Transport Layer Security

Introduction

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are protocols designed to provide communication security over public networks. Users exchange a symmetric session key that is used to encrypt data exchanged between the parties.

By default, a FoundationDB cluster uses unencrypted connections among client and server processes. This document describes the Transport Layer Security (TLS) capabilities of FoundationDB, which enable security and authentication through a public/private key infrastructure. TLS is compiled into each FoundationDB binary. This document will describe the basic TLS capabilities of FoundationDB and document its implementation, which is based on LibreSSL. TLS-enabled servers will only communicate with other TLS-enabled servers and TLS-enabled clients. Therefore, a cluster’s machines must all enable TLS in order for TLS to be used.

Setting Up FoundationDB to use TLS

Enabling TLS in a new cluster

To set a new cluster to use TLS, use the -t flag on make_public.py:

user@host1$ sudo /usr/lib/foundationdb/make_public.py -t
/etc/foundationdb/fdb.cluster is now using address 10.0.1.1 (TLS enabled)

This will configure the new cluster to communicate with TLS.

Note

Depending on your operating system, version and configuration, there may be a firewall in place that prevents external access to certain ports. If necessary, please consult the appropriate documentation for your OS and ensure that all machines in your cluster can reach the ports configured in your configuration file.

Converting an existing cluster to use TLS

Enabling TLS on an existing (non-TLS) cluster cannot be accomplished without downtime because all processes must have TLS enabled to communicate. At startup, each server process enables TLS if the addresses in its cluster file are TLS-enabled. As a result, server processes must be stopped and restarted to convert them to use TLS. To convert the cluster to TLS in the most conservative way:

  1. Stop all FoundationDB clients and server processes in the cluster.
  2. Change all cluster files to have the :tls suffix for each coordinator.
  3. Restart the cluster and the clients.

Configuring TLS

The operation of TLS is configured through five settings. These settings can be provided as command-line options, client options, or environment variables, and are named as follows:

Command-line Option Client Option Environment Variable Purpose
tls_certificate_file TLS_cert_path FDB_TLS_CERTIFICATE_FILE Path to the file from which the local certificates can be loaded
tls_key_file TLS_key_path FDB_TLS_KEY_FILE Path to the file from which to load the private key
tls_verify_peers TLS_verify_peers FDB_TLS_VERIFY_PEERS The byte-string for the verification of peer certificates and sessions
tls_password TLS_password FDB_TLS_PASSWORD The byte-string representing the passcode for unencrypting the private key
tls_ca_file TLS_ca_path FDB_TLS_CA_FILE Path to the file containing the CA certificates to trust

The value for each setting can be specified in more than one way. The actual valued used is determined in the following order:

  1. An explicitly specified value as a command-line option or client option, if one is given;
  2. The value of the environment variable, if one has been set;
  3. The default value

As with all other command-line options to fdbserver, the TLS settings can be specified in the [fdbserver] section of the configuration file.

The settings for certificate file, key file, peer verification, password and CA file are interpreted by the software.

Default Values

Certificate file default location

The default behavior when the certificate or key file is not specified is to look for a file named fdb.pem in the current working directory. If this file is not present, an attempt is made to load a file from a system-dependent location as follows:

  • Linux: /etc/foundationdb/fdb.pem
  • macOS: /usr/local/etc/foundationdb/fdb.pem
  • Windows: C:\ProgramData\foundationdb\fdb.pem

Default Peer Verification

The default peer verification is Check.Valid=1.

Default Password

There is no default password. If no password is specified, it is assumed that the private key is unencrypted.

Parameters and client bindings

The default LibreSSL-based implementation

FoundationDB offers TLS based on the LibreSSL library. By default, it will be enabled automatically when participating in a TLS-enabled cluster.

For TLS to operate, each process (both server and client) must have an X509 certificate, its corresponding private key, and the certificates with which it was signed. When a process begins to communicate with a FoundationDB server process, the peer’s certificate is checked to see if it is trusted and the fields of the peer certificate are verified. Peers must share the same root trusted certificate, and they must both present certificates whose signing chain includes this root certificate.

If the local certificate and chain is invalid, a FoundationDB server process bound to a TLS address will not start. In the case of invalid certificates on a client, the client will be able to start but will be unable to connect any TLS-enabled cluster.

Formats

LibreSSL can read certificates and their private keys in base64-encoded DER-formatted X.509 format (which is known as PEM). A PEM file can contain both certificates and a private key or the two can be stored in separate files.

Required files

A single file can contain the information as described in both of the following sections.

The certificate file

A file must be supplied that contains an ordered list of certificates. The first certificate is the process’ own certificate. Each following certificate must sign the one preceding it.

All but the last certificate are provided to peers during TLS handshake as the certificate chain.

The last certificate in the list is the trusted certificate.

Note

If the certificate list contains only one certificate, that certificate must be self-signed and will be used as both the certificate chain and the trusted certificate.

