Add mTLS client authentication for OTLP/OTAP receivers #1539
Conversation
This PR adds mutual TLS (mTLS) support to the OTLP and OTAP gRPC receivers, enabling client certificate authentication for enhanced security.

Features:
- Client CA certificate configuration (client_ca_file, client_ca_pem)
- Optional system CA certificate pool inclusion
- Configurable handshake timeout for DoS protection
- Concurrent TLS handshake support (up to 64 parallel handshakes)
- Certificate hot-reloading with configurable reload interval

Configuration options:
- tls.cert_file/cert_pem: Server certificate
- tls.key_file/key_pem: Server private key
- tls.client_ca_file/client_ca_pem: CA for client cert verification (enables mTLS)
- tls.include_system_ca_certs_pool: Include system CAs for client verification
- tls.handshake_timeout: Timeout for TLS handshake (default: 10s)
- tls.reload_interval: Interval for certificate reload checks (default: 5m)

Tests added:
- mTLS client certificate verification tests
- Handshake timeout enforcement test
- Concurrent handshake non-blocking test
- TLS reload integration test fixes
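The option semantics in the description above, as a worked example added here; it is not code from the PR or from otel-arrow. It is written in Go because Go's standard library carries a TLS stack and so runs with no third-party crates, whereas the receiver itself is Rust on rustls. The outcomes it shows are the ones the PR's client-CA configuration must produce: a client cert chaining to client_ca_file is accepted, a cert from an impostor CA that copies the trusted CA's name but not its key is rejected, and a handshake with no client cert is rejected. All certificates are minted in memory (constructed test data), and the names mintCert, ServerConfig, AcceptOne, Client and Demo are this example's own, as is treating the includeSystemPool parameter as the stand-in for tls.include_system_ca_certs_pool.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// mintCert issues a short-lived P-256 cert for cn signed by parent (self-signed when nil); constructed in memory for this example.
func mintCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)},
	}
	if parent == nil { parent, parentKey = tmpl, key } // self-signed root
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// ServerConfig mirrors the PR's tls.* options: cert/key identify the server, a non-nil clientCA enables client cert verification (mTLS).
func ServerConfig(srv *x509.Certificate, srvKey *ecdsa.PrivateKey, clientCA *x509.Certificate, includeSystemPool bool) *tls.Config {
	cfg := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}}}
	if clientCA == nil {
		return cfg // plain TLS: the server is authenticated, clients stay anonymous
	}
	pool := x509.NewCertPool()
	if sys, err := x509.SystemCertPool(); includeSystemPool && err == nil {
		pool = sys // tls.include_system_ca_certs_pool: every OS root becomes an acceptable client issuer, rarely what mTLS wants
	}
	pool.AddCert(clientCA)
	cfg.ClientCAs, cfg.ClientAuth = pool, tls.RequireAndVerifyClientCert // a missing or untrusted cert fails the handshake
	return cfg
}

// AcceptOne listens on loopback, lets client dial in, runs one server-side handshake and returns the verified client CN.
func AcceptOne(cfg *tls.Config, client func(addr string)) (string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil { return "", err }
	defer ln.Close()
	go client(ln.Addr().String())
	raw, err := ln.Accept()
	if err != nil { return "", err }
	defer raw.Close()
	tc := tls.Server(raw, cfg)
	if err := tc.Handshake(); err != nil {
		return "", err // client-cert rejections surface here, before any application data
	}
	if peers := tc.ConnectionState().PeerCertificates; len(peers) > 0 {
		return peers[0].Subject.CommonName, nil
	}
	return "", nil // no client cert was requested
}

// Client returns a dialer that trusts root as the server CA and presents cert (nil: no client cert).
func Client(root, cert *x509.Certificate, key *ecdsa.PrivateKey) func(addr string) {
	return func(addr string) {
		pool := x509.NewCertPool()
		pool.AddCert(root)
		cfg := &tls.Config{RootCAs: pool, ServerName: "127.0.0.1"}
		if cert != nil {
			cfg.Certificates = []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}}
		}
		if c, err := tls.Dial("tcp", addr, cfg); err == nil {
			c.Read(make([]byte, 1)) // wait for the verdict: EOF once accepted, an alert when rejected
			c.Close()
		}
	}
}

// Demo: a cert from the trusted CA, a cert from an impostor CA that copies the CA's name but not its key, and no cert.
func Demo() (okCN string, impostorErr, noCertErr error) {
	ca, caKey := mintCert("corp-ca", true, nil, nil)
	srv, srvKey := mintCert("otlp-receiver", false, ca, caKey)
	agent, agentKey := mintCert("collector-agent", false, ca, caKey)
	fakeCA, fakeKey := mintCert("corp-ca", true, nil, nil)
	rogue, rogueKey := mintCert("intruder", false, fakeCA, fakeKey)
	cfg := ServerConfig(srv, srvKey, ca, false)
	okCN, _ = AcceptOne(cfg, Client(ca, agent, agentKey))
	_, impostorErr = AcceptOne(cfg, Client(ca, rogue, rogueKey))
	_, noCertErr = AcceptOne(cfg, Client(ca, nil, nil))
	return
}
func main() { fmt.Println(Demo()) }
```

The impostor case is the one worth keeping in mind: the server only trusts what chains cryptographically to the configured client CA, so copying a subject name buys an attacker nothing. The system-pool option widens the set of acceptable client issuers to every OS root, which undercuts the point of a private client CA; leave it off unless clients genuinely carry publicly issued certificates.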
Codecov Report ❌ Patch coverage is
@@ Coverage Diff @@
## main #1539 +/- ##
==========================================
- Coverage 83.50% 83.47% -0.04%
==========================================
Files 428 428
Lines 119410 119479 +69
==========================================
+ Hits 99713 99733 +20
- Misses 19163 19212 +49
Partials 534 534
| arc-swap = { workspace = true, optional = true } | ||
| rustls = { workspace = true, optional = true } | ||
| rustls-pemfile = { workspace = true, optional = true } | ||
| rustls-pki-types = { workspace = true, optional = true } |
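Review bot: rustls-pemfile and rustls-pki-types are both listed as optional dependencies in this hunk while the review comment says rustls-pemfile is being replaced; if PEM decoding now goes through rustls-pki-types (its PemObject trait), drop the `rustls-pemfile = { workspace = true, optional = true }` line so the unmaintained crate does not linger in the lock file, and make sure all four lines (arc-swap included) sit behind the same feature so a build without TLS does not pull them in.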
rustls-pemfile is no longer maintained, so replaced by rustls-pki-types, which is maintained by rustls project.
https://github.com/open-telemetry/otel-arrow/pull/1536/files can be reverted with this.
| match maybe_tls_acceptor { | ||
| Some(tls_acceptor) => { | ||
| let tls_stream = create_tls_stream(listener_stream, tls_acceptor); | ||
| let tls_stream = create_tls_stream(listener_stream, tls_acceptor, handshake_timeout); |
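Review bot: the handshake_timeout now passed to create_tls_stream bounds only the handshake; a peer that completes it and then sends nothing still holds the connection, so this should be paired with the gRPC keepalive/idle settings, and the timeout path inside create_tls_stream should close the socket and log or count the event at a rate-limited level so a slow-loris attempt is visible rather than silently dropped.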
handshake_timeout is added to protect against slow/malicious clients that could hold connection slots indefinitely by not completing the TLS handshake.
Without a timeout, a malicious client could:
- Open a TCP connection
- Never send TLS ClientHello (or send it very slowly)
- Hold the connection slot forever, preventing legitimate clients from connecting
- Repeat this to exhaust server resources (DoS attack)
| /// - Allows concurrent handshakes to prevent slow clients from blocking others | ||
| /// - Limits memory overhead for pending handshake state | ||
| /// - May need adjustment based on actual workload characteristics | ||
| const MAX_CONCURRENT_HANDSHAKES: usize = 64; |
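Review bot: MAX_CONCURRENT_HANDSHAKES is a hard-coded const even though its own doc comment says it "may need adjustment based on actual workload characteristics"; with 64 slots and the 10s default handshake_timeout, 64 silent connections cap new handshakes at roughly 6.4 per second until slots time out, so expose the limit in the tls config next to handshake_timeout and emit a metric or log line when backpressure engages so operators can see the condition.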
Not mTLS-specific - this is a general TLS hardening to prevent DoS via connection flooding. Limits concurrent handshakes to 64, applying backpressure when exceeded. Without this limit, an attacker could overwhelm the server by initiating thousands of handshakes simultaneously.
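The two defenses discussed in the comments above, the handshake timeout against a client that never sends its ClientHello and the bounded number of concurrent handshakes with backpressure, as an added example that is not the PR's code. It is Go on the standard library rather than the receiver's Rust/tokio. No certificate is needed: a silent client never gets the server as far as certificate selection, so an empty tls.Config is enough to show the deadline firing. Gate, NewGate, IsTimeout, silentClient and SilentClients are this example's constructions, and the 2-slot/200ms sizes are chosen for a quick run; the receiver's values are 64 slots and a 10s default.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"net"
	"sync"
	"time"
)

// Gate bounds in-flight TLS handshakes (the PR's MAX_CONCURRENT_HANDSHAKES) and caps how long any one
// of them may take (tls.handshake_timeout). The buffered channel is a counting semaphore.
type Gate struct {
	slots   chan struct{}
	timeout time.Duration
}

func NewGate(maxConcurrent int, timeout time.Duration) *Gate {
	return &Gate{slots: make(chan struct{}, maxConcurrent), timeout: timeout}
}

// Handshake takes a slot (blocking when all are busy: that is the backpressure), runs the server-side
// handshake under a deadline, and closes the socket on any failure so a silent client cannot pin a
// slot for longer than timeout. The returned *tls.Conn is ready for application data.
func (g *Gate) Handshake(raw net.Conn, cfg *tls.Config) (*tls.Conn, error) {
	g.slots <- struct{}{}
	defer func() { <-g.slots }()
	if err := raw.SetDeadline(time.Now().Add(g.timeout)); err != nil {
		raw.Close()
		return nil, err
	}
	tc := tls.Server(raw, cfg)
	if err := tc.Handshake(); err != nil {
		raw.Close()
		return nil, err
	}
	return tc, raw.SetDeadline(time.Time{}) // handshake done; ordinary read/write timeouts take over
}

// IsTimeout reports whether a handshake error is the deadline firing rather than a protocol failure,
// which is the case a receiver should count and log as a possible slow-loris attempt.
func IsTimeout(err error) bool {
	var ne net.Error
	return errors.As(err, &ne) && ne.Timeout()
}

// silentClient opens TCP and never sends a ClientHello: the pattern the timeout exists for (constructed attacker).
func silentClient(addr string, hold time.Duration) {
	c, err := net.Dial("tcp", addr)
	if err != nil {
		return
	}
	time.Sleep(hold)
	c.Close()
}

// SilentClients throws n silent connections at a gate with maxConcurrent slots and returns how long the
// server spent before every handshake had failed, plus how many failed by timeout. With one slot the
// handshakes serialize (about n*timeout); with n slots they overlap (about one timeout).
func SilentClients(n, maxConcurrent int, timeout time.Duration) (elapsed time.Duration, timedOut int) {
	g := NewGate(maxConcurrent, timeout)
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	for i := 0; i < n; i++ {
		go silentClient(ln.Addr().String(), 10*timeout)
	}
	start := time.Now()
	var wg sync.WaitGroup
	var mu sync.Mutex
	for i := 0; i < n; i++ {
		raw, err := ln.Accept()
		if err != nil {
			panic(err)
		}
		wg.Add(1)
		go func() {
			defer wg.Done()
			if _, err := g.Handshake(raw, &tls.Config{}); IsTimeout(err) {
				mu.Lock()
				timedOut++
				mu.Unlock()
			}
		}()
	}
	wg.Wait()
	return time.Since(start), timedOut
}

func main() {
	serial, _ := SilentClients(2, 1, 200*time.Millisecond)
	parallel, _ := SilentClients(2, 2, 200*time.Millisecond)
	fmt.Printf("2 silent clients, 1 slot: %v; 2 slots: %v\n", serial.Round(10*time.Millisecond), parallel.Round(10*time.Millisecond))
}
```

SilentClients(2, 1, t) takes about 2t because the second handshake cannot start until the first times out and frees its slot, which is exactly what backpressure means for a legitimate client arriving behind a flood of silent ones; SilentClients(2, 2, t) takes about t. Counting IsTimeout hits separately from protocol errors is what lets an operator tell a slow-loris attempt from a misconfigured client.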
Adds mutual TLS (mTLS) client certificate authentication to OTLP/OTAP receivers with parallel handshake processing and timeout protection.
What's New
1. mTLS Client Certificate Verification (WebPkiClientVerifier)
2. Parallel Handshake Processing
3. Handshake timeout
Configuration
Enable mTLS
System CA Pool
What's Deferred