
add VerifyConnection func to NewTLSConf as InsecureSkipVerify:false doesn't work

Signed-off-by: Matthew R. Kasun <[email protected]>
Matthew R. Kasun 3 years ago
parent
commit
199ea15b1d

BIN
certs/generate_server_certificates/generate_server_certificates


+ 37 - 15
netclient/functions/daemon.go

@@ -2,11 +2,11 @@ package functions
 
 import (
 	"context"
+	"crypto/ed25519"
 	"crypto/tls"
 	"crypto/x509"
 	"errors"
 	"fmt"
-	"io/ioutil"
 	"os"
 	"os/signal"
 	"strings"
@@ -23,6 +23,7 @@ import (
 	"github.com/gravitl/netmaker/netclient/daemon"
 	"github.com/gravitl/netmaker/netclient/ncutils"
 	"github.com/gravitl/netmaker/netclient/wireguard"
+	ssl "github.com/gravitl/netmaker/tls"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 )
 
@@ -267,21 +268,22 @@ func setupMQTTSub(server string) mqtt.Client {
 
 // NewTLSConf sets up tls to connect to broker
 func NewTLSConfig(cfg *config.ClientConfig, server string) *tls.Config {
-	var ca []byte
-	var err error
-	certpool := x509.NewCertPool()
+	var file string
 	if cfg != nil {
-		ca, err = ioutil.ReadFile("/etc/netclient/" + cfg.Server.Server + "/root.pem")
-		if err != nil {
-			logger.Log(0, "could not read CA file %v\n", err.Error())
-		}
+		server = cfg.Server.Server
+		file = "/etc/netclient/" + cfg.Server.Server + "/root.pem"
 	} else {
-		ca, err = ioutil.ReadFile("/etc/netclient/" + server + "/root.pem")
-		if err != nil {
-			logger.Log(0, "could not read CA file %v\n", err.Error())
-		}
+		file = "/etc/netclient/" + server + "/root.pem"
+	}
+	certpool := x509.NewCertPool()
+	ca, err := os.ReadFile(file)
+	if err != nil {
+		logger.Log(0, "could not read CA file %v\n", err.Error())
+	}
+	ok := certpool.AppendCertsFromPEM(ca)
+	if !ok {
+		logger.Log(0, "failed to append cert")
 	}
-	certpool.AppendCertsFromPEM(ca)
 	//clientKeyPair, err := tls.LoadX509KeyPair("/etc/netclient/"+cfg.Server.Server+"/client.pem", "/etc/netclient/client.key")
 	//if err != nil {
 	//	log.Fatalf("could not read client cert/key %v \n", err)
@@ -290,9 +292,29 @@ func NewTLSConfig(cfg *config.ClientConfig, server string) *tls.Config {
 		RootCAs:    certpool,
 		ClientAuth: tls.NoClientCert,
 		//ClientAuth:         tls.VerifyClientCertIfGiven,
-		ClientCAs:          nil,
+		ClientCAs: nil,
+		//InsecureSkipVerify: false  fails ---- so need to use VerifyConnection
 		InsecureSkipVerify: true,
-		//Certificates:       []tls.Certificate{clientKeyPair},
+		VerifyConnection: func(cs tls.ConnectionState) error {
+			if cs.ServerName != server {
+				logger.Log(0, "VerifyConnection - certifiate mismatch")
+				return errors.New("certificate doesn't match server")
+			}
+			ca, err := ssl.ReadCert("/etc/netclient/" + cs.ServerName + "/root.pem")
+			if err != nil {
+				logger.Log(0, "VerifyConnection - unable to read ca", err.Error())
+				return errors.New("unable to read ca")
+			}
+			for _, cert := range cs.PeerCertificates {
+				if cert.IsCA {
+					if string(cert.PublicKey.(ed25519.PublicKey)) != string(ca.PublicKey.(ed25519.PublicKey)) {
+						logger.Log(0, "VerifyConnection - public key mismatch")
+						return errors.New("cert public key does not match ca public key")
+					}
+				}
+			}
+			return nil
+		},
 	}
 }
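Review bot: The VerifyConnection closure at L83-L102 accepts any server whose chain contains no CA certificate: the loop only compares entries with `cert.IsCA`, so a bare leaf signed by anyone (or an empty `cs.PeerCertificates`) falls through to `return nil`, and because `InsecureSkipVerify: true` has already disabled the built-in chain, expiry and hostname checks, the broker connection is effectively unauthenticated. The `cs.ServerName != server` test compares the SNI this client itself sent against its own configuration, so it cannot fail for a MITM, and the `.(ed25519.PublicKey)` assertions panic rather than error on a non-Ed25519 key. Replace the hand-rolled comparison with `x509.Certificate.Verify` against the `certpool` built in the previous hunk, which also pins `server` as the expected DNS name; the `crypto/ed25519` and `ssl` imports added in the first hunk then become unused. If the reason `InsecureSkipVerify: false` failed was simply a certificate without a SAN (the tls.go hunk in this commit now adds DNSNames), the default verifier may be sufficient and both `InsecureSkipVerify` and `VerifyConnection` could be dropped, but that is inferred rather than visible here. NewTLSConfig begins at L42 in the earlier hunk, outside this one.
```go
		// … unchanged: RootCAs / ClientAuth / ClientCAs fields …
		InsecureSkipVerify: true, // built-in verification is replaced, not skipped, by VerifyConnection
		VerifyConnection: func(cs tls.ConnectionState) error {
			if len(cs.PeerCertificates) == 0 {
				return errors.New("server presented no certificate")
			}
			opts := x509.VerifyOptions{
				Roots:         certpool, // root.pem loaded above
				DNSName:       server,
				Intermediates: x509.NewCertPool(),
			}
			for _, cert := range cs.PeerCertificates[1:] {
				opts.Intermediates.AddCert(cert)
			}
			if _, err := cs.PeerCertificates[0].Verify(opts); err != nil {
				logger.Log(0, "VerifyConnection - ", err.Error())
				return err
			}
			return nil
		},
```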
 

+ 12 - 5
scripts/nm-quick.sh

@@ -50,7 +50,7 @@ elif [ -f /etc/fedora-release ]; then
 	dnf update
 fi
 
-dependencies=( "docker.io" "docker-compose" "wireguard" "jq" )
+dependencies=( "docker.io" "docker-compose" "wireguard" "jq" "openssl" )
 
 for dependency in ${dependencies[@]}; do
     is_installed=$(dpkg-query -W --showformat='${Status}\n' ${dependency} | grep "install ok installed")
@@ -137,10 +137,17 @@ echo "setting mosquitto.conf..."
 
 wget -q -O /root/mosquitto.conf https://raw.githubusercontent.com/gravitl/netmaker/master/docker/mosquitto.conf
 
-echo "setting certificates for mosquitto"
-wget -q -O /root/mosquitto.conf https://raw.githubusercontent.com/gravitl/netmaker/master/certs/generate_server_certificates
-server=$(echo "broker."$NETMAKER_BASE_DOMAIN)
-./generate_server_certificates $server
+echo "creating certificates for mosquitto"
+server=$( echo "broker."$NETMAKER_BASE_DOMAIN)
+mkdir certs
+
+openssl genpkey -algorithm Ed25519 -out certs/root.key
+openssl req -new -key certs/root.key -out certs/root.csr -subj '/CN=CA Root'
+openssl x509 -req -in certs/root.csr -days 365 -signkey certs/root.key -CAcreateserial -out certs/root.pem
+
+openssl genpkey -algorithm Ed25519 -out certs/server.key
+openssl req -new -out certs/server.csr -key certs/server.key -subj  $subject 
+openssl x509 -req -in certs/server.csr -days 365 -CA certs/root.pem -CAkey certs/root.key -CAcreateserial -out certs/server.pem
 
 echo "setting docker-compose..."
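Review bot: `-subj $subject` at L136 references a variable the script never sets (only `server` is defined, at L128), so the server CSR gets an empty subject and `openssl req` fails or prompts interactively; the issued certificate also carries no subjectAltName, and Go's TLS client has ignored the CN for hostname matching since 1.15, which is the likely reason `InsecureSkipVerify: false` was failing on the client side. Set the subject from `$server` and attach a DNS SAN at signing time: `openssl req -new -out certs/server.csr -key certs/server.key -subj "/CN=$server"` and `openssl x509 -req -in certs/server.csr -days 365 -CA certs/root.pem -CAkey certs/root.key -CAcreateserial -extfile <(printf 'subjectAltName=DNS:%s' "$server") -out certs/server.pem` (process substitution assumes bash; otherwise write the extension line to a temporary file). `mkdir certs` at L129 should be `mkdir -p certs` so a re-run does not abort if the script runs under `set -e`, and the two private keys written to the working directory should be created with `umask 077` or followed by `chmod 600 certs/*.key`. The script's shebang and any `set -e` are outside this hunk, so treat the re-run concern as unconfirmed.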
 

+ 3 - 0
tls/tls.go

@@ -95,9 +95,12 @@ func NewCName(commonName string) pkix.Name {
 
 // creates a new certificate signing request for a
 func NewCSR(key ed25519.PrivateKey, name pkix.Name) (*x509.CertificateRequest, error) {
+	dnsnames := []string{}
+	dnsnames = append(dnsnames, name.CommonName)
 	derCertRequest, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
 		Subject:   name,
 		PublicKey: key.Public(),
+		DNSNames:  dnsnames,
 	}, key)
 	if err != nil {
 		return nil, err
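Review bot: The new DNSNames at L149-L154 copies `name.CommonName` into a DNS SAN unconditionally, so a CSR whose CN is not a hostname (a CA name containing spaces, or an IP address) yields a malformed or misleading dNSName entry, and nothing in the signature tells callers the CN is now treated as a hostname. Either guard it or document it: the two-line build can become `dnsnames := []string{name.CommonName}`, and the truncated doc comment should read `// NewCSR creates a certificate signing request for name, using name.CommonName as the sole DNS SAN; callers must pass a hostname as the CN.` Which callers pass non-hostname CNs is not visible from this hunk, and NewCSR's body continues past it.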