diff --git a/Documentation/op-guide/configuration.md b/Documentation/op-guide/configuration.md index 7bbf2761d..f96381d29 100644 --- a/Documentation/op-guide/configuration.md +++ b/Documentation/op-guide/configuration.md @@ -295,6 +295,11 @@ The security flags help to [build a secure etcd cluster][security]. + default: false + env variable: ETCD_PEER_AUTO_TLS +### --peer-cert-allowed-cn ++ Allowed CommonName for inter peer authentication. ++ default: none ++ env variable: ETCD_PEER_CERT_ALLOWED_CN + ## Logging flags ### --debug diff --git a/e2e/etcd_config_test.go b/e2e/etcd_config_test.go index 9cdfbb062..7c25d22fa 100644 --- a/e2e/etcd_config_test.go +++ b/e2e/etcd_config_test.go @@ -113,3 +113,80 @@ func TestEtcdUnixPeers(t *testing.T) { t.Fatal(err) } } + +// TestEtcdPeerCNAuth checks that the inter peer auth based on CN of cert is working correctly. +func TestEtcdPeerCNAuth(t *testing.T) { + peers, tmpdirs := make([]string, 3), make([]string, 3) + for i := range peers { + peers[i] = fmt.Sprintf("e%d=https://127.0.0.1:%d", i, etcdProcessBasePort+i) + d, err := ioutil.TempDir("", fmt.Sprintf("e%d.etcd", i)) + if err != nil { + t.Fatal(err) + } + tmpdirs[i] = d + } + ic := strings.Join(peers, ",") + + procs := make([]*expect.ExpectProcess, len(peers)) + defer func() { + for i := range procs { + if procs[i] != nil { + procs[i].Stop() + } + os.RemoveAll(tmpdirs[i]) + } + }() + + // node 0 and 1 have a cert with the correct CN, node 2 doesn't + for i := range procs { + commonArgs := []string{ + binDir + "/etcd", + "--name", fmt.Sprintf("e%d", i), + "--listen-client-urls", "http://0.0.0.0:0", + "--data-dir", tmpdirs[i], + "--advertise-client-urls", "http://0.0.0.0:0", + "--listen-peer-urls", fmt.Sprintf("https://127.0.0.1:%d,https://127.0.0.1:%d", etcdProcessBasePort+i, etcdProcessBasePort+len(peers)+i), + "--initial-advertise-peer-urls", fmt.Sprintf("https://127.0.0.1:%d", etcdProcessBasePort+i), + "--initial-cluster", ic, + } + + var args []string + if i <= 1 { + args = []string{ + "--peer-cert-file", certPath, + "--peer-key-file", privateKeyPath, + "--peer-trusted-ca-file", caPath, + "--peer-client-cert-auth", + "--peer-cert-allowed-cn", "example.com", + } + } else { + args = []string{ + "--peer-cert-file", certPath2, + "--peer-key-file", privateKeyPath2, + "--peer-trusted-ca-file", caPath, + "--peer-client-cert-auth", + "--peer-cert-allowed-cn", "example2.com", + } + } + + commonArgs = append(commonArgs, args...) + + p, err := spawnCmd(commonArgs) + if err != nil { + t.Fatal(err) + } + procs[i] = p + } + + for i, p := range procs { + var expect []string + if i <= 1 { + expect = etcdServerReadyLines + } else { + expect = []string{"(remote error: tls: bad certificate)"} + } + if err := waitReadyExpectProc(p, expect); err != nil { + t.Fatal(err) + } + } +} diff --git a/e2e/main_test.go b/e2e/main_test.go index 47691a9b3..4c954bf63 100644 --- a/e2e/main_test.go +++ b/e2e/main_test.go @@ -21,6 +21,9 @@ var ( privateKeyPath string caPath string + certPath2 string + privateKeyPath2 string + crlPath string revokedCertPath string revokedPrivateKeyPath string @@ -43,6 +46,9 @@ func TestMain(m *testing.M) { revokedPrivateKeyPath = certDir + "/server-revoked.key.insecure" crlPath = certDir + "/revoke.crl" + certPath2 = certDir + "/server2.crt" + privateKeyPath2 = certDir + "/server2.key.insecure" + v := m.Run() if v == 0 && testutil.CheckLeakedGoroutine() { os.Exit(1) diff --git a/etcdmain/config.go b/etcdmain/config.go index f05ea21e4..17461dacf 100644 --- a/etcdmain/config.go +++ b/etcdmain/config.go @@ -187,6 +187,7 @@ func newConfig() *config { fs.StringVar(&cfg.PeerTLSInfo.TrustedCAFile, "peer-trusted-ca-file", "", "Path to the peer server TLS trusted CA file.") fs.BoolVar(&cfg.PeerAutoTLS, "peer-auto-tls", false, "Peer TLS using generated certificates") fs.StringVar(&cfg.PeerTLSInfo.CRLFile, "peer-crl-file", "", "Path to the peer certificate revocation list file.") + fs.StringVar(&cfg.PeerTLSInfo.AllowedCN, "peer-cert-allowed-cn", "", "Allowed CN for inter peer authentication.") // logging