Add custom TLS CA global option

falcosecurity · Aug 9, 2023 · 2599851 · 2599851
1 parent 9e23a09
commit 2599851
Show file tree

Hide file tree

Showing 5 changed files with 36 additions and 7 deletions.
diff --git a/README.md b/README.md
@@ -203,6 +203,8 @@ mutualtlsclient: # takes priority over mutualtlsfilespath if not emtpy
   certfile: "/etc/certs/client/client.crt" # client certification file
   keyfile: "/etc/certs/client/client.key" # client key
   cacertfile: "/etc/certs/client/ca.crt" # for server certification
+tlsclient:
+  cacertfile: "/etc/certs/client/ca.crt" # added to the system's tls CA pool
 tlsserver:
   deploy: false # if true, TLS server will be deployed instead of HTTP
   certfile: "/etc/certs/server/server.crt" # server certification file
@@ -696,6 +698,7 @@ care of lower/uppercases**) : `yaml: a.b --> envvar: A_B` :
 - **MUTUALTLSCLIENT_CERTFILE**: client certification file for mutual TLS client certification, takes priority over MUTUALTLSFILESPATH if not empty
 - **MUTUALTLSCLIENT_KEYFILE**: client key file for mutual TLS client certification, takes priority over MUTUALTLSFILESPATH if not empty
 - **MUTUALTLSCLIENT_CACERTFILE**: CA certification file for server certification for mutual TLS authentication, takes priority over MUTUALTLSFILESPATH if not empty
+- **TLSCLIENT_CACERTFILE**: CA certificate file for server certification on TLS connections, appended to the system CA pool if not empty
 - **TLSSERVER_DEPLOY**: if _true_ TLS server will be deployed instead of HTTP
 - **TLSSERVER_CERTFILE**: server certification file for TLS Server (default: "/etc/certs/server/server.crt")
 - **TLSSERVER_KEYFILE**: server key file for TLS Server (default: "/etc/certs/server/server.key")

diff --git a/config.go b/config.go
@@ -53,6 +53,7 @@ func getConfig() *types.Configuration {
 	v.SetDefault("MutualTLSClient.CertFile", "")
 	v.SetDefault("MutualTLSClient.KeyFile", "")
 	v.SetDefault("MutualTLSClient.CaCertFile", "")
+	v.SetDefault("TLSClient.CaCertFile", "")
 
 	v.SetDefault("TLSServer.Deploy", false)
 	v.SetDefault("TLSServer.CertFile", "/etc/certs/server/server.crt")

diff --git a/config_example.yaml b/config_example.yaml
@@ -13,6 +13,8 @@ mutualtlsclient: # takes priority over mutualtlsfilespath if not emtpy
   certfile: "/etc/certs/client/client.crt" # client certification file
   keyfile: "/etc/certs/client/client.key" # client key
   cacertfile: "/etc/certs/client/ca.crt" # for server certification
+tlsclient:
+  cacertfile: "/etc/certs/client/ca.crt" # added to the system's tls CA pool
 tlsserver:
   deploy: false # if true, TLS server will be deployed instead of HTTP
   certfile: "/etc/certs/server/server.crt" # server certification file

diff --git a/outputs/client.go b/outputs/client.go
@@ -193,6 +193,28 @@ func (c *Client) sendRequest(method string, payload interface{}) error {
 
 	customTransport := http.DefaultTransport.(*http.Transport).Clone()
 
+	if customTransport.TLSClientConfig == nil {
+		customTransport.TLSClientConfig = &tls.Config{}
+	}
+
+	customTransport.TLSClientConfig.MinVersion = tls.VersionTLS12
+
+	if customTransport.TLSClientConfig.RootCAs == nil {
+		pool, err := x509.SystemCertPool()
+		if err != nil {
+			pool = x509.NewCertPool()
+		}
+		customTransport.TLSClientConfig.RootCAs = pool
+	}
+
+	if c.Config.TLSClient.CaCertFile != "" {
+		caCert, err := ioutil.ReadFile(c.Config.TLSClient.CaCertFile)
+		if err != nil {
+			log.Printf("[ERROR] : %v - %v\n", c.OutputType, err.Error())
+		}
+		customTransport.TLSClientConfig.RootCAs.AppendCertsFromPEM(caCert)
+	}
+
 	if c.MutualTLSEnabled {
 		// Load client cert
 		var MutualTLSClientCertPath, MutualTLSClientKeyPath, MutualTLSClientCaCertPath string
@@ -221,13 +243,8 @@ func (c *Client) sendRequest(method string, payload interface{}) error {
 		if err != nil {
 			log.Printf("[ERROR] : %v - %v\n", c.OutputType, err.Error())
 		}
-		caCertPool := x509.NewCertPool()
-		caCertPool.AppendCertsFromPEM(caCert)
-		customTransport.TLSClientConfig = &tls.Config{
-			Certificates: []tls.Certificate{cert},
-			RootCAs:      caCertPool,
-			MinVersion:   tls.VersionTLS12,
-		}
+		customTransport.TLSClientConfig.RootCAs.AppendCertsFromPEM(caCert)
+		customTransport.TLSClientConfig.Certificates = []tls.Certificate{cert}
 	} else {
 		// With MutualTLS enabled, the check cert flag is ignored
 		if !c.CheckCert {

diff --git a/types/types.go b/types/types.go
@@ -49,6 +49,7 @@ func (f FalcoPayload) Check() bool {
 type Configuration struct {
 	MutualTLSFilesPath string
 	MutualTLSClient    MutualTLSClient
+	TLSClient          TLSClient
 	TLSServer          TLSServer
 	Debug              bool
 	ListenAddress      string
@@ -115,6 +116,11 @@ type MutualTLSClient struct {
 	CaCertFile string
 }
 
+// MutualTLSClient represents parameters for global TLS client options
+type TLSClient struct {
+	CaCertFile string
+}
+
 // TLSServer represents parameters for TLS Server
 type TLSServer struct {
 	Deploy     bool