1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
|
// Copyright (c) Tailscale Inc & contributors
// SPDX-License-Identifier: BSD-3-Clause
package prober
import (
"context"
"crypto/tls"
"crypto/x509"
"errors"
"fmt"
"io"
"net/http"
"net/netip"
"slices"
"time"
)
const expiresSoon = 7 * 24 * time.Hour // 7 days from now
// Let’s Encrypt promises to issue certificates with CRL servers after 2025-05-07:
// https://letsencrypt.org/2024/12/05/ending-ocsp/
// https://github.com/tailscale/tailscale/issues/15912
const letsEncryptStartedStaplingCRL int64 = 1746576000 // 2025-05-07 00:00:00 UTC
// TLS returns a Probe that healthchecks a TLS endpoint.
//
// The ProbeFunc connects to a hostPort (host:port string), does a TLS
// handshake, verifies that the hostname matches the presented certificate,
// checks certificate validity time and OCSP revocation status.
//
// The TLS config is optional and may be nil.
func TLS(hostPort string, config *tls.Config) ProbeClass {
return ProbeClass{
Probe: func(ctx context.Context) error {
return probeTLS(ctx, config, hostPort)
},
Class: "tls",
}
}
// TLSWithIP is like TLS, but dials the provided dialAddr instead of using DNS
// resolution. Use config.ServerName to send SNI and validate the name in the
// cert.
func TLSWithIP(dialAddr netip.AddrPort, config *tls.Config) ProbeClass {
return ProbeClass{
Probe: func(ctx context.Context) error {
return probeTLS(ctx, config, dialAddr.String())
},
Class: "tls",
}
}
func probeTLS(ctx context.Context, config *tls.Config, dialHostPort string) error {
dialer := &tls.Dialer{Config: config}
conn, err := dialer.DialContext(ctx, "tcp", dialHostPort)
if err != nil {
return fmt.Errorf("connecting to %q: %w", dialHostPort, err)
}
defer conn.Close()
tlsConnState := conn.(*tls.Conn).ConnectionState()
return validateConnState(ctx, &tlsConnState)
}
// validateConnState verifies certificate validity time in all certificates
// returned by the TLS server and checks OCSP revocation status for the
// leaf cert.
func validateConnState(ctx context.Context, cs *tls.ConnectionState) (returnerr error) {
var errs []error
defer func() {
returnerr = errors.Join(errs...)
}()
latestAllowedExpiration := time.Now().Add(expiresSoon)
var leafCert *x509.Certificate
var issuerCert *x509.Certificate
var leafAuthorityKeyID string
// PeerCertificates will never be len == 0 on the client side
for i, cert := range cs.PeerCertificates {
if i == 0 {
leafCert = cert
leafAuthorityKeyID = string(cert.AuthorityKeyId)
}
if i > 0 {
if leafAuthorityKeyID == string(cert.SubjectKeyId) {
issuerCert = cert
}
}
// Do not check certificate validity period for self-signed certs.
// The practical reason is to avoid raising alerts for expiring
// DERP metaCert certificates that are returned as part of regular
// TLS handshake.
if string(cert.SubjectKeyId) == string(cert.AuthorityKeyId) {
continue
}
if time.Now().Before(cert.NotBefore) {
errs = append(errs, fmt.Errorf("one of the certs has NotBefore in the future (%v): %v", cert.NotBefore, cert.Subject))
}
if latestAllowedExpiration.After(cert.NotAfter) {
left := cert.NotAfter.Sub(time.Now())
errs = append(errs, fmt.Errorf("one of the certs expires in %v: %v", left, cert.Subject))
}
}
if len(leafCert.CRLDistributionPoints) == 0 {
if !slices.Contains(leafCert.Issuer.Organization, "Let's Encrypt") {
// LE certs contain a CRL, but certs from other CAs might not.
return
}
if leafCert.NotBefore.Before(time.Unix(letsEncryptStartedStaplingCRL, 0)) {
// Certificate might not have a CRL.
return
}
errs = append(errs, fmt.Errorf("no CRL server presented in leaf cert for %v", leafCert.Subject))
return
}
err := checkCertCRL(ctx, leafCert.CRLDistributionPoints[0], leafCert, issuerCert)
if err != nil {
errs = append(errs, fmt.Errorf("CRL verification failed for %v: %w", leafCert.Subject, err))
}
return
}
func checkCertCRL(ctx context.Context, crlURL string, leafCert, issuerCert *x509.Certificate) error {
hreq, err := http.NewRequestWithContext(ctx, "GET", crlURL, nil)
if err != nil {
return fmt.Errorf("could not create CRL GET request: %w", err)
}
hresp, err := http.DefaultClient.Do(hreq)
if err != nil {
return fmt.Errorf("CRL request failed: %w", err)
}
defer hresp.Body.Close()
if hresp.StatusCode != http.StatusOK {
return fmt.Errorf("crl: non-200 status code from CRL server: %s", hresp.Status)
}
lr := io.LimitReader(hresp.Body, 10<<20) // 10MB
crlB, err := io.ReadAll(lr)
if err != nil {
return err
}
crl, err := x509.ParseRevocationList(crlB)
if err != nil {
return fmt.Errorf("could not parse CRL: %w", err)
}
if err := crl.CheckSignatureFrom(issuerCert); err != nil {
return fmt.Errorf("could not verify CRL signature: %w", err)
}
for _, revoked := range crl.RevokedCertificateEntries {
if revoked.SerialNumber.Cmp(leafCert.SerialNumber) == 0 {
return fmt.Errorf("cert for %v has been revoked on %v, reason: %v", leafCert.Subject, revoked.RevocationTime, revoked.ReasonCode)
}
}
return nil
}
|
