software/slapos-master: allow disabling CRL check
Context of the MR
A few months ago, @rafael updated the way Compute Node certificates are revoked (see slapos.core!548 (merged)). Before, we generated a CRL for the revoked certificate, which was, and still is, the standard way of doing revocation in ERP5. For performance reasons, the new way does not generate a CRL, but simply invalidates the Compute Node certificate object in ERP5.
This MR goes one step further by allowing the CRL check to be disabled directly in Apache, as this check is not required for new instances, since SlapOS does not use CRLs anymore. A new configuration parameter `check_crl` is added to the slapos-master SR, and defaults to `True`. In case the user wants to disable the CRL check by Apache, this configuration parameter should be set to `False`.
Why not remove the check?
If the CRL check is not required anymore, shouldn't we simply remove the configuration parameter from the Apache configuration, since this configuration is only used for SlapOS master? Doing this would not be a problem for new instances, but could become problematic if we try to update old instances which have revoked certificates in the CRL directory.
What I mean by that is the following: suppose a certificate was created and revoked before Rafael's MR. This client is disallowed access because of the CRL file. Now, we update the instance, supposing this MR is merged as is: the client still cannot connect, because CRL validation is enforced, even though no new CRL will be generated, as the instance now includes Rafael's fix. If we completely remove CRL validation, this client will be able to log in with the previously revoked certificate.
However, certificates have an expiration date, so at some point all CRLs will have become obsolete since they will refer to expired certificates. At this point, the parameter introduced by this MR should default to `False` (i.e. remove the CRL check completely), and Apache will not look for CRLs anymore. The current state is therefore a transition state: this MR is quite conservative as the default value is compatible with old servers. When some time has passed, we should be able to delete the CRL check completely from the Apache configuration.