Anthony Romano
322976bedc
transport: CRL checking
2017-06-19 15:23:41 -07:00
Gyu-Ho Lee
d690634bd6
*: remove unused, fix typos
Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
2017-05-18 12:11:18 -07:00
Tony Grosinger
4e21f87e3d
pkg/transport: reload TLS certificates for every client requests
This changes the baseConfig used when creating tls Configs to utilize
the GetCertificate and GetClientCertificate functions to always reload
the certificates from disk whenever they are needed.
Always reloading the certificates allows changing the certificates via
an external process without interrupting etcd.
Fixes #7576
Cherry-picked by Gyu-Ho Lee <gyuhox@gmail.com>
Original commit can be found at https://github.com/coreos/etcd/pull/7784
2017-04-27 11:22:03 -07:00
Anthony Romano
05582ad5b2
transport: resolve DNSNames when SAN checking
The current transport client TLS checking will pass an IP address into
VerifyHostnames if there is DNSNames SAN. However, the go runtime will
not resolve the DNS names to match the client IP. Instead, resolve the
names when checking.
2017-04-18 13:21:26 -07:00
Gyu-Ho Lee
8aaa1ed911
*: use '*tls.Config.Clone' in Go 1.8
Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
2017-04-17 20:08:27 -07:00
Anthony Romano
1153e1e7d9
Merge pull request #7687 from heyitsanthony/deny-tls-ipsan
transport: deny incoming peer certs with wrong IP SAN
2017-04-13 15:03:25 -07:00
Gyu-Ho Lee
8ce579aac9
pkg/transport: add 'IsClosedConnError'
Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
2017-04-13 11:55:18 -07:00
Anthony Romano
70a9929b5d
transport: use actual certs for listener tests
2017-04-12 13:41:33 -07:00
Anthony Romano
cad1215b18
*: deny incoming peer certs with wrong IP SAN
2017-04-12 13:41:33 -07:00
Anthony Romano
d42c1f5131
Merge pull request #7646 from andelf/fix-unix-socket-url
*: fix a bug in handling unix socket urls
2017-04-05 09:24:38 -07:00
andelf
4f27981c46
*: fix a bug in handling unix socket urls
Now use url.Host + url.Path as unix socket path
Fixes #7644
2017-04-05 14:33:13 +08:00
Gyu-Ho Lee
8a7a548a6d
pkg/transport: remove port in Certificate.IPAddresses
etcd passes 'url.URL.Host' to 'SelfCert' which contains
client, peer port. 'net.ParseIP("127.0.0.1:2379")' returns
'nil', and the client on this self-cert will see errors
of '127.0.0.1 because it doesn't contain any IP SANs'
Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
2017-04-04 09:44:59 -07:00
Anthony Romano
2f1542c06d
*: use filepath.Join for files
2017-03-16 07:46:06 -07:00
Gyu-Ho Lee
3d75395875
*: remove never-unused vars, minor lint fix
Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
2017-03-06 14:59:12 -08:00
David Cheney
9b84127739
pkg/transport: remove dependency on pkg/fileutils
4a0f922 changed SelfCert to use a helper from pkg/fileutils which
introduced a transitive dependency on coreos/pkg/capnslog. This means
anyone who imports pkg/transport to use TLS with the clientv3 library
has the default stdlib logger hijacked by capnslog.
This PR reverts 4a0f922. There are no tests because 4a0f922 contained no
test and was not attached to a PR.
Fixes #7350
2017-02-20 12:32:04 +11:00
Laurie Clark-Michalek
eba41cd7b3
pkg/transport: Obey the usual laws of ssl when using a private PKI
2017-01-15 21:27:53 +00:00
Anthony Romano
da8fd18d8e
transport: warn on user-provided CA
ServerName is ignored for a user-provided CA for backwards compatibility. This
breaks PKI, so warn it is deprecated.
2017-01-12 09:10:05 -08:00
Gyu-Ho Lee
629d9e7dab
Revert "pkg/transport: update tls.Config copy method"
2016-09-19 15:07:12 +09:00
Gyu-Ho Lee
8c9a88c7d4
pkg/transport: update tls.Config copy method
For Go 1.7
2016-09-18 22:50:45 +09:00
Xiang Li
7a48ca4cea
embed: fix go 1.7 http issue
go 1.7 introduces HTTP2 compatibility issue. Now we
need to explicitly enable HTTP2 when TLS is set.
2016-09-18 18:38:55 +08:00
Anthony Romano
3b92384394
pkg/transport: bump wait time in TestReadWriteTimeoutDialer for write deadline
Was able to get 2s wait times with 500 concurrent requests on a fast machine;
a slower machine could possibly see similar delays with a single connection.
