Verizon Media is trying out this new plugin internally, and plans to open source it in the core TS repo. Below is the README, feedback is welcome.

-------------------------------------------------------------------

Checks that at least one of the names in the client-provided certificate (or in its issuing CA chain) exists in the configured allow list. Otherwise, the TLS handshake fails.
Allow lists are configured in a YAML file containing one or more key-value pairs. Each key is a list of one or more SNI server names, separated by bars (|) or commas (,). The special names <other> and <none> may also appear in these lists. The value for a key is one or more X509 certificate names: a single certificate name can be given as a plain YAML string, and multiple names must be given as a YAML sequence. A certificate name may contain a single asterisk (*) as a wildcard.

The client-provided certificate is allowed if its name, or any name in the signing certificate authority chain, matches one of the names in the value. If the client sends an SNI server name in the handshake, its certificate is matched against the names for the key containing that SNI server name. If the client's SNI server name does not appear in any key, the certificate is matched against the names for <other>. If the client sends no SNI server name, the certificate is matched against the names for <none>. When there are no names to match against (the SNI server name appears in no key and <other> is not configured, there is no SNI server name and <none> is not configured, or the key that matches has an empty value), the certificate is not allowed and the TLS handshake fails. By default there are no names for <none> and <other>, so only SNI server names that are explicitly listed can succeed.

Here is an example YAML file:

=====
# They have no secrets, allow all certs.
wikileaks.org: "*"

# Donuts are for closer certs.
donuts.com: closers.com

# Suspicious SNIs.
wearing-dark-sunglasses.com|fake-beard.com,<other>:
  - nuns.org
  - oprah-winfrey.com

# Very suspicious clients, need a really good cert.
<none>,pineapple-on-pizza.com: god.com

# ATM didn't really fail, it's just reserved for people who don't want to talk
# to losers who use IP (thus no cert names, fail all handshakes with this SNI
# server name).
llluminati.com: ""

aol.com|huffpost.com:
  - aol.com
  - huffpost.com
  - "*.aol.com"
  - "*.huffpost.com"
  - bernie-sanders.*.com
=====

Note that certificate names that start with * must be in double quotes, because an unquoted YAML scalar that starts with * is parsed as a YAML alias rather than as a string.
The path of the YAML config file is given as the one and only plugin parameter. If the path is not absolute, it is relative to the Traffic Server config directory. The file name must have a .yaml extension.

For simple cases, and for compatibility with earlier versions of this plugin, you do not need a YAML configuration file: the allowed certificate names can be given directly as plugin parameters. In that mode every client certificate must match one of these names, regardless of the SNI server name or the absence of one. (You should never use double quotes around any name in this case.)

For versions of OpenSSL prior to 1.1.1e, there are hypothetical handshake scenarios in which the SNI server name is not correctly reported by OpenSSL, but we have not seen these scenarios occur in our production environment.
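The following is an added example, not the plugin's own code: a small Python model of the matching rules described above (SNI key lookup, the <other> and <none> fallbacks, the fail-closed empty value, single-asterisk wildcards, and matching against any name in the issuer chain), with the README's example file embedded as the dict a YAML loader would return for it. Where the README is silent (whether * may span dots, case handling, duplicate SNI names across keys) the choices are marked as assumptions in the comments; `load_allow_list` assumes PyYAML is installed and is only needed if you want to parse the file text itself.

```python
# Added example (not the plugin's own code): a Python model of the allow-list
# semantics in the README, so the rules can be exercised on constructed inputs.
import re
from typing import Dict, List, Optional, Sequence

OTHER = "<other>"
NONE = "<none>"

# The README's example file as a YAML loader would return it (constructed here
# as a dict so the example runs without PyYAML).
EXAMPLE_ALLOW_LIST = {
    "wikileaks.org": "*",
    "donuts.com": "closers.com",
    "wearing-dark-sunglasses.com|fake-beard.com,<other>": ["nuns.org", "oprah-winfrey.com"],
    "<none>,pineapple-on-pizza.com": "god.com",
    "llluminati.com": "",
    "aol.com|huffpost.com": ["aol.com", "huffpost.com", "*.aol.com",
                             "*.huffpost.com", "bernie-sanders.*.com"],
}


def _split_key(key: str) -> List[str]:
    """Keys list SNI server names separated by '|' or ','."""
    return [n.strip() for n in re.split(r"[|,]", key) if n.strip()]


def _as_names(value) -> List[str]:
    """A value is one name (plain string) or several (sequence).

    An empty string (or a key with no value) means "no names": every handshake
    with that SNI server name fails, as in the README's llluminati.com entry.
    """
    if value is None or value == "":
        return []
    if isinstance(value, str):
        return [value]
    return [str(v) for v in value]


def _compile(pattern: str) -> "re.Pattern[str]":
    """Turn a cert name with at most one '*' into an anchored regex.

    Assumption: '*' matches any run of characters, dots included (the README
    does not say whether it is limited to one DNS label), and comparison is
    case-sensitive.
    """
    if pattern.count("*") > 1:
        raise ValueError(f"cert name {pattern!r} has more than one '*'")
    head, star, tail = pattern.partition("*")
    return re.compile(re.escape(head) + (".*" if star else "") + re.escape(tail) + r"\Z")


def build_index(mapping: Dict[str, object]) -> Dict[str, List[str]]:
    """Expand each multi-name key into one entry per SNI server name."""
    index: Dict[str, List[str]] = {}
    for key, value in mapping.items():
        names = _as_names(value)
        for sni in _split_key(key):
            # Assumption: the README does not say how duplicates are handled;
            # this model rejects them rather than silently picking one.
            if sni in index:
                raise ValueError(f"SNI server name {sni!r} appears in more than one key")
            index[sni] = names
    return index


def build_index_from_params(names: Sequence[str]) -> Dict[str, List[str]]:
    """Legacy mode: names given as plugin parameters apply to every handshake."""
    return {OTHER: list(names), NONE: list(names)}


def load_allow_list(text: str) -> Dict[str, List[str]]:
    """Parse YAML text with PyYAML (assumption: it is installed)."""
    import yaml  # third-party; imported lazily so the rest runs without it
    return build_index(yaml.safe_load(text) or {})


def allowed(sni: Optional[str], chain_names: Sequence[str],
            index: Dict[str, List[str]]) -> bool:
    """Decide whether the handshake proceeds.

    chain_names: the client certificate's name first, then the names of the
    issuing CAs up the chain; the README accepts a match on any of them.
    """
    if sni is None:
        patterns = index.get(NONE, [])   # default: no names, so fail
    elif sni in index:
        patterns = index[sni]            # may be [] -> fail, do not fall through
    else:
        patterns = index.get(OTHER, [])  # SNI listed in no key -> <other>
    if not patterns:
        return False
    compiled = [_compile(p) for p in patterns]
    return any(rx.match(name) for name in chain_names for rx in compiled)


if __name__ == "__main__":
    idx = build_index(EXAMPLE_ALLOW_LIST)
    for sni, chain in [("donuts.com", ["closers.com"]),
                       ("unlisted.example", ["nuns.org"]),
                       ("llluminati.com", ["nuns.org"]),
                       (None, ["god.com"])]:
        print(sni, chain, "->", "allow" if allowed(sni, chain, idx) else "reject")
```

The three decision branches in `allowed` are the part worth checking against a real config: an SNI name that is listed with an empty value fails outright and does not fall through to <other>, while an SNI name that is listed nowhere does, so adding a permissive <other> entry widens what every unlisted SNI name accepts.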