fs.BoolVar(&cfg.Debug, "debug", false, "Enable debug-level logging for etcd.") diff --git a/integration/fixtures/ca.crt b/integration/fixtures/ca.crt index 33b5ce3b7..799a3bf0d 100644 --- a/integration/fixtures/ca.crt +++ b/integration/fixtures/ca.crt @@ -1,22 +1,22 @@ -----BEGIN CERTIFICATE----- -MIIDrjCCApagAwIBAgIUaE5uhZZO0NApCR9JZ8WFTYzCRHEwDQYJKoZIhvcNAQEL +MIIDrjCCApagAwIBAgIUD/nWsq3FfCKbMoY0HPFWnT0vEsMwDQYJKoZIhvcNAQEL BQAwbzEMMAoGA1UEBhMDVVNBMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH Ew1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKEwRldGNkMRYwFAYDVQQLEw1ldGNkIFNl -Y3VyaXR5MQswCQYDVQQDEwJjYTAeFw0xNzA4MjExMDE4MDBaFw0yNzA4MTkxMDE4 +Y3VyaXR5MQswCQYDVQQDEwJjYTAeFw0xNzA5MjkwNjUzMDBaFw0yNzA5MjcwNjUz MDBaMG8xDDAKBgNVBAYTA1VTQTETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UE BxMNU2FuIEZyYW5jaXNjbzENMAsGA1UEChMEZXRjZDEWMBQGA1UECxMNZXRjZCBT ZWN1cml0eTELMAkGA1UEAxMCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK -AoIBAQDINenyY3RrYI6PYibH+j95HXhTJdIssBiox1IX89SkqmpFQAbmt2+49tka -el8MeyZC76KqAmbon6m8zCeCM/XxdxaEEUHeHAy28tD+Sahn6jrodCovZl0xe6hp -RVcMd10ic0awxRvogOU/wXvzExI01zcVAo3wVgH2ZVb2dnPe5cLXAdAHaJ/LtsBY -WCY/Z66afwwOfPSp/KOXcA2umxTYJusF1EJWb/2zNAW4kYCNnrL+ha1n0ll7WVv4 -TqmgoyJl6Zp8aGnxcFVQ0pkh0VCFQOxRFZWSAnfFSGAl8ERWyUgiI6cmY2FNPr6r -oGW3RZ/rrJBTdbQBUP+if8VKu9wBAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAP -BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRoJE96ipgtnKmI+iE2QhTKTCkYHDAN -BgkqhkiG9w0BAQsFAAOCAQEAMFqUbkReRhcXYb3X5SHswlLS0XmB4MjcpibHUa8J -haIU0VZuG+85wMwAdUAHgHVANxzyFf/fWEmHvVJzOzWQmBuzjENbzN9jscTXX0ZM -eAEVuq3LooAWI0Zu3VTwpwOpeckdJdbpcxCpnNoytQ+3fF9935R/rzMFd1q+7aLK -J5fwkGCUWV9AcLYvl2Njh23nFohhtHLn/xmzhTXzFlxQhI3t3FmmSuhL0hed1TZB -j375gCo8olmeEV1i/wpMfrbxnQjuVlsjv4TvuYZ20xtobV6xHq0hJdej8HXW+VsC -F79uOFqyAbuDYwVhxI+s8C+kRaTZKvbL+i2xW1sNHapGWQ== +AoIBAQC8JbBTGtxAi7QPiix8bQJ+UmusPaaAtwOlcdz24FzLpIIp1tGqDZSVIG/N +Ewt3Uujau4G5GO32mIJ52f1dhZHu5RU4Rhu707lKHM7sgQZTtMQUJuJ7YGcfmi77 +SexBJvfNBAZScpZVbBDBzhLCDfjA89HwcGqjcxweSY6pXeHvwOVzwoZAoYJfw8vN +3hNnIHzMoraRlYdAetxGmA3/r3f3l3NfiIE1vZI3g0CAlTkY8ZaqT8Oo6ZIbFBYO +FIm1eCcNVdf6ZSzQOueKdIB+SFRNcnzdJYQpyWo1wuVTEZkNwp8jdpRK0xy2FBG3 +cTUac0mtvhfc8k1llp+Gk7uesr3fAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAP +BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQX1uJJuwcyp2vAJIzR8oyOhdnDCTAN +BgkqhkiG9w0BAQsFAAOCAQEAb98aC0nym9vd6udUiECJKdgeed/PY3lczppk4MUV +tmH+5kDk84ES+lRb4n+OcxswE8E2xi9/vuGujC9vrUOFF3mlDG/ekwH3SoA0yuYC ++aBPd1MAZNhNie4B5rSBWNhwUo4OjhW9ohfiZA6C/TRk3pQBT9bB0DiFkv3uatbs +odoUOT7jK7vh/Jz7fYI1bHbRr3iym8aH00wo8774ZVQJkMO3HPqm/92CBZo3/vuK +WngWzUucGmZcalA/bPUofmSe0LaX1qhLUl6FG5hFByyufob8qRd5aiCgwrp2IILR +gNpiE4OF0AaP9cWysSOld+vT9BzFIlKX1fS0Zn38a+00yg== -----END CERTIFICATE----- diff --git a/integration/fixtures/gencerts.sh b/integration/fixtures/gencerts.sh index 8ece4df14..0f55cd7ba 100755 --- a/integration/fixtures/gencerts.sh +++ b/integration/fixtures/gencerts.sh @@ -23,6 +23,15 @@ cfssl gencert \ mv server.pem server.crt mv server-key.pem server.key.insecure +# generate DNS: localhost, IP: 127.0.0.1, CN: example2.com certificates +cfssl gencert \ + --ca ./ca.crt \ + --ca-key ./ca-key.pem \ + --config ./gencert.json \ + ./server-ca-csr2.json | cfssljson --bare ./server2 +mv server2.pem server2.crt +mv server2-key.pem server2.key.insecure + # generate revoked certificates and crl cfssl gencert --ca ./ca.crt \ --ca-key ./ca-key.pem \ diff --git a/integration/fixtures/revoke.crl b/integration/fixtures/revoke.crl index 062815c13..6348f0f03 100644 Binary files a/integration/fixtures/revoke.crl and b/integration/fixtures/revoke.crl differ diff --git a/integration/fixtures/server-ca-csr2.json b/integration/fixtures/server-ca-csr2.json new file mode 100644 index 000000000..0907ad23c --- /dev/null +++ b/integration/fixtures/server-ca-csr2.json @@ -0,0 +1,20 @@ +{ + "key": { + "algo": "rsa", + "size": 2048 + }, + "names": [ + { + "O": "etcd", + "OU": "etcd Security", + "L": "San Francisco", + "ST": "California", + "C": "USA" + } + ], + "CN": "example2.com", + "hosts": [ + "127.0.0.1", + "localhost" + ] +} diff --git a/integration/fixtures/server-revoked.crt b/integration/fixtures/server-revoked.crt index 65f1784ad..173dc1879 100644 --- a/integration/fixtures/server-revoked.crt +++ b/integration/fixtures/server-revoked.crt @@ -1,24 +1,24 @@ -----BEGIN CERTIFICATE----- -MIIEEjCCAvqgAwIBAgIURDPBrQ3XYJ55Ks+mx1JQF+/vfHIwDQYJKoZIhvcNAQEL +MIIEEjCCAvqgAwIBAgIUOW5etKg/ZnxbCpjtVvMoLmYMXecwDQYJKoZIhvcNAQEL BQAwbzEMMAoGA1UEBhMDVVNBMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH Ew1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKEwRldGNkMRYwFAYDVQQLEw1ldGNkIFNl -Y3VyaXR5MQswCQYDVQQDEwJjYTAeFw0xNzA4MjExMDE4MDBaFw0yNzA4MTkxMDE4 +Y3VyaXR5MQswCQYDVQQDEwJjYTAeFw0xNzA5MjkwNjU0MDBaFw0yNzA5MjcwNjU0 MDBaMHgxDDAKBgNVBAYTA1VTQTETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UE BxMNU2FuIEZyYW5jaXNjbzENMAsGA1UEChMEZXRjZDEWMBQGA1UECxMNZXRjZCBT ZWN1cml0eTEUMBIGA1UEAxMLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUA -A4IBDwAwggEKAoIBAQDUqP4yxvMdKlQfnP51EYW7XEWKKWqdDmP4LnQN9L24NgS3 -Z66TqhcwH6VSDfL0e3B1puJAEqCpGfJ3CSvRkwbFHIthyYuZ2n2OF2tA3VCN57PM -RoCgkGWum6q1gMlRiKLZP2C18oa3Z2ySVY3Mv4mJGqqK+I+c0yVpcnGy/zkGlVDJ -/yw7YcxrBpz/54XP2sVAua6t/uEnsVq/dAKczuwl7rJiH2fhlgj6xNoLuhwORxTE -Ka0SAVA/6MHWdP0PKCEdksv+PugoM6yhTxoY+r2bRmayQA6MfgS6w5A2x04+K+q5 -APqSn8PrDYs2cUbEOWqvfEit9sQuZiFmK9HsbC/XAgMBAAGjgZwwgZkwDgYDVR0P +A4IBDwAwggEKAoIBAQDJb+66dOfF2/Q1Ppz825+uGxVpDIGHaP+H/EKgDELZZ+ev +0bUbsH9E28p+Ih87eV+hfu68kOgOZ7fLplN3uaSpG716sd/5ny32T/m/JS0hnZdR +bD1nvRPqxFPy1G1xM+JWeFRDbJQJ18t1Bt/KB3p+TRdo2aEaQgC2wrsTjv84MEbp +WJyI3uxmUaEStoPDskQyjI4Z5SKHHQqIuRzpo5KHMf9OqFRAm+pbe4aMsUBHOAH4 +YsHr/gGrZUSIdGScBnosncUl6Ec9rEBe4cRf7ruyid+pwJOhCeXekSCcQjyqG2cV +xPWShUuCGhFstu6dkMprRplzwy7WXqCdqMk9ZVkBAgMBAAGjgZwwgZkwDgYDVR0P AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMB -Af8EAjAAMB0GA1UdDgQWBBRBAOxGvg1O7ZArmCeW0VZwBGJz+DAfBgNVHSMEGDAW -gBRoJE96ipgtnKmI+iE2QhTKTCkYHDAaBgNVHREEEzARgglsb2NhbGhvc3SHBH8A -AAEwDQYJKoZIhvcNAQELBQADggEBAAiEMC18ECecYQIxMZN4ZiKhghgtBOVawvf+ -1hIU7jYfMnR8gII+nP6c1UxgWuV+4TEKdf6d37Jy83dhSkUputBqNVSpR1+sf9FE -f0QZWYEzgwgSsldNq0F+A7lWFcU/IyL9AK77sm6xmHx0RSSTKB4Omyp9Pyn6z+QT -avC+1OgjCaTMDKv6bajg8U+TbykEnfO8R0B9vDD4eIfNDNG0zrXNkiN0L00Hd8Uj -4HPB2Q9efIxjjEI58Cy61TTgzwuPbXW15xE17+UqHgKoKnKrgVTJLy5O+1RmfrOP -kLcLRvyHg/q8Vvq41DlD+TpiFD4CdB1nhcblA/NXMEovKysnJQ4= +Af8EAjAAMB0GA1UdDgQWBBSpFTakSu4EauEYmUFasPJu6CWbITAfBgNVHSMEGDAW +gBQX1uJJuwcyp2vAJIzR8oyOhdnDCTAaBgNVHREEEzARgglsb2NhbGhvc3SHBH8A +AAEwDQYJKoZIhvcNAQELBQADggEBAENi+GFd6an867Jrgsgd5kbGkKOl0Mcr00H8 +OQGuy5Zuy4lpLwHQ5YHaowsmxt+KOkpEG6raFmOMJh5Q3fY//nAFhtmikOuggw45 +jQWT0uguB2NzdQfyo3BTLlwRbKVkfmoSDVtNPMYUR3AD6jhLVEoY/gDwCJHsm5/9 +mPK0bgzTjnNRXfr0+cBmeOSpOvTtgvRhQMEvpbh0DAv71MSYY/XSWVng75QMRSf0 +DuvuBAKmjfFw8rMcz0WkkN/QcMG3olxRyZt6gl7o6hlttO261+gfLY77s+YLYKr5 +Sf9WAHWcnrgmfyUXHoVx1YA5HoDBKUuX0bI6ufCnqn9JMIPDSGs= -----END CERTIFICATE----- diff --git a/integration/fixtures/server-revoked.key.insecure b/integration/fixtures/server-revoked.key.insecure index 71de01c30..8a783edc1 100644 --- a/integration/fixtures/server-revoked.key.insecure +++ b/integration/fixtures/server-revoked.key.insecure @@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEA1Kj+MsbzHSpUH5z+dRGFu1xFiilqnQ5j+C50DfS9uDYEt2eu -k6oXMB+lUg3y9HtwdabiQBKgqRnydwkr0ZMGxRyLYcmLmdp9jhdrQN1QjeezzEaA -oJBlrpuqtYDJUYii2T9gtfKGt2dsklWNzL+JiRqqiviPnNMlaXJxsv85BpVQyf8s -O2HMawac/+eFz9rFQLmurf7hJ7Fav3QCnM7sJe6yYh9n4ZYI+sTaC7ocDkcUxCmt -EgFQP+jB1nT9DyghHZLL/j7oKDOsoU8aGPq9m0ZmskAOjH4EusOQNsdOPivquQD6 -kp/D6w2LNnFGxDlqr3xIrfbELmYhZivR7Gwv1wIDAQABAoIBAFVxwRDt1ui1BS/e -iG7JJ45sOJSWp3uLOKeTIpYo68GEEskOI5q5ELAJRwd9C00n+7uJ3gYYdez7u+wQ -B0chZ+ry2R3lOO4MV74rsrBRO/iITDmbajsZSYGqkiBzKnBUEfpv+I+ibnZqW7lA -HsVRgBVSXYuQ60L7o2CG1yAwY908ja1gyRi6QxFuaQv+SWMP2VpH24bLox9rmQZ2 -xwTLViBHCdc9+IIHMAsJ84ViGu/oZ/wGlXTZMxgwsiCVS8tJ0ZjQT8QXZUnxj5yz -lJX6owzT1VfC/ZrbAms1lCQ4msVo6qX4QfA88JmW7y4YJrOEBINeJddO7TNyNMXC -o4xb28ECgYEA4f7A4NtYfNcl+FNRP3oOJBxc+V2fW5gSTYVMRlmE3UN6vvqpxLYe -BQATYjy66nPEFSvr72rbWaE3rmbdUyZJ0hXxgRvJsU9AYvg6Taw2/dLVf5xar6Di -VkVO+FqkX6eNuKnQfuqU55fHvSVnKiwpWZvoja86DpqdMW01srie9s8CgYEA8OUA -jheiEKjmzWfM8Bt0i0QpKf2+ga5u3XPd80spIWYnyZPLMYn4P4i7XAyKcuCEPm7+ -sFvV0M6kiAx48ECffvQDDSpUxKi9h4JlPtF+A0w+U74fVu4rNHIIh5ZTPaDPRY2W -DztShe4rFNUygjYxqmsCqpH1ttZn6Ns3wI7/+HkCgYEAzrY/ZC0d1irQ/z/uXBpf -XuZWoHzjK1uAukmHx/1PyzdSyebrbBOMh9RW5o9YBOVY4GipSPe7pVMSZEKQhOLL -uQ77NLXfGYC9Cwm0AqHYNvkm8a9pP6XwASsqHX6DRT80IUmqfLxC8Ubimv7gSzHT -rLQv1ZEGkJ8Z00DqUgwO0v8CgYB6MA4aBM7FmIaJha8j0ylIQqiGjhiFes7tMQpR -j7wrHr/rtTWJySvMPjSauhm3rz4k1PQGzG4l3csC3yCw7HZ6VJb/pIsevWB1TaTB -Ok2qqo+qtnL7Cw+LKJQ/Afby+ZBo/SoyS6rOGEJt7L4T4h1LDcBqeGKj/Rjzuc4L -s/0OMQKBgQCkN2P07cPey72s5Lxsjg729OkwfyMRWUI72388tlI1FmmTefslQjXW -/DCGPDZkgVnB3MyBglTagZ0e8IwHzAyXtqS7uSz6sSwyZ05Y7kXf6uJLBNxG0nBE -j3qRHjGzcF175gemyoiO8LxjTC/pAcazQrgCmM3oEZukG9Q42MviIA== +MIIEpAIBAAKCAQEAyW/uunTnxdv0NT6c/NufrhsVaQyBh2j/h/xCoAxC2Wfnr9G1 +G7B/RNvKfiIfO3lfoX7uvJDoDme3y6ZTd7mkqRu9erHf+Z8t9k/5vyUtIZ2XUWw9 +Z70T6sRT8tRtcTPiVnhUQ2yUCdfLdQbfygd6fk0XaNmhGkIAtsK7E47/ODBG6Vic +iN7sZlGhEraDw7JEMoyOGeUihx0KiLkc6aOShzH/TqhUQJvqW3uGjLFARzgB+GLB +6/4Bq2VEiHRknAZ6LJ3FJehHPaxAXuHEX+67sonfqcCToQnl3pEgnEI8qhtnFcT1 +koVLghoRbLbunZDKa0aZc8Mu1l6gnajJPWVZAQIDAQABAoIBABamUFiE1p7HyaDH +Bo3kAANqpjCmqFXad4kJ00/9sPKTHVkGom+Xm+fZMt6V5Z8hWaBmDmADhyQ/g0oR +zKbUp/Af32FRaNa/kEJ24aUdgAKcnqwYGJt2hivKoYnXWur0o4mHhCoEpmyo6Aaj +nDwyNRLIhk5S0iuKqlvib3iWhpoBmEnDE+0ydoBn1QHiiziFsGaAEi48CcXMpCHt +WDXXtCHndd8qb1PJ4ertDg+9lCyx1QGLM2ckfK1NoAx3VyAHFfz8dbDL8L3fTBP1 +QTPTD4NcjShUHadKPc8K20jp21BWPLCMKUPoR2jPZmAyrN8Ka+IuWmlM2qsozO87 +65/+GvUCgYEAy9H10i1v7GZ043T546Dt8beB+Gb/fiUOxZ1lpY1tvsFURqryHTAV +M7jhkgCe/YAQvm9pPz9ku88IxQIGNn9/URXFYyJgdTptaP0F5YOb+INYi+0TogCs +k28JGjnqEou7YyYwt2ehvcJuKq8Ue2dmsGq3lzdMEd/qWFn1U6f2cGsCgYEA/QHM +sG51KNLcufGLrErlFbasfB6Vdi8ui4+YdJMRYr3+hhIj1nqvTNLJcgkdEWcYwLm1 +NpTXHdjyQCfseYT79M2HK/MBzxncJXgdoMb71LakZzIWc0Mx9oDg2BVj3TKBVIpZ +/XqiIIXNElqE6yT1Os+INr2Vyi0wOR3W3Uk5B0MCgYEAva3RtR1v8XKQCTXNcFdN +2QtMOx2vW3elPaby95Scs0873OAtnZgnwxCla7iEPao26uLH8YJPfrB3ms/9dC5H +D/DQ1ycg2Tfcpj4ChMtsFWQ2vVGOWc+Cy1okAHIxMb00UFs0LxqUXQJagAKbbxSV +bkyCOonNkzzs2/gr5QSExa0CgYEAwhZ2UsZ5pBaWcyJkNojB0nVvPkwr9hzdxPwk +RRFpHemIbotN6MP25KUzGgL5xJblOzt7U2K8303FEQhPdS1aJ4LfdgyWT6yT4D6T +4/mhyJ1P40ZeSI+8rVBSrBFEqbSL2DHGNRi1dOOP3MuJ+eVBJpt78Bph5VXjD33f +jaQVVocCgYA5L4p7EBuJ7/3IGk6lwIsxmB2SIsnQ+wQuZfirMHBm9zDiBHxPd5is +P5uPUVlponNDbtawPOmgP/IpfEQSQc+RC24R8GjAKzwkdoLcw2DubOKg842AI2+z +tWSWXcXQzLJo9L+tJ/70C/8yeBfYry6LmLBnCptY3r0FiaTndbOoGA== -----END RSA PRIVATE KEY----- diff --git a/integration/fixtures/server-wildcard.crt b/integration/fixtures/server-wildcard.crt index 99a48bd68..d924294c4 100644 --- a/integration/fixtures/server-wildcard.crt +++ b/integration/fixtures/server-wildcard.crt @@ -1,24 +1,24 @@ -----BEGIN CERTIFICATE----- -MIIEDzCCAvegAwIBAgIURS07kZUkWQknBcWAsV6hTZlsQ6YwDQYJKoZIhvcNAQEL +MIIEDzCCAvegAwIBAgIUNDzcFXOAhXxTYih49LOUFsErYIgwDQYJKoZIhvcNAQEL BQAwbzEMMAoGA1UEBhMDVVNBMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH Ew1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKEwRldGNkMRYwFAYDVQQLEw1ldGNkIFNl -Y3VyaXR5MQswCQYDVQQDEwJjYTAeFw0xNzA4MjExMDE4MDBaFw0yNzA4MTkxMDE4 +Y3VyaXR5MQswCQYDVQQDEwJjYTAeFw0xNzA5MjkwNjU0MDBaFw0yNzA5MjcwNjU0 MDBaMHgxDDAKBgNVBAYTA1VTQTETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UE BxMNU2FuIEZyYW5jaXNjbzENMAsGA1UEChMEZXRjZDEWMBQGA1UECxMNZXRjZCBT ZWN1cml0eTEUMBIGA1UEAxMLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUA -A4IBDwAwggEKAoIBAQDffZw2JmSt4IWN4Ez0eOTPniGEJx6u7mDpBl2kwzfbpva4 -ijz1I7tQNh2DGZjuttAkWtCORlQ+oO0gQNaLHvToPZoLKeshnbpI1RYYzwSnvvkH -zLZrj4zALMuEaiX9Z8I2PP03TYZytwikJ5ZCa1YT5aIQR/IZG4WCkhfDNqaItTlp -nFQDMx1RnEaK7z/fNKkf8p3n8DF/+P0TO8qeI3YrmUZ6u4ca8J0ZCnoSRXTOYroL -o0HqGFjV0ECrHEIbPtOYoJssCk2SWuaJd4HDGqJFlJdeDAaG2UumGlPAkuAHf2va -FJd7eHbuaDLWtDi1YYQ4103MEYwwRG8NARvQQnedAgMBAAGjgZkwgZYwDgYDVR0P +A4IBDwAwggEKAoIBAQDCE0C//qA88O5ivLTvjUO4RDJHfHAB8nanCxxz4Bu8Cucg +PnRpFetzI7YqO3jQadTDXOjYDp/frfB6ifQRS22Ggc98IWQ4V06B893wgac48tkF +m8tocD+wZ+eYoHN+1LU7JERTsKGwNtSm6G/KQp1d2r4ISg8GoB5KmHrOIHmKFbQH +7cLiB+pARKk52+JRrKHfezGr5PjNzdgUml7fcKQWoBfl4pdgIcfWIRhggscGytk2 +BTO5qLJU/6jQNnLlyypMabv7vh22pbUWNdoK2KJRKqMzIYbPkLjDTVF+BgB6Nr5M +znPPTDaXuRsoRVPDghnVfur2ckLo26+4fzTwdYHLAgMBAAGjgZkwgZYwDgYDVR0P AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMB -Af8EAjAAMB0GA1UdDgQWBBTThlDqYBWEcolK4U5GP3ZjZJAeujAfBgNVHSMEGDAW -gBRoJE96ipgtnKmI+iE2QhTKTCkYHDAXBgNVHREEEDAOggwqLmV0Y2QubG9jYWww -DQYJKoZIhvcNAQELBQADggEBAARV6YV+ksoqHZQifrmjyBk1HXsuJArC++h5xvGl -kBnY1J3lNYybRcEMQRMWuqyb5v47bjEiqErgLH+X/CPWcoAUjgWHIrcUIplJPjFf -aEM27L4MhfuIsi5HaKsBeJVaogHblCe3QleECE8WaJpuDjmOTth0EGviLy6xzk6W -Q9oNV4cXW2OwSMymdMbn41vjQaJdNFkBZkBa+ObaGou9xJEkjBZ/+CEpgQsmtNqq -hIQLli1WpITx+E2C2U1wQB+8vhA2xiwWq2aHuj/Umv+QpFL3CSqPh/NQY1I6NXpW -WGDhEeeB5/Nwq8VvtLWrqxO7fPRkzecwVZJ2CAXKqMXLBUA= +Af8EAjAAMB0GA1UdDgQWBBTRXWxQWNLQVwbMn5/MDsMJw17jWDAfBgNVHSMEGDAW +gBQX1uJJuwcyp2vAJIzR8oyOhdnDCTAXBgNVHREEEDAOggwqLmV0Y2QubG9jYWww +DQYJKoZIhvcNAQELBQADggEBAA5Z/HhcTnERJn08LXKjSzvhC1YL3yBlCF1vccXz +XshuMNF5VmpfMAwNIRhlH8x1aQyLoB56UGpF+Y91N/aqkTsjxmsrW8eJzGSIbC2n +ZE9IXqv4DdB3jWHMOr9v+5eXXdp/i2HcWBxqoUVT82NsObl/a7yQiVeKLdGdS2MJ +UQ5amLVgIgB2ADI3myESaBA5yPEFuFPDCEznKCFr/+iN23oYvjhFEuDpI4kNGuGu +No1ukQr5s+mmbkoKhHymc8ri/93H+lRCDOfN3IZJrejpI5Z3JtQplCVph+naF1oM +zSc2sGUYYStqciJJhw/270nTwhQ9LgNDmTSCvU8bX4rx/z4= -----END CERTIFICATE----- diff --git a/integration/fixtures/server-wildcard.key.insecure b/integration/fixtures/server-wildcard.key.insecure index ededdef06..61f6c144e 100644 --- a/integration/fixtures/server-wildcard.key.insecure +++ b/integration/fixtures/server-wildcard.key.insecure @@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEpQIBAAKCAQEA332cNiZkreCFjeBM9Hjkz54hhCceru5g6QZdpMM326b2uIo8 -9SO7UDYdgxmY7rbQJFrQjkZUPqDtIEDWix706D2aCynrIZ26SNUWGM8Ep775B8y2 -a4+MwCzLhGol/WfCNjz9N02GcrcIpCeWQmtWE+WiEEfyGRuFgpIXwzamiLU5aZxU -AzMdUZxGiu8/3zSpH/Kd5/Axf/j9EzvKniN2K5lGeruHGvCdGQp6EkV0zmK6C6NB -6hhY1dBAqxxCGz7TmKCbLApNklrmiXeBwxqiRZSXXgwGhtlLphpTwJLgB39r2hSX -e3h27mgy1rQ4tWGEONdNzBGMMERvDQEb0EJ3nQIDAQABAoIBAC1+p3cKd8JBi05n -U6MMnR96hD4frIpVslqdViC9MLjBE0Zbta79WBsq+PUAF/a4NkTAS+Y6gNnC7qJ7 -MHFfmuFP8PTG0rukHRDId9gTBFKVeKJS1OuubCuOsttAtH0SSyG5Zp6EZJMjmVm5 -SUg6C2q/ey8vRiRASvxaewXdMSdww1lYKrcBvz1zhDbDdnx8lBzkL9d8v6xQu6YV -R62qpn0j0T6FKsGQQcFc/CLKTYE00BBfMoAoVSxcpD6yO26uWzFrTj1JAnQPPZpX -awylWuOYOHhto54m95zbw7JLxZYgtLtZz7BUrJuSucKhMtUpWaUfK7QavXnRw57f -TyWtZMECgYEA6q9ByCK06zVaTCg54Fy5mIHmEdhSVx7F13ysW24XP0UCqwuO3xV5 -j3ekQ/OZkmaxtH8qUSByUbblmpoeekOaUSggC8KiHLfNHQ2aAFEueWsryj/0yH7o -HYYijUhtKZ2MXEciOIrTBYXjtEIW1OXKHnoqCWVnsE/upn6pHjfh0FECgYEA88oU -KP4rXxXkQ/00fsT9ChpyARnLbHu2Df09560ddlzYEpJ0fpj4a0yR4Dv71tMHSkLI -IsmOSOMgmK9oAh7z72EpH2T4NYPr6lfnnFjCDHlA5/g6lmZ0quAtL8vhBLAFnofd -QyHqo7x2f9IsfgkKJrM0kmsHs3QfuDuyvB9rS40CgYEA1ZQX3sbPNbvBaMu3GFvq -wEN/mT/wd77WuGyLA05ms7rfWcDUDmwhzBJLGVhJq/Xvxd9xKJHJ2FoGDTQzhnud -pjxJJcrE9DPF5KnrPFylWfTRzmd0Iz9ziOL48PE3/4aVJanLGAAnWcBm4TbARpK1 -5hSxywlRWyDzhOyChrC+vnECgYEA0K5jMW/Yam1P1w8Qd49h1tsqSVzuL695+GGV -MxKRzLbO0p8BDzkcNKT3nc1a1toPPHcL4BNOM4AQcAJ98orSXk96JwCEIzMIp7GV -ddTYTlsgvzBR3lpXdcmthGNt+1g9hyVftk57DquNd/7NzRkp0lTGJKtvjSJS4J5h -cf0nGCUCgYEApa0Va1GsR80Enf6U6HY9nwj2YtUYax7KtiZcD2ih+51cscphrOG7 -pHUn6BxwndQsOdkT0YWB0uUYCIA1Yi9DKH9IB1H9HWr8ySU3Q4ngDwEWB5RK3lTE -4EAdnPWYymFIC0O2RLGxLe0q2S4zuzptdknKZkeWVJj/SdlC8ZzrJTA= +MIIEogIBAAKCAQEAwhNAv/6gPPDuYry0741DuEQyR3xwAfJ2pwscc+AbvArnID50 +aRXrcyO2Kjt40GnUw1zo2A6f363weon0EUtthoHPfCFkOFdOgfPd8IGnOPLZBZvL +aHA/sGfnmKBzftS1OyREU7ChsDbUpuhvykKdXdq+CEoPBqAeSph6ziB5ihW0B+3C +4gfqQESpOdviUayh33sxq+T4zc3YFJpe33CkFqAX5eKXYCHH1iEYYILHBsrZNgUz +uaiyVP+o0DZy5csqTGm7+74dtqW1FjXaCtiiUSqjMyGGz5C4w01RfgYAeja+TM5z +z0w2l7kbKEVTw4IZ1X7q9nJC6NuvuH808HWBywIDAQABAoIBAEar7iM8HKu0bIqF +/zlQbr2WD90aQktjOLPhhu3nSRIzwjBqrcdqlP+rnHVKjNcQAstVdPDgenVgiLaG +r9rwZaTadmzUWANwP4VxAXvIKtXBEShKsEqKvZaGb76ThxtDZ+9uaHc1VduuS8ev +0q2LjnST6ClqlogqHH27gtS23KtcUzjFpZS2060+yOPof7xvTe0/qY6vHHqhdTTr +SnkUNfMs0sdhobUv2nAqIKdLV3DnUn3z5FbJqluUXIaxPnGghjUmWXl+NQNg6iwV +DX9tINTt4DsWnPWpC38x+4razj5NxOmdVouFyHHBW2NiZFkszds3hO2YBM1DTqUS +2b9RI5ECgYEA0W7s5YcqtzILR3SrlCGzqfeDrUv8YkVAq7Yuneb8O/jvCh85GbPU +RTeUTbQlh2D8znVtb5wwwA10NCUjBowUwy0LSGqz0uOwi/kQ9skIxNp9VEDlihw+ +WUbt3seLA6mGd+u/ZVH0jb6rXgc5du7lxmTCPQ6WO9XNkYES6IAjpEkCgYEA7Toi +mOmrFuK7Xs1bxmqYXikmCA4/VeftCtUI6TQcaarRi+FpK7s9TkV3guI2wJKroCI3 +F1aycy7rJnUDpHF+n8k8YDH92rA5cVw6KfQhianhT6pSeGw+nLaHjybfz0Rj0jvV +WrTcpIIlRbVGQ2gjNPx2hezIo8LDKKDafQJDDXMCgYApTcQgvFibSp5Y2FSiYUcq +pSrt+Ydr5haMBuEIuS5TsZOLHn9HZ2TcxcpUzMt9+I3DNfuAQICIz950DkLrHqNV +nsOT459VXxxJbrR+x0UYdbKz9ByQ8WMGfmuZPSdYcI2Zhv/3PoOJlOn9IFWf9BuS +1fpMylysrkzdfmQ5QFRHKQKBgD+uoIT+DVCqcvQjGqTsDpUQZMY61OPBy89hmu/H +bm0rTu9HBo2XyQBPA6MeCOavOOVW6gUY3/StvrBnLyAg24YXZl7IbMYdEn6M7IxA +nhQvh210YokzPaeiFEfofqJMUKOqLj8YWDbNPSY2YHNN7E2YDFUtWDsl2G/6pkxy +o/9jAoGAYEPMOLHdj5KnZvk7Dk0g0rfe6b35FBnWsHlkXegbMvRWWxbzO/drpJen +GQKEFBb7bVkUDNzDudyZLZ6UJfrZe8Gl80YKND2qC14fct2nqF4LaY5W06RqZeMf +VaPxzmsk0iElzD+fTYTaEEpUgBebV1Hr+lX6MFK8euSUYQKxkfg= -----END RSA PRIVATE KEY----- diff --git a/integration/fixtures/server.crt b/integration/fixtures/server.crt index 36ced758b..5c4061b58 100644 --- a/integration/fixtures/server.crt +++ b/integration/fixtures/server.crt @@ -1,24 +1,24 @@ -----BEGIN CERTIFICATE----- -MIIEEjCCAvqgAwIBAgIUb73oe3m2k5Mo/gUdCT5svl4yZFkwDQYJKoZIhvcNAQEL +MIIEEjCCAvqgAwIBAgIUGdF+EXdv6uZK+whLwNjB8qFyFXQwDQYJKoZIhvcNAQEL BQAwbzEMMAoGA1UEBhMDVVNBMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH Ew1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKEwRldGNkMRYwFAYDVQQLEw1ldGNkIFNl -Y3VyaXR5MQswCQYDVQQDEwJjYTAeFw0xNzA4MjExMDE4MDBaFw0yNzA4MTkxMDE4 +Y3VyaXR5MQswCQYDVQQDEwJjYTAeFw0xNzA5MjkwNjU0MDBaFw0yNzA5MjcwNjU0 MDBaMHgxDDAKBgNVBAYTA1VTQTETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UE BxMNU2FuIEZyYW5jaXNjbzENMAsGA1UEChMEZXRjZDEWMBQGA1UECxMNZXRjZCBT ZWN1cml0eTEUMBIGA1UEAxMLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUA -A4IBDwAwggEKAoIBAQDAAxwTw9CP0gpzk4D8MLjVlu8NOcT7cOkLOS97lA3VBM3p -EByoKe+eEzS92c0rE1rtYDma1TF04FAlgX+PA9iZ9jRIbITk1W5xljUb22fn6OQv -3Y1707Zy8gAtIO+P0SvY//F6Q98hfmB68sKvJfDTTli1iDfapXQvqpN/YmCjJ0ku -ORw9Ok9WIxLwwHBK5sx4HLKSqiuvnB6dfLBwdf5E8L+dCtdw2dbCmq8GBTNQyGRF -HFJtg9ashOpTJAc6omZr7epiVVj05NMivOex/Dkv2uKb8NfXojU6akbv6FfDlgH1 -5XqjwFGBZ5WOid4+Mu1SXAS1mZpEuKoOo2nULVB9AgMBAAGjgZwwgZkwDgYDVR0P +A4IBDwAwggEKAoIBAQC9AxnRD8ekAuOX8tjBXyhWewcLTI/G1+n7DgkTE90bKypo +MBCR5sQljt2TmQbjvFIXxZMxoHnFpg9cDOmi6Y7O7XoUSCLf4Aa/KJvomZbYvFLg +IPy8bjzh2e/M8+fgvOxyPysqsdLxbUh0jBVcYyiRfMyvzO2hN/BN42DDfnRcarnn +g3tlae8QbZPuGKGl4zelDHBaClVeXolMqbt5vZRin0ih/hc6Hpy6oHJYPKBSeqUE +Jugub/WN3UcKvv1mE++fzkFhEHS4t94HWB4rJyODg9glIgYMFMXarRhXMP4ZYm9h +beWr1NlA02p8GsffMYMDLhpmncyqlz430DVuQZRFAgMBAAGjgZwwgZkwDgYDVR0P AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMB -Af8EAjAAMB0GA1UdDgQWBBRGTQZYJ6MBqwCPj/pB0G17BhNIKTAfBgNVHSMEGDAW -gBRoJE96ipgtnKmI+iE2QhTKTCkYHDAaBgNVHREEEzARgglsb2NhbGhvc3SHBH8A -AAEwDQYJKoZIhvcNAQELBQADggEBALJ/GghSZd6aNReMv1nByxAVtBoaDjtYHYjo -3mMPB9kn2wi8HtMC/4jKmaGNGkjvsjMOePC2F2Rv5/F5vLR09CyyKsh8ahIZcibn -KohLRWHLCal14WOYuI5UfnBp6mzJieGueHhhk+GwRrVmGKx+FF2wscD8FM3tbtZY -GEOKHwovIA/wb5UHYK2LejjXmvWMbG2hdOse2tirD0GwV4e2LkSy7DlvJSI8/lnm -gLWbyZLXYvoE4jDMKzeGUQW37EC8d+4UXRjerUD6PrIzaEfKzBMWNcHmIn3ZCFLz -jjUTxwwfPak5iStInalbaY2jumydGgZxA44YFH9Y0OOH8yERkD4= +Af8EAjAAMB0GA1UdDgQWBBSjkU3B1yxW/jZluxM6SE77OUoF7zAfBgNVHSMEGDAW +gBQX1uJJuwcyp2vAJIzR8oyOhdnDCTAaBgNVHREEEzARgglsb2NhbGhvc3SHBH8A +AAEwDQYJKoZIhvcNAQELBQADggEBABlIZ03P+Xg1lGBVI9HKS7HONPYuT4mz0fQU +yFWtDnHcq63GflNh/G9X1tyUNAO/Z9CgRcgje978yrP0s8bw2HumbWTOthcEaTgy +ULxK53NP8SM6irp2tCbsb6bpK2wy56dmkzfLfnHJTaRFrVVZp25hZfZVub6L0mu2 +Yzejd9euweSrsSH6tFglLuFrv5zBplNuUqNMI9gngCpAzp/E/ABGeu9yje4oJ2go +Bd15lkkFJxzJFQW3l3di3aO2VT914PC24TPMAaPStmNUNil0lWvzlzQv5AT9qcAI +uUs+fojBVZfJZV2aUMqpMklNQcZM/BCu5Peh0DIQBr2f58mBMuY= -----END CERTIFICATE----- diff --git a/integration/fixtures/server.key.insecure b/integration/fixtures/server.key.insecure index 7db29d47d..978c1df05 100644 --- a/integration/fixtures/server.key.insecure +++ b/integration/fixtures/server.key.insecure @@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEAwAMcE8PQj9IKc5OA/DC41ZbvDTnE+3DpCzkve5QN1QTN6RAc -qCnvnhM0vdnNKxNa7WA5mtUxdOBQJYF/jwPYmfY0SGyE5NVucZY1G9tn5+jkL92N -e9O2cvIALSDvj9Er2P/xekPfIX5gevLCryXw005YtYg32qV0L6qTf2JgoydJLjkc -PTpPViMS8MBwSubMeByykqorr5wenXywcHX+RPC/nQrXcNnWwpqvBgUzUMhkRRxS -bYPWrITqUyQHOqJma+3qYlVY9OTTIrznsfw5L9rim/DX16I1OmpG7+hXw5YB9eV6 -o8BRgWeVjonePjLtUlwEtZmaRLiqDqNp1C1QfQIDAQABAoIBABHsuGRH9WJXs04S -yQnB6p9V1b8gU3k9kyPPFNWufpQSPL6zGFnCgHH7TQMkH/kTd3uNbhM8L7+/aPv3 -WNca/s9wonTYXJeYLRVBdnfBRbPqk9K8FgcnPnMAkG+mEXcVichaLErDp0LTL2KK -4w3Ctvai67kWnFA2/d+tRtOvdWIFkXO8V1NV6C0Ira8Wa1MJjDyB/2N7JWr0cf5C -W+h4TkNHFibGQobMhqn14AlhlY4////0is0/Co58iTAQlXrjhxL8zMd19Q405KO9 -uw2pf5KG4vpsDNbnbyWy9Ppd/6NqjN4xggF22dqUESQ9G6Dq4NorBsKoAqnJFNWv -pLcje6kCgYEA22ll1XHX93khQB386kxIqpVVoKJptNVfiMza8PYUGEaxMsKRprjx -AyHrc1poLj5T4TGn7RRwIEjcadH/22Y05TEBFIrY35YeRkeviXdWrkKWtZFLpJPI -Dtj2GZLXBzAsaZRW99BPjSLumaA0eaGmxO4llL8Vhdc8WjfLrWMJFBcCgYEA4AgI -9aGSkVE2mayugCjCe64g3v6fqbrxelYD0puY7yHtJFVkoec7iEngxrTVuIFGpAz8 -8TLWoPwsvefrSGOolvelStNwO+/O4jC7knm5UzCdkytS92N5fR3/UjbdgxBZmVqt -t9fXD8uauM0D+Hx5VnWf7azBSKg+sSK6LXiU2IsCgYA39dLGNKn7cUZ8vulBrMEf -2MSlGqdROtaJ4o24xVpssqMBKkTRu/uka+NMYXOOz9C+79Y/jmXmpg6pYqkaASBe -kDgRUDRuGjCQhjoMGobeHRepKWychiCRQN7LuPrk13GMYAwqWlPf0FgAkK6xkvwg -4AhvvqizoSjAbdih2U94cwKBgQCF4adhC06o0yzbB4w9AJ7BBN2WBfpql1KJ9m9Q -ZDYv6klqpjF+Y8568xOGDDmQiokprq1WgzgqeqlOUBOWbiApIBPCtLrkxroPCGp/ -7YhoA6yXb5OkTekjcVLM0gbstU+mSr94F1/pi5aKC9Lso45rsd2CTvQvNIRKnWM/ -m0jwYwKBgHsqQU2zNWdRrmkvFtar/wo09UWcM+dL18zy1DngEZLfJHwmjLZ2rgKb -5tnXqsIyBgVHgn/mHmhSZg+634ehvWPiB0zg0Skr8CRT5Ue1GhnCmkd7nf97xIqr -cPJ9Zjm+jyEWcckCYwVqToTeoHFqjoOGj+x07dtV8X7Z93+mbljL +MIIEpgIBAAKCAQEAvQMZ0Q/HpALjl/LYwV8oVnsHC0yPxtfp+w4JExPdGysqaDAQ +kebEJY7dk5kG47xSF8WTMaB5xaYPXAzpoumOzu16FEgi3+AGvyib6JmW2LxS4CD8 +vG484dnvzPPn4Lzscj8rKrHS8W1IdIwVXGMokXzMr8ztoTfwTeNgw350XGq554N7 +ZWnvEG2T7hihpeM3pQxwWgpVXl6JTKm7eb2UYp9Iof4XOh6cuqByWDygUnqlBCbo +Lm/1jd1HCr79ZhPvn85BYRB0uLfeB1geKycjg4PYJSIGDBTF2q0YVzD+GWJvYW3l +q9TZQNNqfBrH3zGDAy4aZp3Mqpc+N9A1bkGURQIDAQABAoIBAQCLwh41yrA44vX8 +5dFGcqE2CPQ1c6AgTIizXTZyh86HB0ztCxVFfNfuWYwXViCVBivBbhMfr+Q6tEZJ +LzcWghJZiZkqJAi9dz4l3NYjkGXMzruNBHc8sVqNOYOqDXOYZrmC5Jh7kk9CuybH +HsmwrZVStm/3UdUnz1/9h7KF+xv5NJ+sA0qEHvVO2AGOKVnxwJ9Jo7AvQB1XSzdr +AVR2yQto21rfbn6SEbwO1sHmt8R2Y+YLk2NFqp+k45RVW3ewNsa/nu5nyE6dd/68 +nH4vLmDU5E2gQvkNWnjcN0xDLnoHxB9wJErBi2QTal62yjXNctEkJUdxDvqbXwiV +LNQrR5jFAoGBAOYxnvi4WukqNTvLNQWPnaWnp2HZuMV0tSuwCjxVVSxxWxYYNq/p +O0manQ50nfmfPLsCgFdnYNTOSatWQD/5RtKt63akdoSVUbpgeyx6cskev2zh7+X7 +syyxOlStufXykBBCtxtrJBfUrEL0jlCIUPEL3zsATRITZT2R5w5uTPyPAoGBANIz +mPE3fgy7JHEaHAukyIaaneU4vXn14hFSTOhsQF8vHm08mFQRVCzxb4UvKRTFp+VJ +UKbiyKtbLkcALtu1McmzkPNOE2Sm5/wJvYXisrchzTOa4ywBt/n7UrzClLLy+FlB +MOyMsucCv3JezCW7cr4aq0bNwYYoJFCjrzwphvPrAoGBAIdzHUrXF89pYaeMe+eI +yUenbit6tGmjsdNCI9O6loKvNNy8ZLl/8L3vt4jBAA/ZLiAQabqEfwrZU6n495dt +M8pWQl4uifqb7lpP2UqjxpUnfZYxIDtgrt6Wbm9TRkA9eZ3H0/zTP4qyPqarRm6G +t7IOvUz3cWI4fXMMPjxUlQJrAoGBAKjR7eTVl7Pr3ZHE0X98gdyxc1y03GCGXWFi +AwisYGrR8hLzlrf2Du/lnJaP0OOw925MGq1d+KK/IYS+neOxO+JuCF2QeDzfW/Pt +cryD3Nr+F8t5ezhNzQ/FjKazdC/guhsdI4joW4rzhwT5I+auDLKnwqWj/OiddsUZ +IVUlWRCvAoGBAOSJ3ur9qZ9I/SdR62GZTw1CGoZVmpTheabyxQQuyUFNTI/4vQh5 +P5+bDzARuyHZV86CQmWp53kt2wor0w+ib1yA2lDAzTjfVpnJxe9rsKjrXVfreeqx +VO9Xy5EoGJu3kg6wsmWc0JHAJ29HuCNnllofjQmiRcYqPjUxtQAfnAqI -----END RSA PRIVATE KEY----- diff --git a/integration/fixtures/server2.crt b/integration/fixtures/server2.crt new file mode 100644 index 000000000..98a18298d --- /dev/null +++ b/integration/fixtures/server2.crt @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEEzCCAvugAwIBAgIURpz1nfYWl/lT2yZitiL/LVW6SZMwDQYJKoZIhvcNAQEL +BQAwbzEMMAoGA1UEBhMDVVNBMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH +Ew1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKEwRldGNkMRYwFAYDVQQLEw1ldGNkIFNl +Y3VyaXR5MQswCQYDVQQDEwJjYTAeFw0xNzA5MjkwNjU0MDBaFw0yNzA5MjcwNjU0 +MDBaMHkxDDAKBgNVBAYTA1VTQTETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UE +BxMNU2FuIEZyYW5jaXNjbzENMAsGA1UEChMEZXRjZDEWMBQGA1UECxMNZXRjZCBT +ZWN1cml0eTEVMBMGA1UEAxMMZXhhbXBsZTIuY29tMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAywxQ++cAL++7cHSACpohKAPMEUcYD/SyZnCAYkpIOJg4 +/4z2vsIhH8UMlrpP2j0OakDZorByljYNBV4JKJGWSJQlyONfWe3B1ElssoRkGdyX +Qluiz+C9P/kGKOZztyz86O9jrjTUXqjkQJLR/JltCWlEvxB6CTSJ0vL99cUwuxJ3 +HstwZ1kBCrmWAvLa4bjjWaicsZYhsBBmhJp72t7O4d/8hNtBg/vX0ny4f2yj6URQ +oTeR9tvTJ6w6lXDtLgEAdtlTubcvNfvzOuI/ZVR64Jb4YEdUUpFVE+oC2yj/irXS +P8zSI7+XZIAEOnn8Gw5ddgjdblvH+cwhuCqUDEVuewIDAQABo4GcMIGZMA4GA1Ud +DwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0T +AQH/BAIwADAdBgNVHQ4EFgQUbyM/QRgv8B8hkDVC91WA2sa/Q0AwHwYDVR0jBBgw +FoAUF9biSbsHMqdrwCSM0fKMjoXZwwkwGgYDVR0RBBMwEYIJbG9jYWxob3N0hwR/ +AAABMA0GCSqGSIb3DQEBCwUAA4IBAQBbMStTQJv8LiRlG4SE+RcZk+KvaNZAORoP +rNHYnIUncUiNavwd1uDywgf5sDHIM7AkTmPAwUG1V5SbnfDAZZMTZWLv26nUam0L +Yw3Wk4BqbMgPEh4AJgCuiOoJPEPjofmc+nVXdOEtKGAAWYiJWxL0WOnI+FESTVW4 +nQKB3/0+tRNebkdVWuxaiYZ2kuCffwE4zk2d9iWR2/pJmB2WB4xtOs8Dq3MzRqNN +PHvxoiI6GTgEC/0Mb21XYF1sZ4CXlQF5wHMRGimTZvn3XuzziuepmOwcG5VZnYcD +O/b2fZINj01SEet/y1P26OhR9CxLX6K1s0hQ6aYOzMK3Jd2ABL+7 +-----END CERTIFICATE----- diff --git a/integration/fixtures/server2.key.insecure b/integration/fixtures/server2.key.insecure new file mode 100644 index 000000000..047e40daf --- /dev/null +++ b/integration/fixtures/server2.key.insecure @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEAywxQ++cAL++7cHSACpohKAPMEUcYD/SyZnCAYkpIOJg4/4z2 +vsIhH8UMlrpP2j0OakDZorByljYNBV4JKJGWSJQlyONfWe3B1ElssoRkGdyXQlui +z+C9P/kGKOZztyz86O9jrjTUXqjkQJLR/JltCWlEvxB6CTSJ0vL99cUwuxJ3Hstw +Z1kBCrmWAvLa4bjjWaicsZYhsBBmhJp72t7O4d/8hNtBg/vX0ny4f2yj6URQoTeR +9tvTJ6w6lXDtLgEAdtlTubcvNfvzOuI/ZVR64Jb4YEdUUpFVE+oC2yj/irXSP8zS +I7+XZIAEOnn8Gw5ddgjdblvH+cwhuCqUDEVuewIDAQABAoIBACPRi2O0j1LlfnJL +Ct9T6y9s5A3UNclyyBnMFMnCAtWA/OUPz+M8ya0aDKt2OGnuRWG3CO1rJPuck1V0 +DjeK3zD0eWnjuklZ6MxzG2quch4hzMkW8zSql5f2bQDADn+svvy0ZigwB5qfPoyp +mcNuqU50tHzkAjMngnylAundHEiTm8bGlWbGUNaNud0hC01fsIYhQFPD7naJUb5V +eoduuBnLRLyY6VOkJT4En9z76MnK988wZeNjH861n0iqD/KDkoR2c+QSyJY01TYC +SPHMOe24+GNNqsyfVSxazQX7lPf2frXWFqPdnH3w1FHnhtT51H/tr90gCLbgX9Vu +N27SvSkCgYEA2Kbk4xBU0xoHDCJ9ADbEmA6VuG8jZWRSq3pKeP734f6t3v7sje9v +jbR3+X609zoCvg/N8OnrVMqvTxD4pGCGhLyKqCqRAuM/QzgeJ5fOkXnlTXHJAP1X +wMTEGZqDPMKW55wEgnvE1k5H2eZTGT3dgKHLSJibKgGGm2MS+rZ74XcCgYEA7+zr +qc7ziUM2ow6b+b91kdLzZMHmYrF5CRp+lPDpILxqGrEZBOxFDoaVKwbsNCoipaFI +6+wUDTbNny7KEZBwj/dQJVvC7xMhw1LIA23WbmVHcXxMdM6tud8PB1P8yRpI4rSB +VLpgB8Gf23AIqpB4r3C+/fne3le62NIoNaUDPB0CgYBelC0juwNszNX6xCuRplcY +knVl+I6ZOrykQ1SzkYshS48X5G3cYIRwdjJR5rCVpOuBkWC0JUooz/rMJ3qEN+dB +lxVo6Hw5qH77l0oCutDgzTf/IQdAuVhPvRZmnv9fzQsXvRJy7Bk3/SB8zYHFaS6D +cx5NaOGD6vqaZxvn+zYFbQKBgHL/J+V4IBqGcMWu1uvZ7Mw8RBTjKz3aupy2aj2R +Suw54tFwWQGXDXJs50p8QvKtz3V73KvXt7Sts9i8YHYSuSEH9Q4y8TgN/3zTTLL4 +DnNTb+7hGPRTq8kPNPDaPKtXQeAHjIXD3wtYrvpKtJysKmxMqf6pqT0A57nM4SD1 +OpuxAoGAOh4CXj5Jn6dvMusHChV+yEMybA5Nfk/2ctwYTDEuMlnKXV8+PghimlwB +Mrqjd99KtGFjeerkTzD+wqt2tPsnRvPrPYBwd3eM8k18dtonvk1nvxcReTRb6QSu +yGGJAuVfMNE2gL8D0qFcgf+Ss3AyWMglS8fxZnSUSMsXvdawCmo= +-----END RSA PRIVATE KEY----- diff --git a/pkg/transport/listener.go b/pkg/transport/listener.go index 33ba17fe1..38737e3e4 100644 --- a/pkg/transport/listener.go +++ b/pkg/transport/listener.go @@ -22,6 +22,7 @@ import ( "crypto/x509" "crypto/x509/pkix" "encoding/pem" + "errors" "fmt" "math/big" "net" @@ -76,6 +77,9 @@ type TLSInfo struct { // parseFunc exists to simplify testing. Typically, parseFunc // should be left nil. In that case, tls.X509KeyPair will be used. parseFunc func([]byte, []byte) (tls.Certificate, error) + + // AllowedCN is a CN which must be provided by a client. + AllowedCN string } func (info TLSInfo) String() string { @@ -174,6 +178,20 @@ func (info TLSInfo) baseConfig() (*tls.Config, error) { MinVersion: tls.VersionTLS12, ServerName: info.ServerName, } + + if info.AllowedCN != "" { + cfg.VerifyPeerCertificate = func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error { + for _, chains := range verifiedChains { + if len(chains) != 0 { + if info.AllowedCN == chains[0].Subject.CommonName { + return nil + } + } + } + return errors.New("CommonName authentication failed") + } + } + // this only reloads certs when there's a client request // TODO: support server-side refresh (e.g. inotify, SIGHUP), caching cfg.GetCertificate = func(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {