Gyuho Lee
ab486e5348
pkg/transport: implement "Proxy"
...
Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-01-24 17:37:09 -08:00
Gyuho Lee
114a7779c9
pkg/transport: add "fixtures" for TLS tests
...
Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
2018-01-24 17:37:09 -08:00
Gyu-Ho Lee
75110dd839
*: fix naked returns
...
Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
2017-11-10 18:46:15 -08:00
Gyu-Ho Lee
1f2197b1f8
pkg/transport: add TODO to deprecate 'CAFile' field in v4
...
Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
2017-10-04 14:01:01 -07:00
Hitoshi Mitake
70018e9207
etcdmain, pkg: CN based auth for inter peer connection
...
This commit adds an authentication mechanism to inter peer connection
(rafthttp). If the cert based peer auth is enabled and a new option
`--peer-cert-allowed-cn` is passed, an etcd process denies a peer
connection whose CN doesn't match.
2017-10-02 15:59:17 +09:00
Anthony Romano
e9a7f3551b
Merge pull request #8281 from heyitsanthony/san-rdns
...
transport: use reverse lookup to match wildcard DNS SAN
2017-07-22 08:02:57 -07:00
Anthony Romano
b1aa962233
transport: use reverse lookup to match wildcard DNS SAN
...
Fixes #8268
2017-07-21 16:43:25 -07:00
Anthony Romano
426ad25924
transport: include InsecureSkipVerify in TLSInfo
...
Some functions take a TLSInfo to generate a tls.Config and there was no
way to force the InsecureSkipVerify flag.
2017-07-21 11:00:22 -07:00
Anthony Romano
ab95eb0795
transport: accept connection if matched IP SAN but no DNS match
...
The IP SAN check would always do a DNS SAN check if DNS is given
and the connection's IP is verified. Instead, don't check DNS
entries if there's a matching iP.
Fixes #8206
2017-07-06 16:11:53 -07:00
Anthony Romano
322976bedc
transport: CRL checking
2017-06-19 15:23:41 -07:00
Gyu-Ho Lee
d690634bd6
*: remove unused, fix typos
...
Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
2017-05-18 12:11:18 -07:00
Tony Grosinger
4e21f87e3d
pkg/transport: reload TLS certificates for every client requests
...
This changes the baseConfig used when creating tls Configs to utilize
the GetCertificate and GetClientCertificate functions to always reload
the certificates from disk whenever they are needed.
Always reloading the certificates allows changing the certificates via
an external process without interrupting etcd.
Fixes #7576
Cherry-picked by Gyu-Ho Lee <gyuhox@gmail.com>
Original commit can be found at https://github.com/coreos/etcd/pull/7784
2017-04-27 11:22:03 -07:00
Anthony Romano
05582ad5b2
transport: resolve DNSNames when SAN checking
...
The current transport client TLS checking will pass an IP address into
VerifyHostnames if there is DNSNames SAN. However, the go runtime will
not resolve the DNS names to match the client IP. Intead, resolve the
names when checking.
2017-04-18 13:21:26 -07:00
Gyu-Ho Lee
8aaa1ed911
*: use '*tls.Config.Clone' in Go 1.8
...
Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
2017-04-17 20:08:27 -07:00
Anthony Romano
1153e1e7d9
Merge pull request #7687 from heyitsanthony/deny-tls-ipsan
...
transport: deny incoming peer certs with wrong IP SAN
2017-04-13 15:03:25 -07:00
Gyu-Ho Lee
8ce579aac9
pkg/transport: add 'IsClosedConnError'
...
Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
2017-04-13 11:55:18 -07:00
Anthony Romano
70a9929b5d
transport: use actual certs for listener tests
2017-04-12 13:41:33 -07:00
Anthony Romano
cad1215b18
*: deny incoming peer certs with wrong IP SAN
2017-04-12 13:41:33 -07:00
Anthony Romano
d42c1f5131
Merge pull request #7646 from andelf/fix-unix-socket-url
...
*: fix a bug in handling unix socket urls
2017-04-05 09:24:38 -07:00
andelf
4f27981c46
*: fix a bug in handling unix socket urls
...
Now use url.Host + url.Path as unix socket path
Fixes #7644
2017-04-05 14:33:13 +08:00
Gyu-Ho Lee
8a7a548a6d
pkg/transport: remove port in Certificate.IPAddresses
...
etcd passes 'url.URL.Host' to 'SelfCert' which contains
client, peer port. 'net.ParseIP("127.0.0.1:2379")' returns
'nil', and the client on this self-cert will see errors
of '127.0.0.1 because it doesn't contain any IP SANs'
Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
2017-04-04 09:44:59 -07:00
Anthony Romano
2f1542c06d
*: use filepath.Join for files
2017-03-16 07:46:06 -07:00
Gyu-Ho Lee
3d75395875
*: remove never-unused vars, minor lint fix
...
Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
2017-03-06 14:59:12 -08:00
David Cheney
9b84127739
pkg/transport: remove dependency on pkg/fileutils
...
4a0f922
changed SelfCert to use a helper from pkg/fileutils which
introduced a transitive dependency on coreos/pkg/capnslog. This means
anyone who imports pkg/transport to use TLS with the clientv3 library
has the default stdlib logger hijacked by capnslog.
This PR reverts 4a0f922
. There are no tests because 4a0f922
contained no
test and was not attached to a PR.
Fixes #7350
2017-02-20 12:32:04 +11:00
Laurie Clark-Michalek
eba41cd7b3
pkg/transport: Obey the usual laws of ssl when using a private PKI
2017-01-15 21:27:53 +00:00
Anthony Romano
da8fd18d8e
transport: warn on user-provided CA
...
ServerName is ignored for a user-provided CA for backwards compatibility. This
breaks PKI, so warn it is deprecated.
2017-01-12 09:10:05 -08:00
Gyu-Ho Lee
629d9e7dab
Revert "pkg/transport: update tls.Config copy method"
2016-09-19 15:07:12 +09:00
Gyu-Ho Lee
8c9a88c7d4
pkg/transport: update tls.Config copy method
...
For Go 1.7
2016-09-18 22:50:45 +09:00
Xiang Li
7a48ca4cea
embed: fix go 1.7 http issue
...
go 1.7 introduces HTTP2 compability issue. Now we
need to explicitly enable HTTP2 when TLS is set.
2016-09-18 18:38:55 +08:00
Anthony Romano
3b92384394
pkg/transport: bump wait time in TestReadWriteTimeoutDialer for write deadline
...
Was able to get 2s wait times with 500 concurrent requests on a fast machine;
a slower machine could possibly see similar delays with a single connection.
Fixes #6220
2016-08-22 15:30:44 -07:00
Gyu-Ho Lee
c38f0290a7
pkg/transport: fix minor typo
2016-08-04 16:00:18 -07:00
Anthony Romano
cd781bf30c
transport: add ServerName to TLSConfig and add ValidateSecureEndpoints
...
ServerName prevents accepting forged SRV records with cross-domain
credentials. ValidateSecureEndpoints prevents downgrade attacks from SRV
records.
2016-08-03 22:28:03 -07:00
Gyu-Ho Lee
c8cc87c3f5
pkg/transport: update scheme to unix copying URL
2016-08-03 10:35:28 -07:00
Anthony Romano
99e0655c2f
transport: wrap timeout listener with tls listener
...
Otherwise the listener will return timeoutConn's, causing a type
assertion to tls.Conn in net.http to fail so http.Request.TLS is never set.
2016-07-19 16:47:14 -07:00
Xiang Li
3839a55910
*: fix issue found in fast lease renew
2016-07-15 15:07:15 -07:00
Anthony Romano
fc1a226d15
pkg/transport: unix domain socket listener and transport
2016-06-24 21:04:31 -07:00
Gyu-Ho Lee
4a0f922a6c
pkg/transport: use TouchDirAll
2016-06-22 15:57:55 -07:00
Gyu-Ho Lee
6557ef7cd8
*: copy all exported members in tls.Config
...
Without this, go vet complains
assignment copies lock value to n: crypto/tls.Config contains sync.Once
contains sync.Mutex
2016-06-22 12:04:08 -07:00
Xiang Li
8b28c647ea
transport: require tls12
2016-06-02 09:38:56 -07:00
Gyu-Ho Lee
8b77de4e99
pkg: update LICENSE header
2016-05-12 20:48:53 -07:00
Xiang Li
eb3919e8cf
*: move baisc tls util funcs to tlsutil pkg
2016-03-31 09:45:45 -07:00
Xiang Li
900a61b023
*: http and https on the same port
2016-03-23 10:28:38 -07:00
Nick Owens
d80a546ed4
pkg/transport: use ProxyFromEnvironment when constructing a transport
...
this allows use of HTTP_PROXY/HTTPS_PROXY for etcdctl.
2016-03-21 21:02:42 -07:00
Anthony Romano
a69c709839
pkg/transport: generate certs
2016-03-21 11:38:23 -07:00
Gyu-Ho Lee
dae7e009b0
*: godoc clean up
2016-03-19 14:19:23 -07:00
Anthony Romano
20461ab11a
*: fix many typos
2016-01-31 21:42:39 -08:00
Xiang Li
72ffa74476
pkg/transport: update timeout transport to reuse conn when timeout is not set
2016-01-25 06:55:54 +08:00
Gyu-Ho Lee
b6077f9d57
*: fix minor typos
2016-01-14 01:28:29 -08:00
Anthony Romano
811fbc5672
etcdmain: support keep alive listeners on limit listener connections
...
Fixes #4171
2016-01-08 10:11:31 -08:00
Gyu-Ho Lee
f76166a041
*: fix minor typos
2016-01-08 00:21:19 -08:00