Fixes #6220
2016-08-22 15:30:44 -07:00
Gyu-Ho Lee
c38f0290a7
pkg/transport: fix minor typo
2016-08-04 16:00:18 -07:00
Anthony Romano
cd781bf30c
transport: add ServerName to TLSConfig and add ValidateSecureEndpoints
ServerName prevents accepting forged SRV records with cross-domain
credentials. ValidateSecureEndpoints prevents downgrade attacks from SRV
records.
2016-08-03 22:28:03 -07:00
Gyu-Ho Lee
c8cc87c3f5
pkg/transport: update scheme to unix copying URL
2016-08-03 10:35:28 -07:00
Anthony Romano
99e0655c2f
transport: wrap timeout listener with tls listener
Otherwise the listener will return timeoutConn's, causing a type
assertion to tls.Conn in net.http to fail so http.Request.TLS is never set.
2016-07-19 16:47:14 -07:00
Xiang Li
3839a55910
*: fix issue found in fast lease renew
2016-07-15 15:07:15 -07:00
Anthony Romano
fc1a226d15
pkg/transport: unix domain socket listener and transport
2016-06-24 21:04:31 -07:00
Gyu-Ho Lee
4a0f922a6c
pkg/transport: use TouchDirAll
2016-06-22 15:57:55 -07:00
Gyu-Ho Lee
6557ef7cd8
*: copy all exported members in tls.Config
Without this, go vet complains
assignment copies lock value to n: crypto/tls.Config contains sync.Once
contains sync.Mutex
2016-06-22 12:04:08 -07:00
Xiang Li
8b28c647ea
transport: require tls12
2016-06-02 09:38:56 -07:00
Gyu-Ho Lee
8b77de4e99
pkg: update LICENSE header
2016-05-12 20:48:53 -07:00
Xiang Li
eb3919e8cf
*: move basic tls util funcs to tlsutil pkg
2016-03-31 09:45:45 -07:00
Xiang Li
900a61b023
*: http and https on the same port
2016-03-23 10:28:38 -07:00
Nick Owens
d80a546ed4
pkg/transport: use ProxyFromEnvironment when constructing a transport
this allows use of HTTP_PROXY/HTTPS_PROXY for etcdctl.
2016-03-21 21:02:42 -07:00
Anthony Romano
a69c709839
pkg/transport: generate certs
2016-03-21 11:38:23 -07:00
Gyu-Ho Lee
dae7e009b0
*: godoc clean up
2016-03-19 14:19:23 -07:00
Anthony Romano
20461ab11a
*: fix many typos
2016-01-31 21:42:39 -08:00
Xiang Li
72ffa74476
pkg/transport: update timeout transport to reuse conn when timeout is not set
2016-01-25 06:55:54 +08:00
Gyu-Ho Lee
b6077f9d57
*: fix minor typos
2016-01-14 01:28:29 -08:00
Anthony Romano
811fbc5672
etcdmain: support keep alive listeners on limit listener connections
Fixes #4171
2016-01-08 10:11:31 -08:00
Gyu-Ho Lee
f76166a041
*: fix minor typos
2016-01-08 00:21:19 -08:00
Xiang Li
1f97f2dc36
etcdmain: tls listener MUST be at the outer layer of all listeners
go HTTP library uses type assertion to determine if a connection
is a TLS connection. If we wrap TLS Listener with any customized
Listener that can create customized Conn, HTTPS will be broken.
This commit fixes the issue.
2016-01-07 10:26:49 -08:00
Anthony Romano
f2df87f3e4
pkg/transport: support listeners on unix sockets
Given unix://<socketname>, NewListener will listen on unix socket <socketname>.
This is useful when binding to tcp ports is undesirable (e.g., testing).
2016-01-06 12:09:05 -08:00
Gyu-Ho Lee
81229dbea9
*: add missing package descriptions
This adds and updates package descriptions in etcd projects.
And also deletes some duplicate LICENSE statements.
2015-11-17 20:54:10 -08:00
Yicheng Qin
d3ebecdddd
pkg/transport: extend wait timeout for write
This helps the test to pass safely in semaphore CI.
Based on my manual testing, it may take at most 500ms to return
error in semaphore CI, so I set 1s as a safe value.
2015-10-21 18:27:21 -07:00
Xiang Li
3c1ecf70cf
pkg/transport: longer timeout for slow CI
2015-10-18 16:32:18 -07:00
Yicheng Qin
9673eb625a
pkg/transport: pass dial timeout to NewTransport
So we could set dial timeout for new transport, which makes it
customizable according to max RTT.
2015-10-11 10:09:25 -07:00
Yicheng Qin
de1a16e0f1
pkg/transport: fix a data race in TestReadWriteTimeoutDialer
Accessing test.T async will cause data race.
Change to use select to coordinate the access of test.T.
2015-09-30 17:29:24 -07:00
Xiang Li
5d033c22af
pkg/transport: fix a data race in TestWriteReadTimeoutListener
2015-09-25 10:02:37 -07:00
Yicheng Qin
92cd24d5bd
*: fix govet shadow check failure
2015-08-27 14:15:30 -07:00