Support SSL/TLS for ECS Server? #518

Closed
synfinatic opened this issue Aug 11, 2023 · 2 comments
Labels: enhancement (New feature or request), idea (Things to think about)

Comments

synfinatic (Owner) commented Aug 11, 2023

Would be very useful for users using aws-sso over ssh. Unclear if/how the certificate that we use would be trusted by the AWS SDK. Users would likely have to roll their own CA and inject it into the AWS SDK or figure out a way to use LetsEncrypt to generate a cert for localhost?

I suppose generating a trusted cert is really just left as an exercise for the reader. :-/

synfinatic added the enhancement and idea labels Aug 11, 2023

synfinatic (Owner, Author) commented Jun 28, 2024

Just point people to: https://letsencrypt.org/docs/certificates-for-localhost/

Should point out that their concern about MITM attacks isn't really relevant for aws-sso. Even if someone was to modify your DNS settings, the private key would be safe in the SecureStore so the connection would fail. I suppose the bigger issue is if LE would break things on their end?

synfinatic (Owner, Author) commented Jun 28, 2024

So what if:

  1. Users generate a self-signed cert (maybe aws-sso can do this for them?)
  2. Private key is loaded into SecureStore, but cert is ~/.aws-sso/ecs-server.crt
  3. ECS server uses both to do StartTLS()
  4. ECS client reads the certificate and adds it to a copy of the trust store: https://forfuncsake.github.io/post/2017/08/trust-extra-ca-cert-in-go-app/
  5. If a user wants to, they can copy the ecs-server.crt file to another host and then other clients would trust it too.
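
The five steps above as an added Go example (not aws-sso's own code): the server presents a freshly generated self-signed certificate, and only a client whose trust store is a private copy of the system roots with that certificate added completes the handshake, while a client on default roots is rejected. It assumes httptest as a stand-in for the ECS server, keeps the private key in memory instead of a SecureStore, and sets ServerName so the client verifies against "localhost" although httptest binds 127.0.0.1.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// selfSigned makes an RSA key and a self-signed cert valid for "localhost" (step 1).
func selfSigned() (tls.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), DNSNames: []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key) // issuer == leaf
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, err
}

// handshakeOK serves over TLS with cert (step 3) and reports whether a client whose roots are a
// private copy of the system pool, plus cert only when trustServerCert is set (step 4), connects.
func handshakeOK(cert tls.Certificate, trustServerCert bool) (bool, error) {
	srv := httptest.NewUnstartedServer(http.NotFoundHandler()) // the handler is irrelevant here
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{cert}}
	srv.StartTLS()
	defer srv.Close()
	pool, err := x509.SystemCertPool() // a copy: adding to it changes nothing process-wide
	if err != nil || pool == nil {
		pool = x509.NewCertPool() // no system roots readable here: start from an empty pool
	}
	if trustServerCert {
		leaf, _ := x509.ParseCertificate(cert.Certificate[0]) // produced by selfSigned, so it parses
		pool.AddCert(leaf)
	}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool, ServerName: "localhost"}}}
	if resp, err := client.Get(srv.URL); err == nil {
		resp.Body.Close()
		return true, nil
	}
	return false, nil // handshake rejected (unknown authority): the expected untrusted outcome
}
```

Copying the certificate (never the key) to another host and adding it the same way is step 5; the SystemCertPool copy means nothing is written to the OS trust store.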

synfinatic added a commit that referenced this issue Jun 30, 2024
* add `ecs cert` command to load cert/private key
* Stores the cert/private key in the secure store
* Re-think how the http auth CLI args work

Fixes: #518
synfinatic added this to the 1.17.0 milestone Jun 30, 2024