pkg/transport: Improved description of flag peer-skip-client-san-verification

Martin Weindel 2019-06-11 17:28:01 +02:00 committed by Sam Batschelet
parent 2f476f2b5a
commit 03fd396610
3 changed files with 21 additions and 21 deletions


@ -213,7 +213,7 @@ func newConfig() *config {
fs.StringVar(&cfg.ec.PeerTLSInfo.AllowedCN, "peer-cert-allowed-cn", "", "Allowed CN for inter peer authentication.") fs.StringVar(&cfg.ec.PeerTLSInfo.AllowedCN, "peer-cert-allowed-cn", "", "Allowed CN for inter peer authentication.")
fs.StringVar(&cfg.ec.PeerTLSInfo.AllowedHostname, "peer-cert-allowed-hostname", "", "Allowed TLS hostname for inter peer authentication.") fs.StringVar(&cfg.ec.PeerTLSInfo.AllowedHostname, "peer-cert-allowed-hostname", "", "Allowed TLS hostname for inter peer authentication.")
fs.Var(flags.NewStringsValue(""), "cipher-suites", "Comma-separated list of supported TLS cipher suites between client/server and peers (empty will be auto-populated by Go).") fs.Var(flags.NewStringsValue(""), "cipher-suites", "Comma-separated list of supported TLS cipher suites between client/server and peers (empty will be auto-populated by Go).")
fs.BoolVar(&cfg.ec.PeerTLSInfo.SkipClientVerify, "peer-skip-client-verify", false, "Skip client IP verification for peer connections.") fs.BoolVar(&cfg.ec.PeerTLSInfo.SkipClientSANVerify, "peer-skip-client-san-verification", false, "Skip verification of SAN field in client certificate for peer connections.")
fs.Var( fs.Var(
flags.NewUniqueURLsWithExceptions("*", "*"), flags.NewUniqueURLsWithExceptions("*", "*"),
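Review bot: The old flag name `peer-skip-client-verify` is removed on the fs.BoolVar line without a deprecated alias, so any command line still passing it will fail flag parsing after this change. If the old name was ever shipped in a release, keep it registered against the same field, e.g. `fs.BoolVar(&cfg.ec.PeerTLSInfo.SkipClientSANVerify, "peer-skip-client-verify", false, "DEPRECATED: use --peer-skip-client-san-verification instead.")`, placed next to the new registration. Because disabling the SAN check relaxes peer authentication, the help text could also state what is still verified (the client certificate chain, if that is what NewTLSListener enforces — its body is not in this diff). newConfig starts and ends outside the hunk.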


@ -56,20 +56,20 @@ func wrapTLS(scheme string, tlsinfo *TLSInfo, l net.Listener) (net.Listener, err
if scheme != "https" && scheme != "unixs" { if scheme != "https" && scheme != "unixs" {
return l, nil return l, nil
} }
if tlsinfo != nil && tlsinfo.SkipClientVerify { if tlsinfo != nil && tlsinfo.SkipClientSANVerify {
return NewTLSListener(l, tlsinfo) return NewTLSListener(l, tlsinfo)
} }
return newTLSListener(l, tlsinfo, checkSAN) return newTLSListener(l, tlsinfo, checkSAN)
} }
type TLSInfo struct { type TLSInfo struct {
CertFile string CertFile string
KeyFile string KeyFile string
TrustedCAFile string TrustedCAFile string
ClientCertAuth bool ClientCertAuth bool
CRLFile string CRLFile string
InsecureSkipVerify bool InsecureSkipVerify bool
SkipClientVerify bool SkipClientSANVerify bool
// ServerName ensures the cert matches the given host in case of discovery / virtual hosting // ServerName ensures the cert matches the given host in case of discovery / virtual hosting
ServerName string ServerName string
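Review bot: The renamed field `SkipClientSANVerify` in TLSInfo still carries no doc comment, unlike the neighbouring `ServerName`, and the wrapTLS branch above is the only place in this hunk that shows what it controls. Suggest adding above the field: `// SkipClientSANVerify disables the checkSAN address check on the client certificate of accepted peer connections (see wrapTLS); it is not meant to disable client certificate validation itself.` The second clause should be confirmed against NewTLSListener, whose body is outside this diff. wrapTLS begins before the hunk and the TLSInfo struct continues past it.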


@ -78,18 +78,18 @@ func testNewListenerTLSInfoAccept(t *testing.T, tlsInfo TLSInfo) {
} }
defer conn.Close() defer conn.Close()
if _, ok := conn.(*tls.Conn); !ok { if _, ok := conn.(*tls.Conn); !ok {
t.Errorf("failed to accept *tls.Conn") t.Error("failed to accept *tls.Conn")
} }
} }
// TestNewListenerTLSInfoSkipClientVerify tests that if client IP address mismatches // TestNewListenerTLSInfoSkipClientSANVerify tests that if client IP address mismatches
// with specified address in its certificate the connection is still accepted // with specified address in its certificate the connection is still accepted
// if the flag SkipClientVerify is set (i.e. checkSAN() is disabled for the client side) // if the flag SkipClientSANVerify is set (i.e. checkSAN() is disabled for the client side)
func TestNewListenerTLSInfoSkipClientVerify(t *testing.T) { func TestNewListenerTLSInfoSkipClientSANVerify(t *testing.T) {
tests := []struct { tests := []struct {
skipClientVerify bool skipClientSANVerify bool
goodClientHost bool goodClientHost bool
acceptExpected bool acceptExpected bool
}{ }{
{false, true, true}, {false, true, true},
{false, false, false}, {false, false, false},
@ -97,11 +97,11 @@ func TestNewListenerTLSInfoSkipClientVerify(t *testing.T) {
{true, false, true}, {true, false, true},
} }
for _, test := range tests { for _, test := range tests {
testNewListenerTLSInfoClientCheck(t, test.skipClientVerify, test.goodClientHost, test.acceptExpected) testNewListenerTLSInfoClientCheck(t, test.skipClientSANVerify, test.goodClientHost, test.acceptExpected)
} }
} }
func testNewListenerTLSInfoClientCheck(t *testing.T, skipClientVerify, goodClientHost, acceptExpected bool) { func testNewListenerTLSInfoClientCheck(t *testing.T, skipClientSANVerify, goodClientHost, acceptExpected bool) {
tlsInfo, del, err := createSelfCert() tlsInfo, del, err := createSelfCert()
if err != nil { if err != nil {
t.Fatalf("unable to create cert: %v", err) t.Fatalf("unable to create cert: %v", err)
@ -118,7 +118,7 @@ func testNewListenerTLSInfoClientCheck(t *testing.T, skipClientVerify, goodClien
} }
defer del2() defer del2()
tlsInfo.SkipClientVerify = skipClientVerify tlsInfo.SkipClientSANVerify = skipClientSANVerify
tlsInfo.TrustedCAFile = clientTLSInfo.CertFile tlsInfo.TrustedCAFile = clientTLSInfo.CertFile
rootCAs := x509.NewCertPool() rootCAs := x509.NewCertPool()
@ -166,7 +166,7 @@ func testNewListenerTLSInfoClientCheck(t *testing.T, skipClientVerify, goodClien
select { select {
case <-chClientErr: case <-chClientErr:
if acceptExpected { if acceptExpected {
t.Errorf("accepted for good client address: skipClientVerify=%t, goodClientHost=%t", skipClientVerify, goodClientHost) t.Errorf("accepted for good client address: skipClientSANVerify=%t, goodClientHost=%t", skipClientSANVerify, goodClientHost)
} }
case acceptErr := <-chAcceptErr: case acceptErr := <-chAcceptErr:
t.Fatalf("unexpected Accept error: %v", acceptErr) t.Fatalf("unexpected Accept error: %v", acceptErr)
@ -176,7 +176,7 @@ func testNewListenerTLSInfoClientCheck(t *testing.T, skipClientVerify, goodClien
t.Errorf("failed to accept *tls.Conn") t.Errorf("failed to accept *tls.Conn")
} }
if !acceptExpected { if !acceptExpected {
t.Errorf("accepted for bad client address: skipClientVerify=%t, goodClientHost=%t", skipClientVerify, goodClientHost) t.Errorf("accepted for bad client address: skipClientSANVerify=%t, goodClientHost=%t", skipClientSANVerify, goodClientHost)
} }
} }
} }
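Review bot: The first hunk changes the constant-message call in testNewListenerTLSInfoAccept to `t.Error("failed to accept *tls.Conn")`, but the identical message in testNewListenerTLSInfoClientCheck in the last hunk is left as `t.Errorf("failed to accept *tls.Conn")`; for consistency that line should become `t.Error("failed to accept *tls.Conn")` as well. The test doc comment in the second hunk accurately describes the address-mismatch scenario, so no wording change is needed there. Both enclosing functions start and end outside their hunks.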