vitalif
/
etcd
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
14,686 Commits
21 Branches
406 Tags
79 MiB
Commit Graph

103 Commits (004e04a1d1882f3d1258db8114a49866a420abc7)

Author SHA1 Message Date
Gyuho Lee d37f1521b7 *: update import paths to "go.etcd.io/etcd" 
Signed-off-by: Gyuho Lee <leegyuho@amazon.com>
 2018-08-28 17:47:55 -07:00
Gyuho Lee 3fb9cc84c6 pkg/transport: add "TLSInfo.CipherSuites" field 
Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
 2018-06-05 12:27:05 -07:00
Gyuho Lee c862712c73 pkg/transport: remove unused parameter from "wrapTLS" 
Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
 2018-05-09 15:42:45 -07:00
Gyuho Lee 2bd88e378c pkg/transport: check nil logger 
Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
 2018-04-16 17:36:00 -07:00
Gyuho Lee 3f8d1738de pkg/transport: document how TLS reload works with IP only certs 
Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
 2018-04-13 14:19:37 -07:00
rob boll 88c078d4bd pkg/transport: don't set certificates on tls config 2018-04-13 13:17:27 -07:00
Gyuho Lee 7f812ca8e1 pkg/proxy: move from "pkg/transport" 
Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
 2018-04-05 11:06:30 -07:00
Gyuho Lee 322437f47d pkg/transport: log tlsutil.NewCert errors 
Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
 2018-04-02 13:42:09 -07:00
Gyuho Lee d44332daa9 proxy: clean up logging 
Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
 2018-03-30 11:25:23 -07:00
Gyuho Lee 759fcb6e70 pkg/transport: deprecate "CAFile" field 
Has been deprecated since v2.1...

Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
 2018-03-20 15:38:05 -07:00
Gyuho Lee ab486e5348 pkg/transport: implement "Proxy" 
Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
 2018-01-24 17:37:09 -08:00
Gyuho Lee 114a7779c9 pkg/transport: add "fixtures" for TLS tests 
Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
 2018-01-24 17:37:09 -08:00
Gyu-Ho Lee 75110dd839 *: fix naked returns 
Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
 2017-11-10 18:46:15 -08:00
Gyu-Ho Lee 1f2197b1f8 pkg/transport: add TODO to deprecate 'CAFile' field in v4 
Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
 2017-10-04 14:01:01 -07:00
Hitoshi Mitake 70018e9207 etcdmain, pkg: CN based auth for inter peer connection 
This commit adds an authentication mechanism to inter peer connection
(rafthttp). If the cert based peer auth is enabled and a new option
`--peer-cert-allowed-cn` is passed, an etcd process denies a peer
connection whose CN doesn't match.
 2017-10-02 15:59:17 +09:00
Anthony Romano e9a7f3551b Merge pull request #8281 from heyitsanthony/san-rdns 
transport: use reverse lookup to match wildcard DNS SAN
 2017-07-22 08:02:57 -07:00
Anthony Romano b1aa962233 transport: use reverse lookup to match wildcard DNS SAN 
Fixes #8268
 2017-07-21 16:43:25 -07:00
Anthony Romano 426ad25924 transport: include InsecureSkipVerify in TLSInfo 
Some functions take a TLSInfo to generate a tls.Config and there was no
way to force the InsecureSkipVerify flag.
 2017-07-21 11:00:22 -07:00
Anthony Romano ab95eb0795 transport: accept connection if matched IP SAN but no DNS match 
The IP SAN check would always do a DNS SAN check if DNS is given
and the connection's IP is verified. Instead, don't check DNS
entries if there's a matching iP.

Fixes #8206
 2017-07-06 16:11:53 -07:00
Anthony Romano 322976bedc transport: CRL checking 2017-06-19 15:23:41 -07:00
Gyu-Ho Lee d690634bd6 *: remove unused, fix typos 
Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
 2017-05-18 12:11:18 -07:00
Tony Grosinger 4e21f87e3d pkg/transport: reload TLS certificates for every client requests 
This changes the baseConfig used when creating tls Configs to utilize
the GetCertificate and GetClientCertificate functions to always reload
the certificates from disk whenever they are needed.

Always reloading the certificates allows changing the certificates via
an external process without interrupting etcd.

Fixes #7576

Cherry-picked by Gyu-Ho Lee <gyuhox@gmail.com>
Original commit can be found at https://github.com/coreos/etcd/pull/7784
 2017-04-27 11:22:03 -07:00
Anthony Romano 05582ad5b2 transport: resolve DNSNames when SAN checking 
The current transport client TLS checking will pass an IP address into
VerifyHostnames if there is DNSNames SAN. However, the go runtime will
not resolve the DNS names to match the client IP. Intead, resolve the
names when checking.
 2017-04-18 13:21:26 -07:00
Gyu-Ho Lee 8aaa1ed911 *: use '*tls.Config.Clone' in Go 1.8 
Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
 2017-04-17 20:08:27 -07:00
Anthony Romano 1153e1e7d9 Merge pull request #7687 from heyitsanthony/deny-tls-ipsan 
transport: deny incoming peer certs with wrong IP SAN
 2017-04-13 15:03:25 -07:00
Gyu-Ho Lee 8ce579aac9 pkg/transport: add 'IsClosedConnError' 
Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
 2017-04-13 11:55:18 -07:00
Anthony Romano 70a9929b5d transport: use actual certs for listener tests 2017-04-12 13:41:33 -07:00
Anthony Romano cad1215b18 *: deny incoming peer certs with wrong IP SAN 2017-04-12 13:41:33 -07:00
Anthony Romano d42c1f5131 Merge pull request #7646 from andelf/fix-unix-socket-url 
*: fix a bug in handling unix socket urls
 2017-04-05 09:24:38 -07:00
andelf 4f27981c46 *: fix a bug in handling unix socket urls 
Now use url.Host + url.Path as unix socket path

