-
Notifications
You must be signed in to change notification settings - Fork 237
TLS Overall Plan
Below are the steps to introduce certifiable TLS logging for the audit system. Each of these phases need detailed plans that draws from overall TLS Requirements to flesh out the details.
-
Make the current PR a viable prototype. Add
tls_auth = psk, addtls_crypto_profile = standard | fips | pqc, requiretls_psk_identity, addtls_allowed_clients, authorize identity before record ingestion, record cryptographic connection establishment and failure reasons in the audit system, and maketls_allowed_clientsreload transactional. Keep any single-PSK limitation explicit in the documentation. -
Tighten profile policy. Implement
standard,pqc, and a fail-closed placeholder forfipsif FIPS cannot be completed immediately. Move default ciphers, groups, TLS 1.3 floor, PSK minimum length, and PQC requirements into profile definitions. Keep raw overrides behind profile floor checks. System crypto policy may constrain or reject a profile, but must not silently downgrade it. -
Add collector PSK lookup. Introduce
tls_psk_storeand change the collector PSK callback from one global key to identity lookup. Start with one active secret per identity. Unknown and disabled identities should fail without useful enumeration feedback. -
Add lifecycle-ready metadata. Extend the PSK store format to carry identity, secret, status, created, expires, owner or inventory reference, and optional non-secret fingerprint. The listener profile remains authoritative; identity metadata does not choose the cryptographic profile.
-
Add reload, rotation, and revocation behavior. Build new PSK store and authorization state before swapping it in. Preserve the old working state on reload failure. Support current/next PSKs or adjacent identities for planned rotation. Disable identities immediately for new connections and close active connections where feasible.
-
Add dedicated lifecycle utility. Generate per-sender PSKs, validate identity format, add/disable/rotate/list keys, safely update
tls_psk_storeandtls_allowed_clients, and provide dry-run validation. -
Expand tests. Add auditd/audisp integration tests for successful PSK, unknown identity, disabled identity, malformed allowed-client file, PQC-required failure, FIPS fail-closed behavior where unsupported, TLS-disabled build behavior, PSK file permission failures, reload failure preserving old state, audit records for connection establishment, and slow-handshake timeout.
-
Defer larger secure remote logging work. Keep application-level replay windows, signed acknowledgements, gap records, hash-chained spools, X.509 mTLS, and the full
audisp-remoterole split as later secure remote logging phases unless this PR is expanded beyond the first PSK transport milestone.