Add mTLS client authentication for OTLP/OTAP receivers #1539
Conversation
This PR adds mutual TLS (mTLS) support to the OTLP and OTAP gRPC receivers, enabling client certificate authentication for enhanced security. Features: - Client CA certificate configuration (client_ca_file, client_ca_pem) - Optional system CA certificate pool inclusion - Configurable handshake timeout for DoS protection - Concurrent TLS handshake support (up to 64 parallel handshakes) - Certificate hot-reloading with configurable reload interval Configuration options: - tls.cert_file/cert_pem: Server certificate - tls.key_file/key_pem: Server private key - tls.client_ca_file/client_ca_pem: CA for client cert verification (enables mTLS) - tls.include_system_ca_certs_pool: Include system CAs for client verification - tls.handshake_timeout: Timeout for TLS handshake (default: 10s) - tls.reload_interval: Interval for certificate reload checks (default: 5m) Tests added: - mTLS client certificate verification tests - Handshake timeout enforcement test - Concurrent handshake non-blocking test - TLS reload integration test fixes
This PR adds mutual TLS (mTLS) support to the OTLP and OTAP gRPC receivers, enabling client certificate authentication for enhanced security. Features: - Client CA certificate configuration (client_ca_file, client_ca_pem) - Optional system CA certificate pool inclusion - Configurable handshake timeout for DoS protection - Concurrent TLS handshake support (up to 64 parallel handshakes) - Certificate hot-reloading with configurable reload interval Configuration options: - tls.cert_file/cert_pem: Server certificate - tls.key_file/key_pem: Server private key - tls.client_ca_file/client_ca_pem: CA for client cert verification (enables mTLS) - tls.include_system_ca_certs_pool: Include system CAs for client verification - tls.handshake_timeout: Timeout for TLS handshake (default: 10s) - tls.reload_interval: Interval for certificate reload checks (default: 5m) Tests added: - mTLS client certificate verification tests - Handshake timeout enforcement test - Concurrent handshake non-blocking test - TLS reload integration test fixes
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## main #1539 +/- ##
==========================================
- Coverage 83.50% 83.47% -0.04%
==========================================
Files 428 428
Lines 119410 119479 +69
==========================================
+ Hits 99713 99733 +20
- Misses 19163 19212 +49
Partials 534 534
🚀 New features to boost your workflow:
|
| arc-swap = { workspace = true, optional = true } | ||
| rustls = { workspace = true, optional = true } | ||
| rustls-pemfile = { workspace = true, optional = true } | ||
| rustls-pki-types = { workspace = true, optional = true } |
There was a problem hiding this comment.
rustls-pemfile is no longer maintained, so replaced by rustls-pki-types, which is maintained by rustls project.
There was a problem hiding this comment.
https://github.com/open-telemetry/otel-arrow/pull/1536/files can be reverted with this.
There was a problem hiding this comment.
yes, we can either revert that as part of this PR, or I can do it in a followup after this is merged. Thanks for updating the unmaintained dependency @lalitb!
| match maybe_tls_acceptor { | ||
| Some(tls_acceptor) => { | ||
| let tls_stream = create_tls_stream(listener_stream, tls_acceptor); | ||
| let tls_stream = create_tls_stream(listener_stream, tls_acceptor, handshake_timeout); |
There was a problem hiding this comment.
handshake_timeout is added to protect against slow/malicious clients that could hold connection slots indefinitely by not completing the TLS handshake.
Without a timeout, a malicious client could:
- Open a TCP connection
- Never send TLS ClientHello (or send it very slowly)
- Hold the connection slot forever, preventing legitimate clients from connecting
- Repeat this to exhaust server resources (DoS attack)
| /// - Allows concurrent handshakes to prevent slow clients from blocking others | ||
| /// - Limits memory overhead for pending handshake state | ||
| /// - May need adjustment based on actual workload characteristics | ||
| const MAX_CONCURRENT_HANDSHAKES: usize = 64; |
There was a problem hiding this comment.
Not mTLS-specific - this is a general TLS hardening to prevent DoS via connection flooding. Limits concurrent handshakes to 64, applying backpressure when exceeded. Without this limit, an attacker could overwhelm the server by initiating thousands of handshakes simultaneously.
| // If system CAs were requested but no certs were loaded (and no user CA provided), | ||
| // warn the user that mTLS is effectively disabled or might not work as expected. | ||
| // Note: client_ca_pem is empty here. | ||
| if config.include_system_ca_certs_pool == Some(true) { | ||
| log::warn!( | ||
| "include_system_ca_certs_pool is true, but no CA certificates were loaded. mTLS will be disabled." | ||
| ); | ||
| } | ||
| builder.with_no_client_auth() |
There was a problem hiding this comment.
Would it make sense to return an error here? It seems like it would be better from a security perspective not to fail open like this
| // TLS handshake failed - log and continue | ||
| log::debug!("TLS handshake failed: {}", e); | ||
| None |
There was a problem hiding this comment.
Do you think this is important enough to log at warn level? Or would that just create too much noise in the event that there were many failed handshakes?
| if skip_if_no_openssl() { | ||
| return; | ||
| } |
There was a problem hiding this comment.
These tests look great!
Could we avoid skipping them if we used something like rcgen instead of openssl? https://docs.rs/rcgen/latest/rcgen/
I'm thinking it'd nice to ensure that these tests could always run. That way we can rely on them to catch regressions w/out worrying about if openssl accidentally got removed from some test runner.
If this is feasible, we can make the change a future PR (I don't want to block this PR from getting merged for this)
| // Allow concurrent handshakes to prevent slow/malicious clients from blocking others | ||
| .buffer_unordered(MAX_CONCURRENT_HANDSHAKES) |
4 participants
Adds mutual TLS (mTLS) client certificate authentication to OTLP/OTAP receivers with parallel handshake processing and timeout protection.
What's New
1. mTLS Client Certificate Verification
WebPkiClientVerifier2. Parallel Handshake Processing
3. Handshake timeout
Configuration
Enable mTLS
System CA Pool
What's Deferred