Each of these certificates must be in the form:

--------BEGIN CERTIFICATE--------
xxxxxxxxxxxxxxx
--------END CERTIFICATE--------

The key file

The key file must contain the private key corresponding to the process’ own certificate. The private key must be in PKCS#8 format, which means that it must be surrounded by:

-----BEGIN PRIVATE KEY-----
xxxxxxxxxxxxxxx
-----END PRIVATE KEY-----

It can optionally be encrypted by the password provided to tls_password.

Certificate creation

If your organization already makes use of certificates for access control and securing communications, you should ask your security expert for organizational procedure for obtaining and verifying certificates. If the goal of enabling TLS is to make sure that only known machines can join or access the FoundationDB cluster and for securing communications, then creating your own certificates can serve these purposes.

The following set of commands uses the OpenSSL command-line tools to create a self-signed certificate and private key. The certificate is then joined with the private key in the output fdb.pem file:

user@host:> openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout private.key -out cert.crt
user@host:> cat cert.crt private.key > fdb.pem

Peer verification

A FoundationDB server or client will only communicate with peers that present a certificate chain that meets the verification requirements. By default, the only requirement is that the provided certificate chain ends in a certificate signed by the local trusted certificate.

Certificate field verification

With a peer verification string, FoundationDB servers and clients can adjust what is required of the certificate chain presented by a peer. These options can make the certificate requirements more rigorous or more lenient. You can specify multiple verification strings by providing additional tls_verify_peers command line arguments or concatenating them with |. All , or | in the verify peers fields should be escaped with \.

Turning down the validation

If the default checking of the certificate chain is too stringent, the verification string can contain settings to weaken what certificates are accepted.

Setting Result
Check.Valid=0 Sets the current process to disable all further verification of a peer certificate.
Check.Unexpired=0 Disables date checking of peer certificates. If the clocks in the cluster and between the clients and servers are not to be trusted, setting this value to 0 can allow communications to proceed.

Adding verification requirements

Requirements can be placed on the fields of the Issuer and Subject DNs in the peer’s own certificate. These requirements take the form of a comma-separated list of conditions. Each condition takes the form of field[<>]?=value. Only certain fields from a DN can be matched against.

Field Well known name
CN Common Name
C County
L Locality
ST State
O Organization
OU Organizational Unit
UID Unique Identifier
DC Domain Component

The field of each condition may optionally have a DN prefix, which is otherwise considered to be for the Subject DN.

Prefix DN
S., Subject., or none Subject
I., or Issuer. Issuer
R., or Root. Root

Additionally, the verification can be restricted to certificates signed by a given root CA with the field Root.CN. This allows you to have different requirements for different root chains.

The value of a condition must be specified in a form derived from a subset of RFC 4514. Specifically, the “raw” notation (a value starting with the # character) is not accepted. Other escaping mechanisms, including specifying characters by hex notation, are allowed. The specified field’s value must exactly match the value in the peer’s certificate.

By default, the fields of a peer certificate’s DNs are not examined.

In addition to DNs, restrictions can be placed against X509 extensions. They are specified in the same fashion as DN requirements. The supported extensions are:

Field Well known name
subjectAltName Subject Alternative Name

Within a subject alternative name requirement, the value specified is required to have the form prefix:value, where the prefix specifies the type of value being matched against. The following prefixes are supported:

Prefix Well known name
DNS Domain Name
URI Uniform Resource Identifier
IP IP Address
EMAIL Email Address

The following operators are supported:

Operator Match Type
= Exact Match
>= Prefix Match
<= Suffix Match

Verification Examples

Let’s consider a certificate, whose abridged contents is:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 12938646789571341173 (0xb38f4eb406a5eb75)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=California, L=Cupertino, O=Apple Inc., OU=FDB Team
        Subject: C=US, ST=California, L=Cupertino, O=Apple Inc., OU=FDB Team
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:test.foundationdb.org
                DNS:prod.foundationdb.com

A verification string of:

Check.Unexpired=0,I.C=US,C=US,S.O=Apple Inc.

Would pass, and:

  • Skip the check on all peer certificates that the certificate is not yet expired
  • Require that the Issuer has a Country field of US
  • Require that the Subject has a Country field of US
  • Require that the Subject has a Organization field of Apple Inc.

A verification string of:

S.OU>=FDB,S.OU<=Team,S.subjectAltName=DNS:test.foundationdb.org

Would pass, and:

  • Require that the Subject has an Organization field that starts with FDB
  • Require that the Subject has an Organization field that ends with Team
  • Require that the Subject has a Subject Alternative Name extension, which has one or more members of type DNS with a value of test.foundationdb.org.

A verification string of:

S.subjectAltName>=DNS:prod.,S.subjectAltName<=DNS:.org

Would pass, and:

  • Require that the Subject has a Subject Alternative Name extension, which has one or more members of type DNS that begins with the value prod..
  • Require that the Subject has a Subject Alternative Name extension, which has one or more members of type DNS that ends with the value .com.