape https://buildkite.com/redpanda/redpanda/builds/60611#01945253-b074-40b1-b13c-5727235c065f FAIL 0/1
rptest.tests.tls_version_test.TLSRenegotiationTest.test_tls_renegotiation.enable_renegotiation=True ducktape https://buildkite.com/redpanda/redpanda/builds/60611#0194525c-196e-4af8-8e64-991ae8750448 FAIL 0/1

Deflaimun
Deflaimun reviewed Jan 10, 2025
View reviewed changes
src/v/config/configuration.cc Outdated
"TLS client renegotiation was removed in TLSv1.3 due to vulnerabilities "
"found in the protocol. By default, this is disabled for TLSv1.2 and "
"below. It can be re-enabled by setting this property to true and "
"restarting Redpanda. This is considered unsafe.",
Copy link
Contributor

@Deflaimun Deflaimun Jan 10, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if this is unsafe/bad practice, in which scenarios would the users need to enable this flag? We should add this possibility here.

backwards compatibility with legacy systems?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Correct - in case their TLS client for some reason just will not work if it can't perform a client initiated TLS renegotiation. I can't think of any that exist and this is more of an escape hatch just in case.

Deflaimun
Deflaimun reviewed Jan 10, 2025
View reviewed changes
src/v/config/configuration.cc Outdated
Comment on lines 3665 to 3668
"TLS client renegotiation was removed in TLSv1.3 due to vulnerabilities "
"found in the protocol. By default, this is disabled for TLSv1.2 and "
"below. It can be re-enabled by setting this property to true and "
"restarting Redpanda. This is considered unsafe.",
Copy link
Contributor

@Deflaimun Deflaimun Jan 10, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
"TLS client renegotiation was removed in TLSv1.3 due to vulnerabilities "
"found in the protocol. By default, this is disabled for TLSv1.2 and "
"below. It can be re-enabled by setting this property to true and "
"restarting Redpanda. This is considered unsafe.",
"TLS client renegotiation, removed in TLSv1.3 due to vulnerabilities "
"in the protocol, is disabled for TLSv1.2 and earlier. "
"It can be re-enabled by setting this property to true and "
"restarting Redpanda. This is considered unsafe.",

@michael-redpanda michael-redpanda force-pushed the tls-renegotiation/core-8654/cluster-config-tls-reneg branch from acc9670 to d008988 Compare January 10, 2025 18:44
@michael-redpanda
Copy link
Contributor Author

Force push d008988:

  • Addressed PR comments

pgellert
pgellert previously approved these changes Jan 10, 2025
View reviewed changes
kbatuigas
kbatuigas reviewed Jan 10, 2025
View reviewed changes
src/v/config/configuration.cc Outdated
, tls_enable_renegotiation(
*this,
"tls_enable_renegotiation",
"TLS client initiated renegotiation is considered unsafe and is by "
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
"TLS client initiated renegotiation is considered unsafe and is by "
"TLS client-initiated renegotiation is considered unsafe and is by "

kbatuigas
kbatuigas reviewed Jan 10, 2025
View reviewed changes
src/v/config/configuration.cc Outdated
"tls_enable_renegotiation",
"TLS client initiated renegotiation is considered unsafe and is by "
"default disabled. Only re-enable it if you are experiencing issues "
"with your TLS enabled client. This option has no effect on TLSv1.3 "
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
"with your TLS enabled client. This option has no effect on TLSv1.3 "
"with your TLS-enabled client. This option has no effect on TLSv1.3 "

kbatuigas
kbatuigas reviewed Jan 10, 2025
View reviewed changes
src/v/config/configuration.cc Outdated
"TLS client initiated renegotiation is considered unsafe and is by "
"default disabled. Only re-enable it if you are experiencing issues "
"with your TLS enabled client. This option has no effect on TLSv1.3 "
"connections as client initiated renegotiation was removed.",
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
"connections as client initiated renegotiation was removed.",
"connections as client-initiated renegotiation was removed.",

@michael-redpanda
config: Added tls_enable_renegotiation
2e71f57 
New config that can be used to re-enable TLS renegotiation if a client
absolutely needs that enabled.  Has no effect on TLSv1.3 connections.

Signed-off-by: Michael Boquard <michael@redpanda.com>
@michael-redpanda
tls: Use new tls_enable_renegotiation config
d10ed83 
Signed-off-by: Michael Boquard <michael@redpanda.com>
@michael-redpanda
dt/tls: Added tests to validate renegotiation
6667f45 
Signed-off-by: Michael Boquard <michael@redpanda.com>
@michael-redpanda michael-redpanda force-pushed the tls-renegotiation/core-8654/cluster-config-tls-reneg branch from d008988 to 6667f45 Compare January 10, 2025 20:52
@michael-redpanda
Copy link
Contributor Author

Force push 6667f45:

  • Updated wording of config

@vbotbuildovich
Copy link
Collaborator

vbotbuildovich commented Jan 10, 2025
edited
Loading

Retry command for Build#60611

please wait until all jobs are finished before running the slash command


/ci-repeat 1
tests/rptest/tests/tls_version_test.py::TLSRenegotiationTest.test_tls_renegotiation@{"enable_renegotiation":true}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aanthony-rp aanthony-rp Awaiting requested review from aanthony-rp aanthony-rp was automatically assigned from redpanda-data/core-enterprise

@IoannisRP IoannisRP Awaiting requested review from IoannisRP

@BenPope BenPope Awaiting requested review from BenPope

@Deflaimun Deflaimun Awaiting requested review from Deflaimun

@pgellert pgellert Awaiting requested review from pgellert

@kbatuigas kbatuigas Awaiting requested review from kbatuigas

At least 1 approving review is required to merge this pull request.

Assignees

@michael-redpanda michael-redpanda

Labels
area/build area/redpanda
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@michael-redpanda @vbotbuildovich @BenPope @Deflaimun @pgellert @kbatuigas