Radostin: /* Debugging */

2019-09-07T17:56:16Z

Debugging

Radostin: Add comment about debugging

2019-06-13T10:11:48Z

Add comment about debugging

Radostin: Created page with "This page describes how use the TLS functionality of CRIU. A good introduction to Public Key Infrastructure (PKI) and the Transport Layer Security (TLS) protocol can be found..."

2019-06-08T18:46:19Z

Created page with "This page describes how use the TLS functionality of CRIU. A good introduction to Public Key Infrastructure (PKI) and the Transport Layer Security (TLS) protocol can be found..."

New page

This page describes how use the TLS functionality of CRIU. A good introduction to Public Key Infrastructure (PKI) and the Transport Layer Security (TLS) protocol can be found in the GnuTLS [https://gnutls.org/manual/gnutls.html manual].

== Overview ==
CRIU supports an authenticated key exchange using PKI and X.509 certificates to provide encryption and decryption of data transferred via [[page server]].

This functionality is enabled when CRIU is compiled with GnuTLS support. By default, this happens automatically when the development files for the <code>gnutls</code> package are installed. However, this can be disabled by setting the <code>NO_GNUTLS</code> environment variable at build time.

== Setup ==

The default PKI paths are listed in the table below. These locations can be overwritten by the corresponding command-line options.

{| class="wikitable"
|-
|'''Description'''
|'''Default path'''
|'''CLI option'''
|-
|Certificate authority certificate
|<code>/etc/pki/CA/cacert.pem</code>
|<code>--tls-cacert</code>
|-
|Certificate revocation list
|<code>/etc/pki/CA/cacrl.pem</code>
|<code>--tls-cacrl</code>
|-
|*Client/server certificate
|<code>/etc/pki/criu/cert.pem</code>
|<code>--tls-cert</code>
|-
|*Private key
|<code>/etc/pki/criu/private/key.pem</code>
|<code>--tls-key</code>
|-
|}
{{note|Required files are indicated with an asterisk (*). If GnuTLS fails to load a required or file specified file via command-line option CRIU will exit with an error.}}

X.509 certificates and private keys can be generated parsed with the [https://www.gnutls.org/manual/html_node/certtool-Invocation.html <code>certtool</code>]. A [https://www.gnutls.org/manual/html_node/certtool-Invocation.html#Certtool_0027s-template-file-format template file] can be used to avoid the interactive questions of this tool.

=== Generate Certificate Authority certificate ===
1. Create a template file.

<pre>
# cat > ca_template.info <<-EOF
cn = criu.org
ca
cert_signing_key
expiration_days = 700
EOF
</pre>

2. Generate a private key.

<pre>
# (umask 277 && certtool --generate-privkey > cakey.pem)
</pre>

3. Generate the CA certificate.

<pre>
# certtool --generate-self-signed \
--template ca_template.info \
--load-privkey cakey.pem \
--outfile cacert.pem
</pre>

=== Generate client/server certificates ===

1. Create a template file.

<pre>
# cat > server_template.info <<-EOF
cn = <Host Name>
encryption_key
signing_key
EOF
</pre>

2. Generate the private key file.

<pre>
# (umask 277 && certtool --generate-privkey > key.pem)
</pre>

3. Generate the certificate.

<pre>
# certtool --generate-certificate \
--template server_template.info \
--load-privkey key.pem \
--load-ca-certificate cacert.pem \
--load-ca-privkey cakey.pem \
--outfile cert.pem
</pre>

=== Generating certificate revocation list ===

Generating a CRL that contains revoked certificates can be achieved as follows:

<pre>
# certtool --generate-crl \
--load-ca-privkey cakey.pem \
--load-ca-certificate cacert.pem \
--load-certificate revoked-certs.pem \
--outfile cacrl.pem
</pre>

Where the <code>revoked-certs.pem</code> file contains all revoked certificates. If the <code>--load-certificate</code> is omitted, an empty Certificate Revocation List will be generated.

== Certificate verification ==

The use of a CA certificate and CRL is optional. They are being loaded if present and ignored otherwise. The system's default trusted CAs are used to verify the received client (or server) certificate when the <code>--tls-cacert</code> option is '''not''' specified.

Both the client and the server are required to send a certificate during the TLS handshake phase.

The [https://gnutls.org/manual/html_node/Priority-Strings.html priority string] for the TLS session's handshake algorithms and options (ciphers, key exchange methods and MACs) is set to default.

The value specified with the [[CLI/opt/--address]] option is expected to match the hostname included in the received certificate. This implies that, for example, if an IP address is used to connect to a server and the server's certificate includes it's domain name, the verification will fail. This feature is very important to mitigate MITM attacks, however, it can be disabled with the <code>--tls-no-cn-verify</code> command-line option.

== Usage Example ==

=== Page-server ===
<pre>
[dst]# criu page-server -D <path> --port <port> --tls

[src]# criu dump --page-server --address <dst> --port <port> -t <pid> -D <path> --tls
</pre>

=== Lazy migration ===
<pre>
[src]# criu dump --lazy-pages --port <port> -t <pid> -D <path> --tls

[dst]# criu lazy-pages --page-server --address <src> --port <port> -D <path> --tls

[dst]# criu restore -D <PATH> --lazy-pages
</pre>

← Older revision		Revision as of 17:56, 7 September 2019
Line 137:		Line 137:
	== Debugging ==		== Debugging ==

−	In cases when things ~~do not~~ go as expected ~~further information to assist debugging can be obtained by setting~~ the environment variable <code>GNUTLS_DEBUG_LEVEL</code> to ~~an appropriate~~ log level. The ~~level is~~ an integer between 0 and 9 (higher values ~~mean~~ more verbosity).	+	In cases when things don't go as expected the environment variable <code>GNUTLS_DEBUG_LEVEL</code> can be used to set the GnuTLS log level. The value should be an integer between 0 and 9 (higher values = more verbosity).

← Older revision		Revision as of 10:11, 13 June 2019
Line 134:		Line 134:
	[dst]# criu restore -D <PATH> --lazy-pages		[dst]# criu restore -D <PATH> --lazy-pages
	</pre>		</pre>
		+
		+	== Debugging ==
		+
		+	In cases when things do not go as expected further information to assist debugging can be obtained by setting the environment variable <code>GNUTLS_DEBUG_LEVEL</code> to an appropriate log level. The level is an integer between 0 and 9 (higher values mean more verbosity).

TLS - Revision history

Radostin: /* Debugging */

Radostin: Add comment about debugging

Radostin: Created page with "This page describes how use the TLS functionality of CRIU. A good introduction to Public Key Infrastructure (PKI) and the Transport Layer Security (TLS) protocol can be found..."