It’s funny what you can find when you start digging around in source code. This might become a regular column on the EITR Blog if I keep finding interesting things like this…
It’s like TLS… but Mutual
A few weeks ago, I was looking at the level of effort involved in adding a feature to Salt Project which would allow retrieving files from web servers secured with Mutual TLS (mTLS).

Salt can handle web sources just fine in states like archive.extracted, as shown below:

```yaml
get_important_file:
  file.managed:
    - name: /var/tmp/so_important.txt
    - source: https://docs.eitr.tech/stuff/important.txt
    - use_etag: True

install_cool_thing:
  archive.extracted:
    - name: /opt/awesome
    - source: https://repo.eitr.tech/apps/superawesome-1.0.0.tar.gz
    - use_etag: True
```
…but what if those files are sensitive? Or maybe you just want to increase the security of your file delivery mechanisms. Well, there isn’t a way to provide a client certificate and key directly to as state parameters. However, it seems there is an undocumented feature nestled down in the http.query utility that allows the desired behavior in archive.extracted, and potentially other states as well.
So Much Mutual-ness! Mutual-ality? Mutual… osity.
The http utility will attempt to pull the cert key from the minion configuration and use that as a client certificate and key if none is provided to the function directly… which it isn’t in the case of the aforementioned states, since you can’t pass it directly as a parameter at this time. The value of the cert key is expected to be a list where the first item is the path to the certificate and the second item is the path to the key. Assuming your Certificate Authority (CA) trust chains are loaded system-wide, that’s all you need. If you do need to supply the CA bundle, set the ca_bundle minion configuration option.
So, we’d end up with a new minion configuration that looked something like this:
```yaml
# /etc/salt/minion.d/mtls.conf
cert:
  - /etc/ssl/certs/srv.crt
  - /etc/ssl/private/srv.key

# optional
ca_bundle: /etc/ssl/certs/ca-certificates.crt
```
Pretty cool! Now our minion can provide its TLS certificate to the web server when it attempts to retrieve our super important, awesome files and the server can verify that the system is allowed to grab them.
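To make the fallback concrete, here is an added example (my own illustration, not code from Salt or from the original post) that does what the post describes the http utility doing: if no client certificate is handed in directly, it takes the cert list and the optional ca_bundle from the loaded minion options and turns them into the cert/verify arguments an HTTPS client expects. It also adds the two checks I would want before a minion starts presenting a key: the cert value really is a two-item list, and the private key is not readable by other local users. Everything here is an assumption for illustration: the opts dict stands in for the loaded minion config, the returned keyword arguments follow the requests convention (cert=(crt, key), verify=path-or-True), and the demo writes placeholder files in a temp directory rather than real PEM material.

```python
"""Added example, not Salt's own code: mirror the minion-config fallback for
mTLS client certificates and validate the configuration before use."""
import os
import stat
import tempfile


def mtls_kwargs_from_opts(opts, cert=None, check_files=True):
    """Return {"cert": (crt, key) or None, "verify": ca_bundle or True}.

    ``cert`` is what a state *could* pass directly; when it is None we fall back
    to the minion's ``cert`` option, as the post describes.  ``verify`` is the
    ``ca_bundle`` path when set, otherwise True (system-wide trust store).
    The argument shape is the ``requests`` convention (an assumption here).
    """
    if cert is None:
        cert = opts.get("cert")
    client_cert = None
    if cert is not None:
        # The post documents a two-item list: [certificate path, key path].
        if not isinstance(cert, (list, tuple)) or len(cert) != 2:
            raise ValueError("cert must be a list of [cert_path, key_path]")
        crt_path, key_path = (str(p) for p in cert)
        if check_files:
            for path in (crt_path, key_path):
                if not os.path.isfile(path):
                    raise FileNotFoundError(path)
            _assert_private_key_is_private(key_path)
        client_cert = (crt_path, key_path)
    ca_bundle = opts.get("ca_bundle")
    if check_files and ca_bundle is not None and not os.path.isfile(ca_bundle):
        raise FileNotFoundError(ca_bundle)
    return {"cert": client_cert, "verify": ca_bundle if ca_bundle else True}


def _assert_private_key_is_private(key_path):
    """Refuse a key readable by group or others: the minion usually runs as
    root, but a world-readable key lets any local user impersonate the minion
    to the web server that trusts its certificate."""
    mode = stat.S_IMODE(os.stat(key_path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{key_path} is readable by others (mode {mode:o})")


def demo():
    """Exercise the fallback with constructed files (placeholders, not real PEM)."""
    workdir = tempfile.mkdtemp(prefix="mtls-demo-")
    crt = os.path.join(workdir, "srv.crt")
    key = os.path.join(workdir, "srv.key")
    ca = os.path.join(workdir, "ca-certificates.crt")
    for path in (crt, key, ca):
        with open(path, "w") as fh:
            fh.write("-----BEGIN PLACEHOLDER-----\n")  # constructed content
    os.chmod(key, 0o600)

    # Mirrors the post's /etc/salt/minion.d/mtls.conf after loading.
    opts = {"cert": [crt, key], "ca_bundle": ca}
    fallback = mtls_kwargs_from_opts(opts)                  # nothing passed in
    explicit = mtls_kwargs_from_opts(opts, cert=[crt, key])  # state passed it

    # A key that other users can read should be rejected, not silently used.
    os.chmod(key, 0o644)
    try:
        mtls_kwargs_from_opts(opts)
        leaky_key_rejected = False
    except PermissionError:
        leaky_key_rejected = True
    os.chmod(key, 0o600)

    # A bare string instead of the documented two-item list is a config error.
    try:
        mtls_kwargs_from_opts({"cert": "/only/one/file.pem"}, check_files=False)
        bad_shape_rejected = False
    except ValueError:
        bad_shape_rejected = True

    # No cert and no ca_bundle: plain HTTPS with the system trust store.
    no_cert = mtls_kwargs_from_opts({})

    return {
        "fallback_cert": fallback["cert"],
        "fallback_verify": fallback["verify"],
        "explicit_equals_fallback": explicit == fallback,
        "leaky_key_rejected": leaky_key_rejected,
        "bad_shape_rejected": bad_shape_rejected,
        "no_cert_uses_system_trust": no_cert == {"cert": None, "verify": True},
    }


if __name__ == "__main__":
    print(demo())
```

The permission check is the part worth keeping even if you never touch the rest: the whole point of the feature is that the web server trusts whoever presents that key, so the key's file mode decides who can pose as the minion.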
Stay Mutual, San Diego
Well… that’s all for that undocumented feature. I hope you found it useful. If you’re interested in other Salt use cases with mTLS, you should check out this Cloudflare Blog post where they announce that an mTLS-based transport system is on the way!
Nicholas Hughes helps businesses integrate cloud and cybersecurity automation into their IT lifecycle processes in order to amplify the efforts of the existing workforce, prevent employee burnout, and free them to do the more important tasks that might be currently neglected. As part of his daily duties as a founding partner and CEO of EITR Technologies LLC., he’s responsible for all of those super awesome elements of the CEO job that you read about as a kid, like setting the strategic direction of the company and modeling corporate values. Additionally, Nick still performs technical consulting work with specializations in Automation & Orchestration, Cloud Infrastructure, Cloud Security, and Systems Architecture. He has nearly 20 years of experience in a wide breadth of roles within Information Technology, which is invaluable to clients seeking comprehensive technical solutions to business problems. Nick highly values pragmatism, logical thinking, and integrity in both his business and personal life… which is a decidedly boring set of core values that reap great results when applied to the task at hand. He also has a wonderful wife and two boys who keep him on his toes.