Mirroristas/etcd
2
0
Fork 0
mirror of https://github.com/etcd-io/etcd.git synced 2024-09-27 06:25:44 +00:00
Code Issues Packages Projects Releases Wiki Activity

embed: support custom cipher suites

Browse Source 
Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
This commit is contained in:
Gyuho Lee 2018-06-04 08:45:16 -07:00
parent 6c2add4142
commit 22d65d8cc2
2 changed files with 61 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

74
embed/config.go
View File

@ -31,6 +31,7 @@ import (
"github.com/coreos/etcd/pkg/cors" "github.com/coreos/etcd/pkg/cors"
"github.com/coreos/etcd/pkg/netutil" "github.com/coreos/etcd/pkg/netutil"
"github.com/coreos/etcd/pkg/srv" "github.com/coreos/etcd/pkg/srv"
"github.com/coreos/etcd/pkg/tlsutil"
"github.com/coreos/etcd/pkg/transport" "github.com/coreos/etcd/pkg/transport"
"github.com/coreos/etcd/pkg/types" "github.com/coreos/etcd/pkg/types"
@ -183,6 +184,11 @@ type Config struct {
PeerTLSInfo transport.TLSInfo PeerTLSInfo transport.TLSInfo
PeerAutoTLS bool PeerAutoTLS bool
// CipherSuites is a list of supported TLS cipher suites between
// client/server and peers. If empty, Go auto-populates the list.
// Note that cipher suites are prioritized in the given order.
CipherSuites []string `json:"cipher-suites"`
// debug // debug
Debug bool `json:"debug"` Debug bool `json:"debug"`
@ -426,6 +432,24 @@ func (cfg *configYAML) configFromFile(path string) error {
return cfg.Validate() return cfg.Validate()
} }
func updateCipherSuites(tls *transport.TLSInfo, ss []string) error {
if len(tls.CipherSuites) > 0 && len(ss) > 0 {
return fmt.Errorf("TLSInfo.CipherSuites is already specified (given %v)", ss)
}
if len(ss) > 0 {
cs := make([]uint16, len(ss))
for i, s := range ss {
var ok bool
cs[i], ok = tlsutil.GetCipherSuite(s)
if !ok {
return fmt.Errorf("unexpected TLS cipher suite %q", s)
}
}
tls.CipherSuites = cs
}
return nil
}
// Validate ensures that '*embed.Config' fields are properly configured. // Validate ensures that '*embed.Config' fields are properly configured.
func (cfg *Config) Validate() error { func (cfg *Config) Validate() error {
if err := checkBindURLs(cfg.LPUrls); err != nil { if err := checkBindURLs(cfg.LPUrls); err != nil {
@ -562,31 +586,41 @@ func (cfg Config) defaultClientHost() bool {
} }
func (cfg *Config) ClientSelfCert() (err error) { func (cfg *Config) ClientSelfCert() (err error) {
if cfg.ClientAutoTLS && cfg.ClientTLSInfo.Empty() { if !cfg.ClientAutoTLS {
chosts := make([]string, len(cfg.LCUrls)) return nil
for i, u := range cfg.LCUrls {
chosts[i] = u.Host
}
cfg.ClientTLSInfo, err = transport.SelfCert(filepath.Join(cfg.Dir, "fixtures", "client"), chosts)
return err
} else if cfg.ClientAutoTLS {
plog.Warningf("ignoring client auto TLS since certs given")
} }
return nil if !cfg.ClientTLSInfo.Empty() {
plog.Warningf("ignoring client auto TLS since certs given")
return nil
}
chosts := make([]string, len(cfg.LCUrls))
for i, u := range cfg.LCUrls {
chosts[i] = u.Host
}
cfg.ClientTLSInfo, err = transport.SelfCert(filepath.Join(cfg.Dir, "fixtures", "client"), chosts)
if err != nil {
return err
}
return updateCipherSuites(&cfg.ClientTLSInfo, cfg.CipherSuites)
} }
func (cfg *Config) PeerSelfCert() (err error) { func (cfg *Config) PeerSelfCert() (err error) {
if cfg.PeerAutoTLS && cfg.PeerTLSInfo.Empty() { if !cfg.PeerAutoTLS {
phosts := make([]string, len(cfg.LPUrls)) return nil
for i, u := range cfg.LPUrls {
phosts[i] = u.Host
}
cfg.PeerTLSInfo, err = transport.SelfCert(filepath.Join(cfg.Dir, "fixtures", "peer"), phosts)
return err
} else if cfg.PeerAutoTLS {
plog.Warningf("ignoring peer auto TLS since certs given")
} }
return nil if !cfg.PeerTLSInfo.Empty() {
plog.Warningf("ignoring peer auto TLS since certs given")
return nil
}
phosts := make([]string, len(cfg.LPUrls))
for i, u := range cfg.LPUrls {
phosts[i] = u.Host
}
cfg.PeerTLSInfo, err = transport.SelfCert(filepath.Join(cfg.Dir, "fixtures", "peer"), phosts)
if err != nil {
return err
}
return updateCipherSuites(&cfg.PeerTLSInfo, cfg.CipherSuites)
} }
// UpdateDefaultClusterFromName updates cluster advertise URLs with, if available, default host, // UpdateDefaultClusterFromName updates cluster advertise URLs with, if available, default host,

8
embed/etcd.go
View File

@ -42,7 +42,7 @@ import (
"github.com/coreos/etcd/rafthttp" "github.com/coreos/etcd/rafthttp"
"github.com/coreos/pkg/capnslog" "github.com/coreos/pkg/capnslog"
"github.com/grpc-ecosystem/go-grpc-prometheus" grpc_prometheus "github.com/grpc-ecosystem/go-grpc-prometheus"
"github.com/soheilhy/cmux" "github.com/soheilhy/cmux"
"google.golang.org/grpc" "google.golang.org/grpc"
"google.golang.org/grpc/keepalive" "google.golang.org/grpc/keepalive"
@ -302,6 +302,9 @@ func stopServers(ctx context.Context, ss *servers) {
func (e *Etcd) Err() <-chan error { return e.errc } func (e *Etcd) Err() <-chan error { return e.errc }
func startPeerListeners(cfg *Config) (peers []*peerListener, err error) { func startPeerListeners(cfg *Config) (peers []*peerListener, err error) {
if err = updateCipherSuites(&cfg.PeerTLSInfo, cfg.CipherSuites); err != nil {
return nil, err
}
if err = cfg.PeerSelfCert(); err != nil { if err = cfg.PeerSelfCert(); err != nil {
plog.Fatalf("could not get certs (%v)", err) plog.Fatalf("could not get certs (%v)", err)
} }
@ -387,6 +390,9 @@ func (e *Etcd) servePeers() (err error) {
} }
func startClientListeners(cfg *Config) (sctxs map[string]*serveCtx, err error) { func startClientListeners(cfg *Config) (sctxs map[string]*serveCtx, err error) {
if err = updateCipherSuites(&cfg.ClientTLSInfo, cfg.CipherSuites); err != nil {
return nil, err
}
if err = cfg.ClientSelfCert(); err != nil { if err = cfg.ClientSelfCert(); err != nil {
plog.Fatalf("could not get certs (%v)", err) plog.Fatalf("could not get certs (%v)", err)
} }