Fixes #7644
 2017-04-05 14:33:13 +08:00
Gyu-Ho Lee 8a7a548a6d pkg/transport: remove port in Certificate.IPAddresses 
etcd passes 'url.URL.Host' to 'SelfCert' which contains
client, peer port. 'net.ParseIP("127.0.0.1:2379")' returns
'nil', and the client on this self-cert will see errors
of '127.0.0.1 because it doesn't contain any IP SANs'

Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
 2017-04-04 09:44:59 -07:00
Anthony Romano 2f1542c06d *: use filepath.Join for files 2017-03-16 07:46:06 -07:00
Gyu-Ho Lee 3d75395875 *: remove never-unused vars, minor lint fix 
Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
 2017-03-06 14:59:12 -08:00
David Cheney 9b84127739 pkg/transport: remove dependency on pkg/fileutils 
4a0f922 changed SelfCert to use a helper from pkg/fileutils which
introduced a transitive dependency on coreos/pkg/capnslog. This means
anyone who imports pkg/transport to use TLS with the clientv3 library
has the default stdlib logger hijacked by capnslog.

This PR reverts 4a0f922. There are no tests because 4a0f922 contained no
test and was not attached to a PR.

Fixes #7350
 2017-02-20 12:32:04 +11:00
Laurie Clark-Michalek eba41cd7b3
pkg/transport: Obey the usual laws of ssl when using a private PKI 2017-01-15 21:27:53 +00:00
Anthony Romano da8fd18d8e transport: warn on user-provided CA 
ServerName is ignored for a user-provided CA for backwards compatibility. This
breaks PKI, so warn it is deprecated.
 2017-01-12 09:10:05 -08:00
Gyu-Ho Lee 629d9e7dab Revert "pkg/transport: update tls.Config copy method" 2016-09-19 15:07:12 +09:00
Gyu-Ho Lee 8c9a88c7d4 pkg/transport: update tls.Config copy method 
For Go 1.7
 2016-09-18 22:50:45 +09:00
Xiang Li 7a48ca4cea embed: fix go 1.7 http issue 
go 1.7 introduces HTTP2 compability issue. Now we
need to explicitly enable HTTP2 when TLS is set.
 2016-09-18 18:38:55 +08:00
Anthony Romano 3b92384394 pkg/transport: bump wait time in TestReadWriteTimeoutDialer for write deadline 
Was able to get 2s wait times with 500 concurrent requests on a fast machine;
a slower machine could possibly see similar delays with a single connection.

Fixes #6220
 2016-08-22 15:30:44 -07:00
Gyu-Ho Lee c38f0290a7 pkg/transport: fix minor typo 2016-08-04 16:00:18 -07:00
Anthony Romano cd781bf30c transport: add ServerName to TLSConfig and add ValidateSecureEndpoints 
ServerName prevents accepting forged SRV records with cross-domain
credentials. ValidateSecureEndpoints prevents downgrade attacks from SRV
records.
 2016-08-03 22:28:03 -07:00
Gyu-Ho Lee c8cc87c3f5 pkg/transport: update scheme to unix copying URL 2016-08-03 10:35:28 -07:00
Anthony Romano 99e0655c2f transport: wrap timeout listener with tls listener 
Otherwise the listener will return timeoutConn's, causing a type
assertion to tls.Conn in net.http to fail so http.Request.TLS is never set.
 2016-07-19 16:47:14 -07:00
Xiang Li 3839a55910 *: fix issue found in fast lease renew 2016-07-15 15:07:15 -07:00
Anthony Romano fc1a226d15 pkg/transport: unix domain socket listener and transport 2016-06-24 21:04:31 -07:00
Gyu-Ho Lee 4a0f922a6c pkg/transport: use TouchDirAll 2016-06-22 15:57:55 -07:00
Gyu-Ho Lee 6557ef7cd8 *: copy all exported members in tls.Config 
Without this, go vet complains

assignment copies lock value to n: crypto/tls.Config contains sync.Once
contains sync.Mutex
 2016-06-22 12:04:08 -07:00
Xiang Li 8b28c647ea transport: require tls12 2016-06-02 09:38:56 -07:00
Gyu-Ho Lee 8b77de4e99 pkg: update LICENSE header 2016-05-12 20:48:53 -07:00