mirrors/etcd
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
14,919 Commits 124 Branches 418 Tags
faa7a499729ed84fb3d5509b51a18bd82c07d3e5
Commit Graph

104 Commits

Author SHA1 Message Date
Hitoshi Mitake
65887ae1b4 pkg, clientv3, etcdmain: let grpcproxy rise an error when its cert has non empty CN 
Fix https://github.com/etcd-io/etcd/issues/9521
 2019-01-25 00:43:57 +09:00
Gyuho Lee
d37f1521b7 *: update import paths to "go.etcd.io/etcd" 
Signed-off-by: Gyuho Lee <leegyuho@amazon.com>
 2018-08-28 17:47:55 -07:00
Gyuho Lee
3fb9cc84c6 pkg/transport: add "TLSInfo.CipherSuites" field 
Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
 2018-06-05 12:27:05 -07:00
Gyuho Lee
c862712c73 pkg/transport: remove unused parameter from "wrapTLS" 
Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
 2018-05-09 15:42:45 -07:00
Gyuho Lee
2bd88e378c pkg/transport: check nil logger 
Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
 2018-04-16 17:36:00 -07:00
Gyuho Lee
3f8d1738de pkg/transport: document how TLS reload works with IP only certs 
Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
 2018-04-13 14:19:37 -07:00
rob boll
88c078d4bd pkg/transport: don't set certificates on tls config 2018-04-13 13:17:27 -07:00
Gyuho Lee
7f812ca8e1 pkg/proxy: move from "pkg/transport" 
Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
 2018-04-05 11:06:30 -07:00
Gyuho Lee
322437f47d pkg/transport: log tlsutil.NewCert errors 
Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
 2018-04-02 13:42:09 -07:00
Gyuho Lee
d44332daa9 proxy: clean up logging 
Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
 2018-03-30 11:25:23 -07:00
Gyuho Lee
759fcb6e70 pkg/transport: deprecate "CAFile" field 
Has been deprecated since v2.1...

Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
 2018-03-20 15:38:05 -07:00
Gyuho Lee
ab486e5348 pkg/transport: implement "Proxy" 
Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
 2018-01-24 17:37:09 -08:00
Gyuho Lee
114a7779c9 pkg/transport: add "fixtures" for TLS tests 
Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
 2018-01-24 17:37:09 -08:00
Gyu-Ho Lee
75110dd839 *: fix naked returns 
Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
 2017-11-10 18:46:15 -08:00
Gyu-Ho Lee
1f2197b1f8 pkg/transport: add TODO to deprecate 'CAFile' field in v4 
Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
 2017-10-04 14:01:01 -07:00
Hitoshi Mitake
70018e9207 etcdmain, pkg: CN based auth for inter peer connection 
This commit adds an authentication mechanism to inter peer connection
(rafthttp). If the cert based peer auth is enabled and a new option
`--peer-cert-allowed-cn` is passed, an etcd process denies a peer
connection whose CN doesn't match.
 2017-10-02 15:59:17 +09:00
Anthony Romano
e9a7f3551b Merge pull request #8281 from heyitsanthony/san-rdns 
transport: use reverse lookup to match wildcard DNS SAN
 2017-07-22 08:02:57 -07:00
Anthony Romano
b1aa962233 transport: use reverse lookup to match wildcard DNS SAN 
Fixes #8268
 2017-07-21 16:43:25 -07:00
Anthony Romano
426ad25924 transport: include InsecureSkipVerify in TLSInfo 
Some functions take a TLSInfo to generate a tls.Config and there was no
way to force the InsecureSkipVerify flag.
 2017-07-21 11:00:22 -07:00
Anthony Romano
ab95eb0795 transport: accept connection if matched IP SAN but no DNS match 
The IP SAN check would always do a DNS SAN check if DNS is given
and the connection's IP is verified. Instead, don't check DNS
entries if there's a matching iP.

Fixes #8206
 2017-07-06 16:11:53 -07:00
Anthony Romano
322976bedc transport: CRL checking 2017-06-19 15:23:41 -07:00
Gyu-Ho Lee
d690634bd6 *: remove unused, fix typos 
Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
 2017-05-18 12:11:18 -07:00
Tony Grosinger
4e21f87e3d pkg/transport: reload TLS certificates for every client requests 
This changes the baseConfig used when creating tls Configs to utilize
the GetCertificate and GetClientCertificate functions to always reload
the certificates from disk whenever they are needed.

Always reloading the certificates allows changing the certificates via
an external process without interrupting etcd.

Fixes #7576

Cherry-picked by Gyu-Ho Lee <gyuhox@gmail.com>
Original commit can be found at https://github.com/coreos/etcd/pull/7784
 2017-04-27 11:22:03 -07:00
Anthony Romano
05582ad5b2 transport: resolve DNSNames when SAN checking 
The current transport client TLS checking will pass an IP address into
VerifyHostnames if there is DNSNames SAN. However, the go runtime will
not resolve the DNS names to match the client IP. Intead, resolve the
names when checking.
 2017-04-18 13:21:26 -07:00
Gyu-Ho Lee
8aaa1ed911 *: use '*tls.Config.Clone' in Go 1.8 
Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
 2017-04-17 20:08:27 -07:00
Anthony Romano
1153e1e7d9 Merge pull request #7687 from heyitsanthony/deny-tls-ipsan 
transport: deny incoming peer certs with wrong IP SAN
 2017-04-13 15:03:25 -07:00
Gyu-Ho Lee
8ce579aac9 pkg/transport: add 'IsClosedConnError' 
Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
 2017-04-13 11:55:18 -07:00
Anthony Romano
70a9929b5d transport: use actual certs for listener tests 2017-04-12 13:41:33 -07:00
Anthony Romano
cad1215b18 *: deny incoming peer certs with wrong IP SAN 2017-04-12 13:41:33 -07:00
Anthony Romano
d42c1f5131 Merge pull request #7646 from andelf/fix-unix-socket-url 
*: fix a bug in handling unix socket urls
 2017-04-05 09:24:38 -07:00
andelf
4f27981c46 *: fix a bug in handling unix socket urls 
Now use url.Host + url.Path as unix socket path

Fixes #7644
 2017-04-05 14:33:13 +08:00
Gyu-Ho Lee
8a7a548a6d pkg/transport: remove port in Certificate.IPAddresses 
etcd passes 'url.URL.Host' to 'SelfCert' which contains
client, peer port. 'net.ParseIP("127.0.0.1:2379")' returns
'nil', and the client on this self-cert will see errors
of '127.0.0.1 because it doesn't contain any IP SANs'

Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
 2017-04-04 09:44:59 -07:00
Anthony Romano
2f1542c06d *: use filepath.Join for files 2017-03-16 07:46:06 -07:00
Gyu-Ho Lee
3d75395875 *: remove never-unused vars, minor lint fix 
Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
 2017-03-06 14:59:12 -08:00
David Cheney
9b84127739 pkg/transport: remove dependency on pkg/fileutils 
4a0f922 changed SelfCert to use a helper from pkg/fileutils which
introduced a transitive dependency on coreos/pkg/capnslog. This means
anyone who imports pkg/transport to use TLS with the clientv3 library
has the default stdlib logger hijacked by capnslog.

This PR reverts 4a0f922. There are no tests because 4a0f922 contained no
test and was not attached to a PR.

Fixes #7350
 2017-02-20 12:32:04 +11:00
Laurie Clark-Michalek
eba41cd7b3 pkg/transport: Obey the usual laws of ssl when using a private PKI 2017-01-15 21:27:53 +00:00
Anthony Romano
da8fd18d8e transport: warn on user-provided CA 
ServerName is ignored for a user-provided CA for backwards compatibility. This
breaks PKI, so warn it is deprecated.
 2017-01-12 09:10:05 -08:00
Gyu-Ho Lee
629d9e7dab Revert "pkg/transport: update tls.Config copy method" 2016-09-19 15:07:12 +09:00
Gyu-Ho Lee
8c9a88c7d4 pkg/transport: update tls.Config copy method 
For Go 1.7
 2016-09-18 22:50:45 +09:00
Xiang Li
7a48ca4cea embed: fix go 1.7 http issue 
go 1.7 introduces HTTP2 compability issue. Now we
need to explicitly enable HTTP2 when TLS is set.
 2016-09-18 18:38:55 +08:00
Anthony Romano
3b92384394 pkg/transport: bump wait time in TestReadWriteTimeoutDialer for write deadline 
Was able to get 2s wait times with 500 concurrent requests on a fast machine;
a slower machine could possibly see similar delays with a single connection.

Fixes #6220
 2016-08-22 15:30:44 -07:00
Gyu-Ho Lee
c38f0290a7 pkg/transport: fix minor typo 2016-08-04 16:00:18 -07:00
Anthony Romano
cd781bf30c transport: add ServerName to TLSConfig and add ValidateSecureEndpoints 
ServerName prevents accepting forged SRV records with cross-domain
credentials. ValidateSecureEndpoints prevents downgrade attacks from SRV
records.
 2016-08-03 22:28:03 -07:00
Gyu-Ho Lee
c8cc87c3f5 pkg/transport: update scheme to unix copying URL 2016-08-03 10:35:28 -07:00
Anthony Romano
99e0655c2f transport: wrap timeout listener with tls listener 
Otherwise the listener will return timeoutConn's, causing a type
assertion to tls.Conn in net.http to fail so http.Request.TLS is never set.
 2016-07-19 16:47:14 -07:00
Xiang Li
3839a55910 *: fix issue found in fast lease renew 2016-07-15 15:07:15 -07:00
Anthony Romano
fc1a226d15 pkg/transport: unix domain socket listener and transport 2016-06-24 21:04:31 -07:00
Gyu-Ho Lee
4a0f922a6c pkg/transport: use TouchDirAll 2016-06-22 15:57:55 -07:00
Gyu-Ho Lee
6557ef7cd8 *: copy all exported members in tls.Config 
Without this, go vet complains

assignment copies lock value to n: crypto/tls.Config contains sync.Once
contains sync.Mutex
 2016-06-22 12:04:08 -07:00
Xiang Li
8b28c647ea transport: require tls12 2016-06-02 09:38:56 -07:00