etcdmain: grpc-proxy should only require CN-less certificates for --cert flags.

We have following communication schema: client --- 1 ---> grpc-proxy --- 2 --- > etcd-server There are 2 sets of flags/certs in grpc proxy [ https://github.com/etcd-io/etcd/blob/master/etcdmain/grpc_proxy.go#L140 ]: A. (cert-file, key-file, trusted-ca-file, auto-tls) this are controlling [1] so client to proxy connection and in particular they are describing proxy public identity. B. (cert,key, cacert ) - these are controlling [2] so what's the identity that proxy uses to make connections to the etcd-server. If 2 (B.) contains certificate with CN and etcd-server is running with --client-cert-auth=true, the CN can be used as identity of 'client' from service perspective. This is permission escalation, that we should forbid. If 1 (A.) contains certificate with CN - it should be considered perfectly valid. The server can (should) have full identity. So only --cert flag (and not --cert-file flag) should be validated for empty CN.
2024-09-27 06:25:44 +00:00 · 2020-09-07 11:52:45 +02:00
parent 2c93127c7b
commit 2d0ce9de3d
2 changed files with 10 additions and 5 deletions
--- a/pkg/transport/listener.go
+++ b/pkg/transport/listener.go
@@ -437,7 +437,7 @@ func (info TLSInfo) ClientConfig() (*tls.Config, error) {
 			return tls.X509KeyPair(certPEMBlock, keyPEMBlock)
 		})
 		if hasNonEmptyCN {
-			return nil, fmt.Errorf("cert has non empty Common Name (%s)", cn)
+			return nil, fmt.Errorf("cert has non empty Common Name (%s): %s", cn, info.CertFile)
 		}
 	}