Influxdb is not sending a client certificate during TLS handshake

I want to send InfluxDB data to a subscriber over HTTPS.
Our security team does not want us to just use username and password to authenticate the call.
They want us to use TLS client authentication where the client certificate is sent during TLS handshake.
We turned on HTTPS on the InfluxDB web server, but it appears that InfluxDB is not sending a client certificate during the TLS handshake.

We were wondering whether it is possible for InfluxDB to do this.
If so, how can it be configured to do so?
Also, let us know if this is not possible, so we can pursue other choices.

Thanks In Advance
Kamal


Hello @ComeAll,
Welcome! You can enable TLS.
Let me know if I can help with anything else :)

The OP’s request is very interesting and I’d use certificate based client authentication if it were available. Unfortunately that link doesn’t even slightly cover the OP’s request.

Hi @ComeAll,

Unfortunately InfluxDB does not support mTLS; please feel free to open a feature request.

I appreciate that you were unhappy with my colleague's answer, but we're doing our best to help people here.

Instead of pointing out the flaws, use these sorts of opportunities to help the community and expand on the OP's question; we can all learn together.

Hi @rawkode, @Anaisdg,
Sorry that I came across cocky. I thought (and still think) that the OP talking about using TLS client authentication instead of username + password was unambiguous, but my answer was inappropriate and impertinent and I apologize for that.
If you want to read about TLS client authentication, just jump over to Wikipedia to the TLS handshake chapter (https://en.m.wikipedia.org/wiki/Transport_Layer_Security#TLS_handshake) and scroll down to “Client-authenticated TLS handshake”.

Regards
Alex


I stumbled on this thread because I was trying to get influxdb to send subscription data to kapacitor over TLS/https.

This shows the InfluxDB subscriptions configured for HTTPS:

> show subscriptions
name: _internal
retention_policy name                                           mode destinations
---------------- ----                                           ---- ------------
monitor          kapacitor-0237911b-8496-432b-8bd3-cc624b5b1ce5 ANY  [https://kapacitor.example.com:9092]

name: telegraf
retention_policy name                                           mode destinations
---------------- ----                                           ---- ------------
autogen          kapacitor-0237911b-8496-432b-8bd3-cc624b5b1ce5 ANY  [https://kapacitor.example.com:9092]

I got this working by setting the following in kapacitor.conf:

# kapacitor.conf is TOML; the option lives in the [[influxdb]] section
[[influxdb]]
  subscription-protocol = "https"

But unfortunately this config does not mean influxdb, as a TLS client of kapacitor, will present a client certificate to kapacitor for mTLS.
I guess a potential workaround is to create a packet ACL on kapacitor that blocks all traffic except those from influxdb.
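An added example, not from this thread and not code from the InfluxDB or Kapacitor projects, of what the "client-authenticated TLS handshake" that Alex points to above means in practice, and of the check behind the last post: a subscriber that requires a client certificate (`ClientAuth: tls.RequireAndVerifyClientCert`), and a client that connects once with a certificate issued by the subscriber's CA and once with no certificate at all, which is the situation the last poster observes with InfluxDB as the TLS client. It is written in Go because both products are Go programs. The CA, the certificates and the names `test-ca`, `subscriber`, `influxdb` and `localhost` are all constructed in memory for the example and are assumptions, not anything from the page.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// newCert builds an in-memory certificate (a constructed test PKI, not real keys).
// With parent == nil the certificate is self-signed; otherwise parent issues it.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		DNSNames:              []string{"localhost"},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, key
}

// startMTLSSubscriber stands in for the subscriber (Kapacitor in the thread), hardened
// to require a client certificate issued by clientCA. Every connection that passes the
// handshake is answered with the CommonName the server verified, so the client can see
// exactly what the server saw.
func startMTLSSubscriber(serverCert tls.Certificate, clientCA *x509.Certificate) (addr string, stop func(), err error) {
	pool := x509.NewCertPool()
	pool.AddCert(clientCA)
	cfg := &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the one setting that turns TLS into mTLS
		ClientCAs:    pool,
		MinVersion:   tls.VersionTLS12,
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return "", nil, err
	}
	go func() {
		for {
			conn, err := ln.Accept()
			if err != nil {
				return
			}
			go func(tc *tls.Conn) {
				defer tc.Close()
				if err := tc.Handshake(); err != nil {
					return // no certificate or an untrusted one: the alert has already gone to the peer
				}
				fmt.Fprintln(tc, tc.ConnectionState().PeerCertificates[0].Subject.CommonName)
			}(conn.(*tls.Conn))
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }, nil
}

// probe plays the TLS client (InfluxDB's role). It returns the CommonName the server
// accepted, or an error if the server refused the connection.
func probe(addr string, serverCA *x509.Certificate, clientCert *tls.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(serverCA)
	cfg := &tls.Config{RootCAs: pool, ServerName: "localhost", MinVersion: tls.VersionTLS12}
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert}
	}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	// With TLS 1.3 the client finishes its side of the handshake before the server judges
	// the certificate, so a rejection may only surface here, on the first read.
	line, err := bufio.NewReader(conn).ReadString('\n')
	if err != nil {
		return "", err
	}
	return strings.TrimSpace(line), nil
}

func main() {
	_, caCert, caKey := newCert("test-ca", true, nil, nil)
	serverCert, _, _ := newCert("subscriber", false, caCert, caKey)
	clientCert, _, _ := newCert("influxdb", false, caCert, caKey)
	addr, stop, err := startMTLSSubscriber(serverCert, caCert)
	if err != nil {
		panic(err)
	}
	defer stop()
	fmt.Println(probe(addr, caCert, &clientCert)) // accepted: the server saw "influxdb"
	fmt.Println(probe(addr, caCert, nil))         // refused: no client certificate, the thread's symptom
}
```

The server half is also the check a practitioner wants: listen with `RequireAndVerifyClientCert`, point a real TLS client (an InfluxDB subscription, in the thread's case) at the address, and a connection that dies inside `Handshake` without ever reaching the `Fprintln` means no usable client certificate was presented. A certificate from a CA the subscriber does not trust is refused the same way, which is why a packet ACL as suggested above restricts who can reach the port but does not prove who is speaking.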