dubey/kat
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

feat: modify TLS config to allow initial node join without client certificate

Browse Source
This commit is contained in:
Tanishq Dubey 2025-05-17 12:32:26 -04:00
parent 4f7c2d6a66
commit c07f389996
No known key found for this signature in database
GPG Key ID: CFC1931B84DFC3F9
2 changed files with 26 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
cmd/kat-agent/main.go
View File

@ -251,6 +251,13 @@ func runInit(cmd *cobra.Command, args []string) {
apiServer.RegisterJoinHandler(func(w http.ResponseWriter, r *http.Request) { apiServer.RegisterJoinHandler(func(w http.ResponseWriter, r *http.Request) {
log.Printf("Received join request from %s", r.RemoteAddr) log.Printf("Received join request from %s", r.RemoteAddr)
// Check if this is a secure connection with client cert
if r.TLS != nil && len(r.TLS.PeerCertificates) > 0 {
log.Printf("Client provided certificate with CN: %s", r.TLS.PeerCertificates[0].Subject.CommonName)
} else {
log.Printf("Client did not provide a certificate - this is expected for initial join")
}
// Read request body // Read request body
var joinReq cli.JoinRequest var joinReq cli.JoinRequest
if err := json.NewDecoder(r.Body).Decode(&joinReq); err != nil { if err := json.NewDecoder(r.Body).Decode(&joinReq); err != nil {

21
internal/api/server.go
View File

@ -8,6 +8,7 @@ import (
"log" "log"
"net/http" "net/http"
"os" "os"
"strings"
"time" "time"
) )
@ -105,12 +106,28 @@ func (s *Server) Start() error {
return fmt.Errorf("failed to append CA certificate to pool") return fmt.Errorf("failed to append CA certificate to pool")
} }
// Configure TLS // Configure TLS with GetConfigForClient to allow join endpoint without client cert
s.httpServer.TLSConfig = &tls.Config{ s.httpServer.TLSConfig = &tls.Config{
Certificates: []tls.Certificate{cert}, Certificates: []tls.Certificate{cert},
ClientAuth: tls.RequireAndVerifyClientCert, ClientAuth: tls.RequireAndVerifyClientCert, // Default, but will be overridden for join endpoint
ClientCAs: caCertPool, ClientCAs: caCertPool,
MinVersion: tls.VersionTLS12, MinVersion: tls.VersionTLS12,
GetConfigForClient: func(hello *tls.ClientHelloInfo) (*tls.Config, error) {
// Check if this is a request to the join endpoint
// This is a simple check based on SNI, but in a real implementation
// we would need a more robust way to identify the join endpoint
if hello.ServerName == "" && strings.HasPrefix(hello.Conn.RemoteAddr().String(), "127.0.0.1:") {
// For local connections, assume it might be a join request and don't require client cert
return &tls.Config{
Certificates: []tls.Certificate{cert},
ClientAuth: tls.RequestClientCert, // Request but don't require
ClientCAs: caCertPool,
MinVersion: tls.VersionTLS12,
}, nil
}
// For all other requests, use the default config (require client cert)
return nil, nil
},
} }
log.Printf("Server configured with TLS, starting to listen for requests") log.Printf("Server configured with TLS, starting to listen for requests")