Negotiate symmetric secrets between two remote peers using the mTLS secret exporter.
get_secrets
Description and context
get_secrets is a small program to negotiate a symmetric secret between two peers authenticated by mTLS.
The secret is extracted with the TLS keying material exporter of RFC 5705, in its updated TLS 1.3 form.
This is a toy implementation, created to support the claims of episode 3 of the Yakafokon podcast.
Example
Usage:
-addr string
IP address to which the TLS server must bind. By default, it binds to all local addresses
-ca string
Path to the file containing all of the Certification Authorities that should be trusted
-client
Whether we should act as a TLS client. If not specified, act as a server
-crt string
Path to the file containing the certificate to present to the TLS peer
-key string
Path to the file containing the key to use with the TLS peer
-label string
Label associated with the exported secret
-length int
Length of the exported secret, in bytes (default 32)
-out string
Path to the output file containing the exported secret
-peer string
Name of the peer that must be in the certificate returned
-port int
Port number of the server (default 443)
Server
./get_secrets -ca ca/ca.pem -crt ca/server.pem -key ca/server-key.pem -out server_secret -peer client.internal -addr server.internal -port 8000 -label postgres_password
After a client connects, and if the exit status is 0, the server_secret file contains a 32-byte secret.
Client
./get_secrets -ca ca/ca.pem -crt ca/client.pem -key ca/client-key.pem -out client_secret -peer server.internal -client -addr server.internal -port 8000 -label postgres_password
After establishing a connection with the server, and if the exit status is 0, the client_secret file contains a 32-byte secret. client_secret and server_secret are identical.
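The following Go program is an added example, not the project's main.go (which is not reproduced on this page). It does in one process what the two commands above do across the network: it builds a throwaway CA and two leaf certificates, runs an mTLS handshake pinned to TLS 1.3, checks the peer name the way the -peer flag does, and calls Go's ExportKeyingMaterial, the RFC 5705 exporter, on both sides. The names ca.internal, server.internal and client.internal, the functions issue, exportSecrets and negotiate, and the labels passed in are all constructed for this example; the exporter context is left empty, as the tool's flags suggest.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"time"
)

// issue builds a constructed ECDSA P-256 certificate for name, signed by parent (nil parent: self-signed toy CA).
func issue(name string, parent *tls.Certificate) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		DNSNames:              []string{name}, // the name that -peer is checked against
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign|x509.KeyUsageDigitalSignature
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, &key.PublicKey, parent.PrivateKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // der was just produced above, so it parses
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// exportSecrets mirrors one side of get_secrets: finish the mTLS handshake, check that the
// authenticated peer carries the expected name (-peer), then run the RFC 5705 exporter per label.
func exportSecrets(conn *tls.Conn, peer string, labels []string, length int) (out [][]byte, err error) {
	if err = conn.Handshake(); err != nil {
		return nil, err
	}
	cs := conn.ConnectionState() // PeerCertificates is non-empty: both configs verify the peer
	if err = cs.PeerCertificates[0].VerifyHostname(peer); err != nil {
		return nil, err
	}
	out = make([][]byte, len(labels))
	for i, label := range labels {
		if out[i], err = cs.ExportKeyingMaterial(label, nil, length); err != nil {
			return nil, err
		}
	}
	return out, nil
}

// negotiate runs an in-process mTLS server and client under the toy CA and
// returns the exporter output computed independently on each side.
func negotiate(labels []string, length int) (server, client [][]byte, err error) {
	ca := issue("ca.internal", nil)
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{issue("server.internal", &ca)},
		ClientAuth:   tls.RequireAndVerifyClientCert, // mutual authentication
		ClientCAs:    pool,
		MinVersion:   tls.VersionTLS13,
	})
	if err != nil {
		return nil, nil, err
	}
	defer ln.Close()
	var srvErr error
	done := make(chan struct{})
	go func() { // server side: accept one connection, then export
		defer close(done)
		if c, e := ln.Accept(); e != nil {
			srvErr = e
		} else {
			defer c.Close()
			server, srvErr = exportSecrets(c.(*tls.Conn), "client.internal", labels, length)
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{ // client side
		Certificates: []tls.Certificate{issue("client.internal", &ca)},
		RootCAs:      pool,
		ServerName:   "server.internal",
	})
	if err != nil {
		return nil, nil, err
	}
	defer conn.Close()
	if client, err = exportSecrets(conn, "server.internal", labels, length); err != nil {
		return nil, nil, err
	}
	<-done
	return server, client, srvErr
}
```

Calling negotiate with two labels, say postgres_password and a second one, returns equal bytes on both sides for each label while the two labels yield unrelated secrets, which is the property the exporter gives you: the handshake's authenticated key material is stretched into as many independent secrets as there are labels, and none of them ever travels over the wire. The peer-name check matters because RequireAndVerifyClientCert only proves the client holds a certificate from the trusted CA; without it, any client issued by that CA could obtain the server's secret.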