pkg/transport: Improved description of flag peer-skip-client-san-verification
parent
2f476f2b5a
commit
03fd396610
@ -213,7 +213,7 @@ func newConfig() *config {
|
|||||||
fs.StringVar(&cfg.ec.PeerTLSInfo.AllowedCN, "peer-cert-allowed-cn", "", "Allowed CN for inter peer authentication.")
|
fs.StringVar(&cfg.ec.PeerTLSInfo.AllowedCN, "peer-cert-allowed-cn", "", "Allowed CN for inter peer authentication.")
|
||||||
fs.StringVar(&cfg.ec.PeerTLSInfo.AllowedHostname, "peer-cert-allowed-hostname", "", "Allowed TLS hostname for inter peer authentication.")
|
fs.StringVar(&cfg.ec.PeerTLSInfo.AllowedHostname, "peer-cert-allowed-hostname", "", "Allowed TLS hostname for inter peer authentication.")
|
||||||
fs.Var(flags.NewStringsValue(""), "cipher-suites", "Comma-separated list of supported TLS cipher suites between client/server and peers (empty will be auto-populated by Go).")
|
fs.Var(flags.NewStringsValue(""), "cipher-suites", "Comma-separated list of supported TLS cipher suites between client/server and peers (empty will be auto-populated by Go).")
|
||||||
fs.BoolVar(&cfg.ec.PeerTLSInfo.SkipClientVerify, "peer-skip-client-verify", false, "Skip client IP verification for peer connections.")
|
fs.BoolVar(&cfg.ec.PeerTLSInfo.SkipClientSANVerify, "peer-skip-client-san-verification", false, "Skip verification of SAN field in client certificate for peer connections.")
|
||||||
|
|
||||||
fs.Var(
|
fs.Var(
|
||||||
flags.NewUniqueURLsWithExceptions("*", "*"),
|
flags.NewUniqueURLsWithExceptions("*", "*"),
|
||||||
|
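Review bot: The old flag name `peer-skip-client-verify` (line 28) is dropped outright in favour of `peer-skip-client-san-verification` (line 30) with no deprecated alias, so any unit file or wrapper that still passes the old name will fail at startup with an unknown-flag error; if the old name has shipped in a release, registering it as a deprecated alias that sets the same `cfg.ec.PeerTLSInfo.SkipClientSANVerify` field, or at least noting the rename in the changelog, would avoid a silent upgrade break. If the config-file loader derives YAML keys from these struct fields (not visible here), the field rename may break existing config files the same way. The new help text should also tell operators what they give up by setting it, e.g. `"Skip verification of SAN field in client certificate for peer connections (weakens peer authentication; use only when peer certificates cannot carry correct SANs)."`. newConfig continues outside the hunk.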
@ -56,7 +56,7 @@ func wrapTLS(scheme string, tlsinfo *TLSInfo, l net.Listener) (net.Listener, err
|
|||||||
if scheme != "https" && scheme != "unixs" {
|
if scheme != "https" && scheme != "unixs" {
|
||||||
return l, nil
|
return l, nil
|
||||||
}
|
}
|
||||||
if tlsinfo != nil && tlsinfo.SkipClientVerify {
|
if tlsinfo != nil && tlsinfo.SkipClientSANVerify {
|
||||||
return NewTLSListener(l, tlsinfo)
|
return NewTLSListener(l, tlsinfo)
|
||||||
}
|
}
|
||||||
return newTLSListener(l, tlsinfo, checkSAN)
|
return newTLSListener(l, tlsinfo, checkSAN)
|
||||||
@ -69,7 +69,7 @@ type TLSInfo struct {
|
|||||||
ClientCertAuth bool
|
ClientCertAuth bool
|
||||||
CRLFile string
|
CRLFile string
|
||||||
InsecureSkipVerify bool
|
InsecureSkipVerify bool
|
||||||
SkipClientVerify bool
|
SkipClientSANVerify bool
|
||||||
|
|
||||||
// ServerName ensures the cert matches the given host in case of discovery / virtual hosting
|
// ServerName ensures the cert matches the given host in case of discovery / virtual hosting
|
||||||
ServerName string
|
ServerName string
|
||||||
|
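Review bot: The new `SkipClientSANVerify` field at line 105 carries no doc comment, unlike `ServerName` just below it, even though it is a security-relevant relaxation: wrapTLS on this page returns a listener without checkSAN when it is set, and the test comment describes accepting a client whose certificate address does not match its IP. A reader of TLSInfo should see that at the declaration, e.g. `// SkipClientSANVerify disables the check that a peer's client certificate SAN matches the address it connects from; this weakens peer authentication and should only be set when peer certificates cannot carry correct SANs.`. The TLSInfo struct continues outside the hunk.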
@ -78,16 +78,16 @@ func testNewListenerTLSInfoAccept(t *testing.T, tlsInfo TLSInfo) {
|
|||||||
}
|
}
|
||||||
defer conn.Close()
|
defer conn.Close()
|
||||||
if _, ok := conn.(*tls.Conn); !ok {
|
if _, ok := conn.(*tls.Conn); !ok {
|
||||||
t.Errorf("failed to accept *tls.Conn")
|
t.Error("failed to accept *tls.Conn")
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// TestNewListenerTLSInfoSkipClientVerify tests that if client IP address mismatches
|
// TestNewListenerTLSInfoSkipClientSANVerify tests that if client IP address mismatches
|
||||||
// with specified address in its certificate the connection is still accepted
|
// with specified address in its certificate the connection is still accepted
|
||||||
// if the flag SkipClientVerify is set (i.e. checkSAN() is disabled for the client side)
|
// if the flag SkipClientSANVerify is set (i.e. checkSAN() is disabled for the client side)
|
||||||
func TestNewListenerTLSInfoSkipClientVerify(t *testing.T) {
|
func TestNewListenerTLSInfoSkipClientSANVerify(t *testing.T) {
|
||||||
tests := []struct {
|
tests := []struct {
|
||||||
skipClientVerify bool
|
skipClientSANVerify bool
|
||||||
goodClientHost bool
|
goodClientHost bool
|
||||||
acceptExpected bool
|
acceptExpected bool
|
||||||
}{
|
}{
|
||||||
@ -97,11 +97,11 @@ func TestNewListenerTLSInfoSkipClientVerify(t *testing.T) {
|
|||||||
{true, false, true},
|
{true, false, true},
|
||||||
}
|
}
|
||||||
for _, test := range tests {
|
for _, test := range tests {
|
||||||
testNewListenerTLSInfoClientCheck(t, test.skipClientVerify, test.goodClientHost, test.acceptExpected)
|
testNewListenerTLSInfoClientCheck(t, test.skipClientSANVerify, test.goodClientHost, test.acceptExpected)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func testNewListenerTLSInfoClientCheck(t *testing.T, skipClientVerify, goodClientHost, acceptExpected bool) {
|
func testNewListenerTLSInfoClientCheck(t *testing.T, skipClientSANVerify, goodClientHost, acceptExpected bool) {
|
||||||
tlsInfo, del, err := createSelfCert()
|
tlsInfo, del, err := createSelfCert()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatalf("unable to create cert: %v", err)
|
t.Fatalf("unable to create cert: %v", err)
|
||||||
@ -118,7 +118,7 @@ func testNewListenerTLSInfoClientCheck(t *testing.T, skipClientVerify, goodClien
|
|||||||
}
|
}
|
||||||
defer del2()
|
defer del2()
|
||||||
|
|
||||||
tlsInfo.SkipClientVerify = skipClientVerify
|
tlsInfo.SkipClientSANVerify = skipClientSANVerify
|
||||||
tlsInfo.TrustedCAFile = clientTLSInfo.CertFile
|
tlsInfo.TrustedCAFile = clientTLSInfo.CertFile
|
||||||
|
|
||||||
rootCAs := x509.NewCertPool()
|
rootCAs := x509.NewCertPool()
|
||||||
@ -166,7 +166,7 @@ func testNewListenerTLSInfoClientCheck(t *testing.T, skipClientVerify, goodClien
|
|||||||
select {
|
select {
|
||||||
case <-chClientErr:
|
case <-chClientErr:
|
||||||
if acceptExpected {
|
if acceptExpected {
|
||||||
t.Errorf("accepted for good client address: skipClientVerify=%t, goodClientHost=%t", skipClientVerify, goodClientHost)
|
t.Errorf("accepted for good client address: skipClientSANVerify=%t, goodClientHost=%t", skipClientSANVerify, goodClientHost)
|
||||||
}
|
}
|
||||||
case acceptErr := <-chAcceptErr:
|
case acceptErr := <-chAcceptErr:
|
||||||
t.Fatalf("unexpected Accept error: %v", acceptErr)
|
t.Fatalf("unexpected Accept error: %v", acceptErr)
|
||||||
@ -176,7 +176,7 @@ func testNewListenerTLSInfoClientCheck(t *testing.T, skipClientVerify, goodClien
|
|||||||
t.Errorf("failed to accept *tls.Conn")
|
t.Errorf("failed to accept *tls.Conn")
|
||||||
}
|
}
|
||||||
if !acceptExpected {
|
if !acceptExpected {
|
||||||
t.Errorf("accepted for bad client address: skipClientVerify=%t, goodClientHost=%t", skipClientVerify, goodClientHost)
|
t.Errorf("accepted for bad client address: skipClientSANVerify=%t, goodClientHost=%t", skipClientSANVerify, goodClientHost)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|