FAQ
All,

I'm attempting to set up a system where a master process attempts to
communicate with other processes via RPC. When the master process attempts
to connect to the slaves it will be given a certificate.

At this point the user can either accept the certificate fingerprint or
reject it (at which point no further communication will occur).

This is very similar to SaltStack, for those of you who have used it
before. Before the SaltStack master will communicate with a slave the
master must explicitly accept the certificate of the slave.

Unfortunately I'm completely new at the certificate thing. The goal, again,
is to verify the client cert before the master starts communicating with it
via a custom RPC.

Any thoughts on how to go about doing this would be greatly appreciated.

Thanks!

--
You received this message because you are subscribed to the Google Groups "golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Search Discussions

  • Hotei at May 15, 2014 at 9:12 pm
    James,
    A few clarifications may help generate some responses...

    Are you attempting to port SaltStack to go or just get some similar
    functionality for a small project? A quick look at the saltstack website
    shows a VERY ambitious project.

    Do you have a specific type of certificate in mind? A simple passphrase
    hash can validate RPC channels if you can securely share a key. Or you can
    go the full Public-Key CA route if that's appropriate.

    How much trust (or distrust if you will) is appropriate for process? Are
    you assuming your traffic is/isn't at risk of sniffing or man-in-middle
    attack?

    More context usually generates better answers...
    On Thursday, May 15, 2014 1:21:01 PM UTC-4, James wrote:

    All,

    I'm attempting to set up a system where a master process attempts to
    communicate with other processes via RPC. When the master process attempts
    to connect to the slaves it will be given a certificate.

    At this point the user can either accept the certificate fingerprint or
    reject it (at which point no further communication will occur).

    This is very similar to SaltStack, for those of you who have used it
    before. Before the SaltStack master will communicate with a slave the
    master must explicitly accept the certificate of the slave.

    Unfortunately I'm completely new at the certificate thing. The goal,
    again, is to verify the client cert before the master starts communicating
    with it via a custom RPC.

    Any thoughts on how to go about doing this would be greatly appreciated.

    Thanks!
    --
    You received this message because you are subscribed to the Google Groups "golang-nuts" group.
    To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscribe@googlegroups.com.
    For more options, visit https://groups.google.com/d/optout.
  • Hotei at May 15, 2014 at 9:56 pm
    James,

    General thoughts on how to approach problem:

    I would write the program with RPC and use a mockup for the certificate
    approval process. Since you're using a struct to pass via RPC just add a
    field with the certificate as content and stub a function that does the
    "approval" for the certificate. Just have the approval func always return
    true. Once you've got more details worked out (and the RPC part is
    working) the certificate approval part should be fairly easy.


    Assuming this is a personal project and you can make your own design
    decisions you can start with a hash for "certificate approval" and move to
    something else later if the situation warrants it. Go's std library has
    pretty much all the parts you need - the following shopping list is just a
    start.


    net/rpc
    hash
    crypto/sha256
    encoding/gob


    --
    You received this message because you are subscribed to the Google Groups "golang-nuts" group.
    To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscribe@googlegroups.com.
    For more options, visit https://groups.google.com/d/optout.
  • James at May 16, 2014 at 1:42 am
    Hotei,

    Many thanks -- I appreciate the responses and pointing me in the right
    direction in terms of the various packages to take a look at. This is
    a personal project where there will be a constant stream of RPC data
    flowing from master <-> slave(s). I'm definitely not attempting to
    re-write SaltStack. ;) The master will distribute workloads to the
    slave nodes, and the slave nodes will then respond with both results
    and system statistics.

    I was thinking about using PKI, although no CA is needed in this
    particular instance since the master is manually accepting the public
    certificate. I was hoping that the public/prvate keys could also be
    used to encrypt/decrypt the traffic from master <-> slave (in addition
    to the original problem of manually accepting certificates on the
    master).

    I've searched through the mailing list archives and seen some
    recommendations to use HTTP-based RPC (using Gorilla's RPC package),
    but I'd prefer to stick with non-HTTP-based RPC communication. I
    haven't found specifics on how to encrypt net/rpc communication with
    PKI, much less manually accepting the certificate before communication
    can flow.

    Upon reading the net/rpc documentation my gut instinct is that I need
    to manually make a TCP connection between the nodes and somehow rely
    on the TLS packages, as opposed to using the Listen() and Call()
    functions in the net/rpc package. Encrypting the RPC communication
    would be great step in the right direction. Any thoughts on how to do
    this would be greatly appreciated -- then I can try to tackle the cert
    "acceptance" process.

    Thanks again!


    On Thu, May 15, 2014 at 5:27 PM, Hotei wrote:
    James,

    General thoughts on how to approach problem:
    I would write the program with RPC and use a mockup for the certificate
    approval process. Since you're using a struct to pass via RPC just add a
    field with the certificate as content and stub a function that does the
    "approval" for the certificate. Just have the approval func always return
    true. Once you've got more details worked out (and the RPC part is
    working) the certificate approval part should be fairly easy.
    Assuming this is a personal project and you can make your own design
    decisions you can start with a hash for "certificate approval" and move to
    something else later if the situation warrants it. Go's std library has
    pretty much all the parts you need - the following shopping list is just a
    start.


    net/rpc
    hash
    crypto/sha256
    encoding/gob


    --
    You received this message because you are subscribed to the Google Groups
    "golang-nuts" group.
    To unsubscribe from this group and stop receiving emails from it, send an
    email to golang-nuts+unsubscribe@googlegroups.com.
    For more options, visit https://groups.google.com/d/optout.
    --
    You received this message because you are subscribed to the Google Groups "golang-nuts" group.
    To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscribe@googlegroups.com.
    For more options, visit https://groups.google.com/d/optout.

Related Discussions

Discussion Navigation
viewthread | post
Discussion Overview
groupgolang-nuts @
categoriesgo
postedMay 15, '14 at 5:21p
activeMay 16, '14 at 1:42a
posts4
users2
websitegolang.org

2 users in discussion

Hotei: 2 posts James: 2 posts

People

Translate

site design / logo © 2022 Grokbase