What is Mutual TLS?

mTLS / two-way TLS / Istio mTLS ... etc.

It is a term I came across about two years ago while browsing around to find out what Istio is. Frankly, for its exact definition, let's take a look at the following diagram:

# 1. Create the CA private key and a self-signed CA certificate (valid for 10 years)
$ openssl genrsa -des3 -out ca.key 4096
$ openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
# 2. Create the server (mysite.com) private key and a certificate signing request for it
#    (the first mysite.key is not used in the later steps; nginx uses mysite.com.key)
$ openssl genrsa -des3 -out mysite.key 4096
$ openssl genrsa -des3 -out mysite.com.key 4096
$ openssl req -new -key mysite.com.key -out mysite.com.csr
# 3. Sign the client CSR with the CA; user.crt is the certificate the client will present to the server
$ openssl x509 -req -days 365 -in user.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out user.crt
server {
....
.....
listen 443;
ssl on;
server_name mysite.com;
proxy_ssl_server_name on;
# Server certificate and key signed by our own CA (one-way TLS so far)
ssl_certificate /etc/nginx/certs/mysite.com.crt;
ssl_certificate_key /etc/nginx/certs/mysite.com.key;
.........
}
# With only the server side configured, a client that trusts our CA can connect without presenting anything:
$ curl --cacert ca.crt https://mysite.com

# To make TLS mutual, add to the server block the CA that client certificates must chain to, and require a client certificate:
ssl_client_certificate /etc/nginx/certs/ca.crt;
ssl_verify_client on;

# Now the same call without a client certificate is rejected by nginx:
$ curl --cacert ca.crt https://mysite.com
<html>... 400 No required SSL certificate was sent ...</html>

# Presenting the client key and the CA-signed client certificate completes the mutual handshake:
$ curl --cacert ca.crt --key user.key --cert user.crt https://mysite.com
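The steps above, as an added example that is not from the original post: a script that builds the CA, the server certificate and the client certificate without passphrase prompts (no -des3, a fixed -subj), then applies the same check nginx performs with ssl_verify_client on, i.e. whether a presented client certificate chains to the CA in ssl_client_certificate. It assumes the openssl CLI is installed; all directory and file names are constructed here.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes the openssl CLI is
# available; paths and subjects are constructed for the demonstration.
set -e

# Build a small PKI in "$1": root CA, CA-signed server cert, CA-signed client cert.
make_pki() {
  dir="$1"
  mkdir -p "$dir"
  # Root CA (self-signed). nginx trusts it via ssl_client_certificate,
  # curl trusts it via --cacert.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" \
    -subj "/CN=Example Root CA" 2>/dev/null
  # Server key + CSR, signed by the CA (what ssl_certificate points at).
  openssl req -newkey rsa:2048 -nodes -keyout "$dir/mysite.com.key" \
    -out "$dir/mysite.com.csr" -subj "/CN=mysite.com" 2>/dev/null
  openssl x509 -req -days 365 -in "$dir/mysite.com.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -set_serial 01 \
    -out "$dir/mysite.com.crt" 2>/dev/null
  # Client key + CSR, signed by the same CA (what curl --cert sends).
  openssl req -newkey rsa:2048 -nodes -keyout "$dir/user.key" \
    -out "$dir/user.csr" -subj "/CN=user" 2>/dev/null
  openssl x509 -req -days 365 -in "$dir/user.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -set_serial 02 \
    -out "$dir/user.crt" 2>/dev/null
}

# The server-side decision: does client cert "$2" chain to CA "$1"?
# Prints "ok" (nginx would admit the request) or "fail" (it would not).
verify_client() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}
```

A client certificate issued by a different CA, even with the same subject, fails the check, which is why the CA bundled into ssl_client_certificate is the real trust boundary of the setup.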

What about Envoy and Istio?

If we look at the image below, the service part covers our actual containers; here we do not need to load the public certificates into the services that call each other.

Istio general design

Finally,

mTLS is really a product of today's zero-trust approach. It has a very wide range of uses: some documents describe it for auth operations where a reverse proxy authenticates on the certificate alone, with no key in the middle, and for certificates dedicated to IoT devices.

