Design Decision: TLS termination point
Background / Context
Design of the float is critically influenced by the decision of where TLS connections to the node should be terminated.
1. Terminate TLS on Firewall
- Common practice for DMZ web solutions, often with an HSM associated with the firewall, and should be familiar for banks to set up.
- Doesn’t expose our private key in the less trusted DMZ context.
- Bugs in the firewall TLS engine will be patched frequently.
- The DMZ float server would only require a self-signed certificate/private key to enable secure communications, so theft of this key has no impact beyond the compromised machine.
- May limit cryptography options to RSA and prevent checking of X.500 names (only the root certificate is checked); Corda certificates are not entirely standard.
- Doesn’t allow identification of the message source.
- May require additional work and SASL support code to validate the ultimate origin of connections in the float.
2. Direct TLS Termination onto Float
- Validate our PKI certificates directly ourselves.
- Allow messages to be reliably tagged with source.
- We don’t currently use the identity to check incoming packets, only for connection authentication.
- Management of the private key is a challenge requiring extra work and carrying security implications. Options for this are presented below.
Variant Option 2a: Float TLS certificate via direct HSM
- Key can’t be stolen (only access to signing operations).
- Audit trail of signings.
- Accessing HSM from DMZ probably not allowed.
- Breaks the inbound-connection-only rule of modern DMZ.
Variant Option 2b: Tunnel signing requests to bridge manager
- No new connections involved from Float box.
- No access to actual private key from DMZ.
- Requires implementation of a message protocol, plus a key provider that can be passed to the standard SSLEngine but proxies signing requests to the bridge manager.
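The key provider of Variant 2b (and the audit trail Variant 2a wants) can be shown with a small added example; this is illustration code written here, not Corda's float or bridge implementation, and it uses Go because Go's crypto.Signer plays the same role as a key provider handed to SSLEngine. The float process holds only the public key; each handshake signature goes through a tunnel function (an in-process stand-in for the real message protocol) to a bridge-side holder of the private key, which counts requests. The type and function names, the self-signed loopback certificate and the host name float.example are all constructed for the demo.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// bridgeSide sits on the trusted network and holds the real TLS key; the float never sees it.
type bridgeSide struct{ key *ecdsa.PrivateKey; Signs int } // Signs is the audit trail of requests served

func (b *bridgeSide) sign(digest []byte) ([]byte, error) {
	b.Signs++
	return ecdsa.SignASN1(rand.Reader, b.key, digest)
}

// proxyKey is the handle the float gives crypto/tls: public key only, plus a tunnel that stands in for
// the message protocol carrying handshake digests to the bridge manager.
type proxyKey struct{ pub crypto.PublicKey; tunnel func([]byte) ([]byte, error) }

func (p *proxyKey) Public() crypto.PublicKey { return p.pub }
func (p *proxyKey) Sign(_ io.Reader, d []byte, _ crypto.SignerOpts) ([]byte, error) { return p.tunnel(d) }

// handshakeViaBridge runs a loopback handshake against a float holding only the proxy key and
// returns how many signatures the bridge produced (one per handshake).
func handshakeViaBridge() (int, error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed test key
	bridge := &bridgeSide{key: key}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"float.example"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key) // self-signed
	if err != nil { return 0, err }
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	srv := &tls.Config{SessionTicketsDisabled: true, // unbuffered net.Pipe must not stall on ticket delivery
		Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: &proxyKey{pub: &key.PublicKey, tunnel: bridge.sign}}}}
	cli := &tls.Config{RootCAs: pool, ServerName: "float.example"}
	c, s := net.Pipe()
	srvErr := make(chan error, 1)
	go func() { srvErr <- tls.Server(s, srv).Handshake() }()
	if err := tls.Client(c, cli).Handshake(); err != nil { return 0, err }
	return bridge.Signs, <-srvErr
}

func main() { fmt.Println(handshakeViaBridge()) }
```

The client verifies the handshake signature against the float's certificate, so a bridge that refused or altered the signature would fail the handshake rather than leak anything; the count it returns is the audit record.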
Variant Option 2c: Store key on local file system
- Simple with minimal extra code required.
- Delegates access control to bank’s own systems.
- Risks losing only the TLS private key, which can easily be revoked. This isn’t the legal identity key at all.
- Risks losing the TLS private key.
- Probably not allowed.
Recommendation and justification
Proceed with Variant option 1a: Terminate on firewall; include SASL connection checking.