Docker Community Forums

Share and learn in the Docker community.

Is there a security hole in adding TLS security to docker port?

I’ve been following the guide at: https://docs.docker.com/engine/security/https/ to open up & protect my Docker daemon socket. My use case is to use the docker plugin for Jenkins in a CI environment and to get the docker host to spawn slaves.

I believe that I’ve installed some self-signed certificates successfully, and if I execute a curl against it such as:

curl https://HOSTNAME:2376/version

I get a suitable message indicating that this is a self-signed cert and that curl doesn’t like it:

curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

I then go on to use the -k option for fun on curl and that’s where I have a concern and a question:

{"Version":"17.05.0-ce","ApiVersion":"1.29","MinAPIVersion":"1.12","GitCommit":"89658be","GoVersion":"go1.7.5","Os":"linux","Arch":"amd64","KernelVersion":"4.4.0-66-generic","BuildTime":"2017-05-04T22:10:54.638119411+00:00"}

I was not expecting this result. I then try:

#  curl https://HOSTNAME:2376/version -k -v
*   Trying [ipaddress removed]
* Connected to HOSTNAME ([ipaddress removed]) port 2376 (#0)
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* found 692 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
* 	 server certificate verification SKIPPED
* 	 server certificate status verification SKIPPED
* 	 common name: HOSTNAME (matched)
* 	 server certificate expiration date OK
* 	 server certificate activation date OK
* 	 certificate public key: RSA
* 	 certificate version: #3
* 	 subject: CN=HOSTNAME
* 	 start date: Tue, 26 Sep 2017 14:42:51 GMT
* 	 expire date: Wed, 26 Sep 2018 14:42:51 GMT
* 	 issuer: C=AU,ST=Some-State,O=Internet Widgits Pty Ltd,CN=HOSTNAME
* 	 compression: NULL
* ALPN, server accepted to use http/1.1
> GET /version HTTP/1.1
> Host: HOSTNAME:2376
> User-Agent: curl/7.47.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Api-Version: 1.29
< Content-Type: application/json
< Docker-Experimental: false
< Ostype: linux
< Server: Docker/17.05.0-ce (linux)
< Date: Tue, 26 Sep 2017 15:27:07 GMT
< Content-Length: 225
< 
{"Version":"17.05.0-ce","ApiVersion":"1.29","MinAPIVersion":"1.12","GitCommit":"89658be","GoVersion":"go1.7.5","Os":"linux","Arch":"amd64","KernelVersion":"4.4.0-66-generic","BuildTime":"2017-05-04T22:10:54.638119411+00:00"}
* Connection #0 to host HOSTNAME left intact

Have I done something wrong or has curl requested the response over HTTP and Docker has complied?

Thanks in advance.


First, on the Docker daemon’s host machine, generate CA private and public keys:

$ openssl genrsa -aes256 -out ca-key.pem 4096
Generating RSA private key, 4096 bit long modulus
...++
...++
e is 65537 (0x10001)
Enter pass phrase for ca-key.pem:
Verifying - Enter pass phrase for ca-key.pem:

$ openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
Enter pass phrase for ca-key.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:Queensland
Locality Name (eg, city) []:Brisbane
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Docker Inc
Organizational Unit Name (eg, section) []:Sales
Common Name (e.g. server FQDN or YOUR name) []:$HOST
Email Address []:Sven@home.org.au

Now that you have a CA, you can create a server key and certificate signing request (CSR). Make sure that “Common Name” matches the hostname you use to connect to Docker:

Note: Replace all instances of $HOST in the following example with the DNS name of your Docker daemon’s host.

$ openssl genrsa -out server-key.pem 4096
Generating RSA private key, 4096 bit long modulus
...++
...++
e is 65537 (0x10001)

$ openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr

Next, we’re going to sign the public key with our CA:

Since TLS connections can be made through IP address as well as DNS name, the IP addresses need to be specified when creating the certificate. For example, to allow connections using 10.10.10.20 and 127.0.0.1:

$ echo subjectAltName = DNS:$HOST,IP:10.10.10.20,IP:127.0.0.1 >> extfile.cnf

Set the Docker daemon key’s extended usage attributes to be used only for server authentication:

$ echo extendedKeyUsage = serverAuth >> extfile.cnf

Now, generate the signed certificate:

$ openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
    -CAcreateserial -out server-cert.pem -extfile extfile.cnf
Signature ok
subject=/CN=your.host.com
Getting CA Private Key
Enter pass phrase for ca-key.pem:
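As an added example (not code from this thread or from Docker), here is the certificate procedure above carried through to the client certificate it stops short of, written as a script that also checks what each certificate is valid for. It bears on the first post as well: curl's -k only switches off the client's verification of the server certificate, and the verbose output there shows the daemon still negotiated TLS 1.2; whether a client without a certificate is let in is decided by the daemon, which according to the linked guide only accepts clients presenting a certificate signed by your CA when it is started with --tlsverify. The hostname docker.example.internal, the IP addresses, the 2048-bit keys, the unencrypted CA key and the req config file are assumptions of this example; it needs the openssl CLI (1.1.0 or later for -verify_hostname and -verify_ip).

```shell
#!/usr/bin/env sh
# Added example, not code from the thread or from Docker: builds the CA, server
# and client certificates from the guide above and checks what each one is
# valid for. Assumes the openssl CLI (1.1.0+); host, IPs and key size are made up.
set -eu

KEY_BITS="${KEY_BITS:-2048}"   # the guide uses 4096; 2048 keeps the demo fast

# make_pki DIR HOST [IP]: writes ca.pem, server-cert.pem/server-key.pem and
# cert.pem/key.pem into DIR. The CA key is left unencrypted so that the script
# runs unattended; for a real CA add -aes256 to genrsa as the guide does.
make_pki() {
  local dir="$1" host="$2" ip="${3:-10.10.10.20}"
  mkdir -p "$dir"
  (
    cd "$dir"
    # Own req config so the outcome does not depend on the system openssl.cnf.
    cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = docker-demo-ca
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # 1. CA private key and self-signed CA certificate
    openssl genrsa -out ca-key.pem "$KEY_BITS" 2>/dev/null
    openssl req -new -x509 -days 365 -sha256 -key ca-key.pem -config ca.cnf -out ca.pem

    # 2. Server key and CSR; the CN is the name clients will connect to
    openssl genrsa -out server-key.pem "$KEY_BITS" 2>/dev/null
    openssl req -new -sha256 -key server-key.pem -config ca.cnf \
      -subj "/CN=$host" -out server.csr
    # SAN lists the DNS name and the IPs; EKU limits the cert to serverAuth
    printf 'subjectAltName = DNS:%s,IP:%s,IP:127.0.0.1\nextendedKeyUsage = serverAuth\n' \
      "$host" "$ip" > extfile.cnf
    openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
      -CAcreateserial -out server-cert.pem -extfile extfile.cnf 2>/dev/null

    # 3. Client key and certificate, limited to clientAuth; this is the
    #    certificate a daemon started with --tlsverify checks against ca.pem
    openssl genrsa -out key.pem "$KEY_BITS" 2>/dev/null
    openssl req -new -sha256 -key key.pem -config ca.cnf -subj "/CN=client" -out client.csr
    echo 'extendedKeyUsage = clientAuth' > extfile-client.cnf
    openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
      -CAcreateserial -out cert.pem -extfile extfile-client.cnf 2>/dev/null
  )
}

# cert_ok CA_PEM CERT_PEM [openssl verify options]: succeeds only if CERT_PEM
# chains to CA_PEM under the given constraints (-purpose, -verify_hostname,
# -verify_ip). Reads the printed ": OK" instead of the exit status because
# openssl 1.0.x exited 0 from verify even on failure.
cert_ok() {
  local ca="$1" cert="$2"
  shift 2
  openssl verify -CAfile "$ca" "$@" "$cert" 2>&1 | grep -q ': OK$'
}

# verdict LABEL CMD...: prints one line per check
verdict() {
  local label="$1"
  shift
  if "$@"; then echo "$label: accepted"; else echo "$label: rejected"; fi
}

main() {
  local host="docker.example.internal" work ca srv cli   # assumed daemon name
  work="$(mktemp -d)"
  make_pki "$work/ours"  "$host"
  make_pki "$work/other" "$host"           # a second, unrelated CA
  ca="$work/ours/ca.pem"; srv="$work/ours/server-cert.pem"; cli="$work/ours/cert.pem"

  verdict "server cert used as a TLS server"     cert_ok "$ca" "$srv" -purpose sslserver
  verdict "server cert used as a TLS client"     cert_ok "$ca" "$srv" -purpose sslclient
  verdict "client cert used as a TLS client"     cert_ok "$ca" "$cli" -purpose sslclient
  verdict "client cert used as a TLS server"     cert_ok "$ca" "$cli" -purpose sslserver
  verdict "server cert for name $host"           cert_ok "$ca" "$srv" -verify_hostname "$host"
  verdict "server cert for name other.example"   cert_ok "$ca" "$srv" -verify_hostname other.example
  verdict "server cert for IP 127.0.0.1"         cert_ok "$ca" "$srv" -verify_ip 127.0.0.1
  verdict "client cert from an unrelated CA"     cert_ok "$ca" "$work/other/cert.pem" -purpose sslclient
  # Against a real daemon started with --tlsverify, the equivalent check is:
  #   curl --cacert ca.pem --cert cert.pem --key key.pem https://$host:2376/version
  # and the same request with -k and no --cert should be refused at the handshake.
  rm -rf "$work"
}
main
```

The server certificate passes only as an sslserver for its own name and IP, the client certificate only as an sslclient, and a client certificate from another CA is rejected outright; that last check is what a daemon with --tlsverify performs on every connection, independently of whether the client bothered to verify the server.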