Verifying that agent to agent communication is secured with TLS encryption


Priyanka Sengupta

May 26, 2020, 10:04:15 AM5/26/20
to Consul
I followed the guide here: https://learn.hashicorp.com/consul/security-networking/certificates

But the page does not mention how to verify that it worked. Does anyone have any advice to that end?

What I tried:

#1: Using the openssl s_client shows that the server is presenting no certificate (I used 8300 because that is the port for server RPC communication):

openssl s_client -connect node-name.node.consul:8300 

CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---


#2: Adding garbage to the certificate file and then restarting Consul throws an error. Thus, it appears to be using the certificate, but I cannot validate that Consul is actually using the certificates and that communications are encrypted.
[ERROR] agent: Error starting agent: error="Failed to load cert/key pair: tls: failed to find any PEM data in certificate input"


Spencer Owen

May 26, 2020, 11:48:22 AM5/26/20
to consu...@googlegroups.com
You could try a tcpdump on port 8300 to see if the data is encrypted:

```
tcpdump -s 0 -w - tcp port 8300 | tcpflow -C -r -
```

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/consul/issues
Community chat: https://gitter.im/hashicorp-consul/Lobby
---
You received this message because you are subscribed to the Google Groups "Consul" group.
To unsubscribe from this group and stop receiving emails from it, send an email to consul-tool...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/consul-tool/04890fdd-e495-4cb0-b519-76b56400fc93%40googlegroups.com.

Hans Hasselberg

May 26, 2020, 3:36:15 PM5/26/20
to consu...@googlegroups.com
Hello everyone,

checking the RPC port is a little bit complicated because of the custom protocol. Once 1.8 is out you will be able to use vanilla openssl, but for now you have to send a special byte first in order to verify that TLS is being used. I wrote a small go program to print CA and cert information of the server: https://gist.github.com/i0rek/8b42adca01cb11932759ae0c56752a46. It should be pretty straightforward. Let me know if it helps.

Thanks,
Hans

Priyanka Sengupta

May 27, 2020, 5:44:36 PM5/27/20
to Consul
Thank you! I will give this a shot. I tried this exact thing without tcpflow and it looked garbled with and without encryption though...

Priyanka Sengupta

May 27, 2020, 5:49:10 PM5/27/20
to Consul
Hi Hans,

Oh interesting! I tried this out but I am getting "error while handshake remote error: tls: bad certificate"!

Seems like something is wrong. Any ideas? I do see the Consul data center functioning, i.e., services are registering.

I pasted your code and ran it on the server. I changed "localhost" to the IP address of my localhost because I had to use bind_addr = "{{ GetInterfaceIP \"eth0\" }}" when setting up the Consul server. Could this be the issue?

Is there a way to try out 1.8 before it is out? :)

Thanks,
Priyanka


Hans Hasselberg

May 28, 2020, 3:29:21 AM5/28/20
to consu...@googlegroups.com
Hello Priyanka,

you want to point it to the RPC endpoint of the server, the default port is 8300. This is how it looks for me:

$ go run main.go -dst localhost:8101
Cert Subject: CN=server.dc1.consul NotBefore: 2020-05-28 07:23:50 +0000 UTC NotAfter: 2021-05-28 07:23:50 +0000 UTC

If that doesn't work, maybe you could share your consul version and server configuration to help with debugging.


Priyanka Sengupta

May 28, 2020, 10:31:59 AM5/28/20
to Consul
Hi Hans,

My server configuration has this:
datacenter = "demo_dc"
bind_addr = "{{ GetInterfaceIP \"eth0\" }}"
addresses {
    http = "{{ GetInterfaceIP \"eth0\" }}"
}

The RPC endpoint of the server is 8300: (Due to the bind_addr param above, I have X'ed out the IP address)
$ netstat -ntlp | grep 8300
tcp        0      0 XX.XXX.XXX.XXX:8300     0.0.0.0:*               LISTEN      27383/consul

I also created the server certificate like so:
$ consul tls cert create -server -dc demo_dc -additional-ipaddress=XX.XXX.XXX.XXX

But I still get the error:
$ go run hello.go -dst XX.XXX.XXX.XXX:8300
error while handshake remote error: tls: bad certificate
exit status 1

The consul version: 1.7.2

- Priyanka