Sensu-go: Improve validation around CA certificate

Created on 7 Nov 2018  路  2Comments  路  Source: sensu/sensu-go

CA certificates provided to the agent (and possibly other components) are not properly validated, since they need to be in the PEM format.

1) We need to verify the boolean value returned by AppendCertsFromPEM: https://github.com/sensu/sensu-go/blob/be7ea1d67eb990cfb0373d11882d34a375bb9190/types/tls.go#L55
2) The agent accepts a TLS config (https://github.com/sensu/sensu-go/blob/be7ea1d67eb990cfb0373d11882d34a375bb9190/agent/config.go#L88) but it's not possible to specify it through the sensu-agent flags
3) We need to make sure the documentation specifies that only certificates in PEM format are accepted.

bug

Most helpful comment

@cwjohnston: After investigation, I'm putting the work for sensuctl in a separate issue. See #2541. Everything mentioned by @palourde in the original issue will be part of 5.0.2 though.

After working on this, I also plan to open a more general TLS ticket to address some higher level issues.

All 2 comments

We also need to support specifying a trusted CA cert for sensuctl via flags and/or configuration file

@cwjohnston: After investigation, I'm putting the work for sensuctl in a separate issue. See #2541. Everything mentioned by @palourde in the original issue will be part of 5.0.2 though.

After working on this, I also plan to open a more general TLS ticket to address some higher level issues.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

palourde picture palourde  路  3Comments

echlebek picture echlebek  路  3Comments

palourde picture palourde  路  5Comments

grepory picture grepory  路  5Comments

amdprophet picture amdprophet  路  4Comments