Option to skip device certificate expiry validation in Mender Gateway

Description

A major customer gets its device certificates from its IT department. However, that IT department does not usually issue certificates that last more than 3 years, as per policy. With IoT devices this becomes a challenge because the devices can stay in service for decades, and the customer does not seem to have a way to rotate device certificates (which are stored in hardware, an HSM).

While this is bad security practice, they are asking for an option that lets Mender Gateway (our new mTLS Ambassador) validate device certificates successfully even though they are expired.

Acceptance criteria

  • There is a configuration option in Mender Gateway to allow expired device certificates

  • If this option is enabled, expired device certificates are considered valid, as long as no other certificates are expired (including the CA that signed the device certificate)

  • All other certificate verification is still carried out if this is enabled

  • This can be enabled for specific tenants in Hosted Mender and for specific tenants on on-premise Mender Enterprise

Implementation details

  • Lower the tls.Config.ClientAuth level to tls.RequireAnyClientCert

    • NOTE: This will skip any actual client certificate verification checks

  • Implement tls.Config.VerifyPeerCertificate to perform the certificate verification checks (mirroring what crypto/tls does itself)

    • The raw certificates need to be parsed again.

    • Use the NotAfter field of the parsed client certificate (the first in the chain) to override x509.VerifyOptions.CurrentTime

    • NOTE: The verifiedChains argument will be nil because verification was skipped
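
An added Go example (not Mender Gateway's own code) of the approach outlined above: ClientAuth is assumed to be lowered to tls.RequireAnyClientCert, and a VerifyPeerCertificate callback re-parses rawCerts, moves CurrentTime back to the device certificate's NotAfter only when the option is enabled and the certificate is past it, and still runs every other check (signature, chain to a trusted root, EKU). It goes one step beyond the bullet list: because the shifted CurrentTime also shifts the instant at which the issuers are checked, the callback re-checks every non-leaf certificate against the real clock so that an expired CA is still rejected, as the acceptance criteria require. The CA, the device certificate, the fixed clock and the scenario function are constructed fixtures; newVerifier, issue and scenario are names chosen here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// newVerifier builds a tls.Config.VerifyPeerCertificate callback. With ClientAuth lowered to
// tls.RequireAnyClientCert, crypto/tls only checks that a certificate was sent (so rawCerts is
// never empty here) and passes verifiedChains as nil; all verification happens in this callback.
func newVerifier(roots *x509.CertPool, allowExpiredLeaf bool, now func() time.Time) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		certs := make([]*x509.Certificate, 0, len(rawCerts))
		for _, raw := range rawCerts {
			c, err := x509.ParseCertificate(raw)
			if err != nil {
				return err
			}
			certs = append(certs, c)
		}
		leaf, intermediates := certs[0], x509.NewCertPool()
		for _, c := range certs[1:] {
			intermediates.AddCert(c)
		}
		wallClock := now()
		verifyAt := wallClock
		// Option on and device certificate past NotAfter: verify as of NotAfter instead.
		// Signature, trust-chain and EKU checks still run unchanged against that instant.
		if allowExpiredLeaf && wallClock.After(leaf.NotAfter) {
			verifyAt = leaf.NotAfter
		}
		chains, err := leaf.Verify(x509.VerifyOptions{
			Roots: roots, Intermediates: intermediates, CurrentTime: verifyAt,
			KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		})
		if err != nil {
			return err
		}
		// Moving CurrentTime back also moved the instant at which the issuers were checked,
		// so every non-leaf certificate is re-checked against the real clock here.
		for _, chain := range chains {
			ok := true
			for _, c := range chain[1:] {
				ok = ok && !wallClock.Before(c.NotBefore) && !wallClock.After(c.NotAfter)
			}
			if ok {
				return nil
			}
		}
		return errors.New("no chain whose issuing certificates are currently valid")
	}
}

var fixedNow = time.Date(2030, 1, 1, 0, 0, 0, 0, time.UTC) // constructed wall clock for the scenarios

// issue is fixture code: it signs template with parent (self-signed when parent is nil).
func issue(template, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = template, key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // CreateCertificate output always parses
	return cert, key
}

// scenario builds a constructed CA and device certificate (each expired before fixedNow when its
// flag is set; untrusted signs the device certificate with a CA outside the root pool) and verifies.
func scenario(caExpired, leafExpired, untrusted, allowExpiredLeaf bool) error {
	end := map[bool]time.Time{true: fixedNow.Add(-24 * time.Hour), false: fixedNow.Add(365 * 24 * time.Hour)}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Device CA"},
		NotBefore: fixedNow.Add(-10 * 365 * 24 * time.Hour), NotAfter: end[caExpired],
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	signer, signerKey := issue(caTmpl, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(signer)
	if untrusted { // swap in a look-alike CA that the gateway does not trust
		other := *caTmpl
		other.SerialNumber, other.Subject = big.NewInt(2), pkix.Name{CommonName: "Constructed Other CA"}
		signer, signerKey = issue(&other, nil, nil)
	}
	leaf, _ := issue(&x509.Certificate{
		SerialNumber: big.NewInt(100), Subject: pkix.Name{CommonName: "device-0001"},
		NotBefore: fixedNow.Add(-3 * 365 * 24 * time.Hour), NotAfter: end[leafExpired],
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, signer, signerKey)
	return newVerifier(roots, allowExpiredLeaf, func() time.Time { return fixedNow })([][]byte{leaf.Raw}, nil)
}
```

Calling scenario with the four flags covers the cases the acceptance criteria name: a valid device certificate and an expired one with the option on both return nil; an expired device certificate with the option off, an expired CA, and a device certificate from an untrusted CA all return an error even with the option on. The re-check against the real clock is what keeps the "no other certificate is expired" criterion true once CurrentTime has been moved back.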

Affects versions

None

Environment

None

Activity


eystein.maloy.stenberg, June 28, 2024 at 11:16 PM

Okay, thanks for being so quick, but I didn’t expect you to actually implement it too 🙂

This was just a proposal to a customer and they should pay for it if they wanted it enough. But now that you’ve already done it, let’s just complete.

Alf-Rune Siqveland, June 28, 2024 at 1:02 PM

Peter Grzybowski, June 28, 2024 at 9:44 AM

5SP is ok for me. We need to check the error from the validation and if it is only “certificate expired” then we act. My only problem is: I am unsure how much of the other checks are passed/performed when the certificate is expired – this can lead to security holes.

Alf-Rune Siqveland, June 28, 2024 at 9:26 AM

Yes, I asked the backend team to look at it and 5SP seems like a reasonable estimate.

We should be very clear about this being an insecure option since this will forever keep compromised certificates valid.

eystein.maloy.stenberg, June 27, 2024 at 7:48 PM

Just to confirm, the complete estimate is 5 SP?

Fixed

Details

Days in progress: 0
Sprint: Backlog

Created June 25, 2024 at 10:01 PM
Updated July 1, 2024 at 5:39 PM
Resolved July 1, 2024 at 2:15 PM
