server/client config generate from corporate-provided certificate ?


Trevor Hubbard

May 25, 2021, 4:42:00 PM
to velociraptor-discuss
The current "config generate -i" only offers 3 options: self-signed, automatically with Let's Encrypt, and SSO.

This config seems to apply to both analyst users accessing the GUI and the clients connecting to the frontend.

The SSO (Google in my case) OAuth works fine for the analyst users accessing the GUI, but fails for the clients. The clients shouldn't need to auth to Google in order to connect.

I need the non-self-signed auth for the analyst users and normal TLS-protected connections for the clients (without the clients having to auth to Google, for example).

In addition, my company has procured and provided a regular public CA, which would work fine for both analysts and clients, but using that certificate to generate the server/client configs isn't an option.

How best should I move forward?

Thanks in advance for the help.

Mike Cohen

May 25, 2021, 10:13:46 PM
to Trevor Hubbard, velociraptor-discuss
Hi Trevor,

Clients do not (and can not) authenticate to Google so that is not required. The config wizard offers to build the most common deployment scenarios to make it easier to use but it just makes config files in the end. You are free to tweak those as needed for more complex scenarios.

The encryption protocol is described in detail here 


If you have a proper CA (i.e. it chains to the global roots) then you can use it to issue certificates for the server and use those in the server's configuration by setting the tls_certificate_file path.


Velociraptor does not support a self-signed external CA. The only type of self-signed certificate supported is the one issued by the internal Velociraptor CA, and in that case the clients pin the certificate using their internal hard-coded Velociraptor CA, so they will not talk to any other self-signed certs.

Thanks
Mike


Trevor Hubbard

Jun 7, 2021, 1:45:34 PM
to velociraptor-discuss
Got it working, thanks for the help.

We decided not to go with our own GoDaddy-provided cert, as the chaining is manual, and just go with the client/server TLS certs provided within Velociraptor.
