What's mtLS? @ Docker London

What's mtLS? @ Docker London

Mutual TLS, or mTLS, is a widely used standard for improving the security for authentication. It's an extension of TLS, which is used for HTTPS, but in addition to the client verifying that the server, the server also verifies that the client.

mTLS is already widely used and is the cornerstone of the Zero Trust Networking movement, but how does it work? In this talk, we will go over the fundamentals of mTLS and create a simple web app that users mTLS as the authentication method. We will use technologies like Docker and Nginx to accomplish this, show the benefits over traditional authentication methods (such as API keys and passwords)


Viktor Petersson

November 27, 2019


  1. WHAT'S MTLS? Oh and wait, how does that relate to

    Docker? wott.io @vpetersson
  2. OUTLINE What's mTLS? Our use case/scenario Demo (all praise thy

    mighty demo gods) Recap @vpetersson wott.io
  3. @vpetersson wott.io

  4. WHAT'S WOTT? @vpetersson wott.io Security tool for developers Provides cryptographic

    identity (x509) Ongoing security audit of fleet A security dashboard Workflow integrations (Github, Slack etc) (DevSecOps)
  5. THE SCENARIO We got clients (workstation/server/container) That needs to talk

    to our API securely We don't want to use regular credentials @vpetersson wott.io
  6. THE SCENARIO Nginx App App Client Client @vpetersson wott.io

  7. CONCEPTS OVERVIEW TLS vs Mutual TLS Zero Trust Networking vs

    Perimeter based security Public Key Infrastructure (PKI) and root of trust @vpetersson wott.io
  8. HOW TLS WORKS @vpetersson wott.io

  9. HOW MUTUAL TLS WORKS @vpetersson wott.io

  10. PERIMETER SECURITY VS ZERO TRUST Perimeter based security Defend the

    moat with firewall(s) Example: Infra from the 90s Zero Trust Networking Assume everything is hostile (even internal traffic) Encrypt and verify everything Example: Istio and BeyondCorp Read "Zero Trust Networks" by Doug Barth and Evan Gilman for more details @vpetersson wott.io
  11. PUBLIC KEY INFRASTRUCTURE (PKI) Where you get your SSL certificates

    Let's Encrypt, Commodo, Verisign Browsers trust "public CAs"* The CA is your "root of trust" Roll your own or use an existing CA (like WoTT) @vpetersson wott.io * This is a bit complicated and out of scope
  12. @vpetersson wott.io

  13. TODAY'S GOAL Use Mutual TLS (mTLS) for transport layer Rotate

    the keys periodically in an automated fashion* Access control using cryptographic identity No use of API keys or username+password @vpetersson wott.io * Performed automatically by the WoTT Agent
  14. INFRA SETUP Preparation before the talk Spun up a small

    VM on GCE Docker Compose for setting up containers Nginx App server (Django App) SSL cert from Let's Encrypt We will use WoTT's PKI, but you can also roll your own @vpetersson wott.io
  15. APP OVERVIEW Python/Django app Uses HTTP headers from Nginx for

    access control This is a PoC with known attack vectors, so don't blindly use this in production as-is @vpetersson wott.io
  16. ACCESS CONTROL OVERVIEW @vpetersson wott.io

  17. DEPLOYING OUR APP @vpetersson wott.io

  18. DEPLOYING OUR APP $ docker-compose up [...] @vpetersson wott.io We're

    going to use dockerlon.vpetersson.com
  19. CURL ALL DA THINGZ $ curl -I https://dockerlon.vpetersson.com/api/ HTTP/2 403

    [...] @vpetersson wott.io
  20. @vpetersson wott.io

  21. ACCESS CONTROL OVERVIEW @vpetersson wott.io

  22. NGINX MAGIC @vpetersson wott.io

  23. ONTO THE CLIENT (DEMO) @vpetersson wott.io

  24. @vpetersson wott.io DEMO GOD

  25. @vpetersson wott.io

  26. CURL ALL DA THINGZ $ sudo curl -s \ --key

    /opt/wott/certs/client.key \ --cert /opt/wott/certs/client.crt \ https://dockerlon.vpetersson.com/api/ | jq { "msg": "You shall not pass!" } @vpetersson wott.io
  27. @vpetersson wott.io

  28. ACCESS CONTROL OVERVIEW @vpetersson wott.io

  29. APP MAGIC @vpetersson wott.io THIS IS A PROOF OF CONCEPT.

  30. WHITELIST THE DEVICE @vpetersson wott.io

  31. WHO AM I? $ sudo wott-agent whoami x.d.wott.local @vpetersson wott.io

  32. @vpetersson wott.io

  33. CURL ALL DA THINGZ $ sudo curl \ --key /opt/wott/certs/client.key

    \ --cert /opt/wott/certs/client.crt \ https://dockerlon.vpetersson.com/api/ | jq { "msg": "Welcome x.d.wott.local. We've been expecting you." } @vpetersson wott.io
  34. ACCESS CONTROL OVERVIEW @vpetersson wott.io

  35. @vpetersson wott.io

  36. CONCLUSION mTLS doesn't have to be scary Easier and more

    secure than passwords Credential rotation built-in The foundation of Zero Trust Networking @vpetersson wott.io
  37. GET IN TOUCH Check out our agent mTLS and CVE

    audit of your nodes Ping us at hello@wott.io or visit wott.io @vpetersson wott.io
  38. REFERENCES https://github.com/vpetersson/django-mtls https://wott.io/blog/tutorials/2019/07/15/mtls-with-nginx https://tools.ietf.org/html/draft-ietf-oauth-mtls-17 @vpetersson wott.io

  39. @vpetersson wott.io Where's the bar?