vitalif
/
etcd
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
13,209 Commits
21 Branches
406 Tags
79 MiB
Commit Graph

93 Commits (e9969aae7e590fda17e41df4c44a39ec4c35fb3b)

Author SHA1 Message Date
Gyuho Lee ab486e5348 pkg/transport: implement "Proxy" 
Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
 2018-01-24 17:37:09 -08:00
Gyuho Lee 114a7779c9 pkg/transport: add "fixtures" for TLS tests 
Signed-off-by: Gyuho Lee <gyuhox@gmail.com>
 2018-01-24 17:37:09 -08:00
Gyu-Ho Lee 75110dd839 *: fix naked returns 
Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
 2017-11-10 18:46:15 -08:00
Gyu-Ho Lee 1f2197b1f8 pkg/transport: add TODO to deprecate 'CAFile' field in v4 
Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
 2017-10-04 14:01:01 -07:00
Hitoshi Mitake 70018e9207 etcdmain, pkg: CN based auth for inter peer connection 
This commit adds an authentication mechanism to inter peer connection
(rafthttp). If the cert based peer auth is enabled and a new option
`--peer-cert-allowed-cn` is passed, an etcd process denies a peer
connection whose CN doesn't match.
 2017-10-02 15:59:17 +09:00
Anthony Romano e9a7f3551b Merge pull request #8281 from heyitsanthony/san-rdns 
transport: use reverse lookup to match wildcard DNS SAN
 2017-07-22 08:02:57 -07:00
Anthony Romano b1aa962233 transport: use reverse lookup to match wildcard DNS SAN 
Fixes #8268
 2017-07-21 16:43:25 -07:00
Anthony Romano 426ad25924 transport: include InsecureSkipVerify in TLSInfo 
Some functions take a TLSInfo to generate a tls.Config and there was no
way to force the InsecureSkipVerify flag.
 2017-07-21 11:00:22 -07:00
Anthony Romano ab95eb0795 transport: accept connection if matched IP SAN but no DNS match 
The IP SAN check would always do a DNS SAN check if DNS is given
and the connection's IP is verified. Instead, don't check DNS
entries if there's a matching iP.

Fixes #8206
 2017-07-06 16:11:53 -07:00
Anthony Romano 322976bedc transport: CRL checking 2017-06-19 15:23:41 -07:00
Gyu-Ho Lee d690634bd6 *: remove unused, fix typos 
Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
 2017-05-18 12:11:18 -07:00
Tony Grosinger 4e21f87e3d pkg/transport: reload TLS certificates for every client requests 
This changes the baseConfig used when creating tls Configs to utilize
the GetCertificate and GetClientCertificate functions to always reload
the certificates from disk whenever they are needed.

Always reloading the certificates allows changing the certificates via
an external process without interrupting etcd.

Fixes #7576

Cherry-picked by Gyu-Ho Lee <gyuhox@gmail.com>
Original commit can be found at https://github.com/coreos/etcd/pull/7784
 2017-04-27 11:22:03 -07:00
Anthony Romano 05582ad5b2 transport: resolve DNSNames when SAN checking 
The current transport client TLS checking will pass an IP address into
VerifyHostnames if there is DNSNames SAN. However, the go runtime will
not resolve the DNS names to match the client IP. Intead, resolve the
names when checking.
 2017-04-18 13:21:26 -07:00
Gyu-Ho Lee 8aaa1ed911 *: use '*tls.Config.Clone' in Go 1.8 
Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
 2017-04-17 20:08:27 -07:00
Anthony Romano 1153e1e7d9 Merge pull request #7687 from heyitsanthony/deny-tls-ipsan 
transport: deny incoming peer certs with wrong IP SAN
 2017-04-13 15:03:25 -07:00
Gyu-Ho Lee 8ce579aac9 pkg/transport: add 'IsClosedConnError' 
Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
 2017-04-13 11:55:18 -07:00
Anthony Romano 70a9929b5d transport: use actual certs for listener tests 2017-04-12 13:41:33 -07:00
Anthony Romano cad1215b18 *: deny incoming peer certs with wrong IP SAN 2017-04-12 13:41:33 -07:00
Anthony Romano d42c1f5131 Merge pull request #7646 from andelf/fix-unix-socket-url 
*: fix a bug in handling unix socket urls
 2017-04-05 09:24:38 -07:00
andelf 4f27981c46 *: fix a bug in handling unix socket urls 
Now use url.Host + url.Path as unix socket path

Fixes #7644
 2017-04-05 14:33:13 +08:00
Gyu-Ho Lee 8a7a548a6d pkg/transport: remove port in Certificate.IPAddresses 
etcd passes 'url.URL.Host' to 'SelfCert' which contains
client, peer port. 'net.ParseIP("127.0.0.1:2379")' returns
'nil', and the client on this self-cert will see errors
of '127.0.0.1 because it doesn't contain any IP SANs'

Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
 2017-04-04 09:44:59 -07:00
Anthony Romano 2f1542c06d *: use filepath.Join for files 2017-03-16 07:46:06 -07:00
Gyu-Ho Lee 3d75395875 *: remove never-unused vars, minor lint fix 
Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
 2017-03-06 14:59:12 -08:00
David Cheney 9b84127739 pkg/transport: remove dependency on pkg/fileutils 
4a0f922 changed SelfCert to use a helper from pkg/fileutils which
introduced a transitive dependency on coreos/pkg/capnslog. This means
anyone who imports pkg/transport to use TLS with the clientv3 library
has the default stdlib logger hijacked by capnslog.

This PR reverts 4a0f922. There are no tests because 4a0f922 contained no
test and was not attached to a PR.

Fixes #7350
 2017-02-20 12:32:04 +11:00
Laurie Clark-Michalek eba41cd7b3
pkg/transport: Obey the usual laws of ssl when using a private PKI 2017-01-15 21:27:53 +00:00
Anthony Romano da8fd18d8e transport: warn on user-provided CA 
ServerName is ignored for a user-provided CA for backwards compatibility. This
breaks PKI, so warn it is deprecated.
 2017-01-12 09:10:05 -08:00
Gyu-Ho Lee 629d9e7dab Revert "pkg/transport: update tls.Config copy method" 2016-09-19 15:07:12 +09:00
Gyu-Ho Lee 8c9a88c7d4 pkg/transport: update tls.Config copy method 
For Go 1.7
 2016-09-18 22:50:45 +09:00
Xiang Li 7a48ca4cea embed: fix go 1.7 http issue 
go 1.7 introduces HTTP2 compability issue. Now we
need to explicitly enable HTTP2 when TLS is set.
 2016-09-18 18:38:55 +08:00
Anthony Romano 3b92384394 pkg/transport: bump wait time in TestReadWriteTimeoutDialer for write deadline 
Was able to get 2s wait times with 500 concurrent requests on a fast machine;
a slower machine could possibly see similar delays with a single connection.

Fixes #6220
 2016-08-22 15:30:44 -07:00
Gyu-Ho Lee c38f0290a7 pkg/transport: fix minor typo 2016-08-04 16:00:18 -07:00
Anthony Romano cd781bf30c transport: add ServerName to TLSConfig and add ValidateSecureEndpoints 
ServerName prevents accepting forged SRV records with cross-domain
credentials. ValidateSecureEndpoints prevents downgrade attacks from SRV
records.
 2016-08-03 22:28:03 -07:00
Gyu-Ho Lee c8cc87c3f5 pkg/transport: update scheme to unix copying URL 2016-08-03 10:35:28 -07:00
Anthony Romano 99e0655c2f transport: wrap timeout listener with tls listener 
Otherwise the listener will return timeoutConn's, causing a type
assertion to tls.Conn in net.http to fail so http.Request.TLS is never set.
 2016-07-19 16:47:14 -07:00
Xiang Li 3839a55910 *: fix issue found in fast lease renew 2016-07-15 15:07:15 -07:00
Anthony Romano fc1a226d15 pkg/transport: unix domain socket listener and transport 2016-06-24 21:04:31 -07:00
Gyu-Ho Lee 4a0f922a6c pkg/transport: use TouchDirAll 2016-06-22 15:57:55 -07:00
Gyu-Ho Lee 6557ef7cd8 *: copy all exported members in tls.Config 
Without this, go vet complains

assignment copies lock value to n: crypto/tls.Config contains sync.Once
contains sync.Mutex
 2016-06-22 12:04:08 -07:00
Xiang Li 8b28c647ea transport: require tls12 2016-06-02 09:38:56 -07:00
Gyu-Ho Lee 8b77de4e99 pkg: update LICENSE header 2016-05-12 20:48:53 -07:00
Xiang Li eb3919e8cf *: move baisc tls util funcs to tlsutil pkg 2016-03-31 09:45:45 -07:00
Xiang Li 900a61b023 *: http and https on the same port 2016-03-23 10:28:38 -07:00
Nick Owens d80a546ed4 pkg/transport: use ProxyFromEnvironment when constructing a transport 
this allows use of HTTP_PROXY/HTTPS_PROXY for etcdctl.
 2016-03-21 21:02:42 -07:00
Anthony Romano a69c709839 pkg/transport: generate certs 2016-03-21 11:38:23 -07:00
Gyu-Ho Lee dae7e009b0 *: godoc clean up 2016-03-19 14:19:23 -07:00
Anthony Romano 20461ab11a *: fix many typos 2016-01-31 21:42:39 -08:00
Xiang Li 72ffa74476 pkg/transport: update timeout transport to reuse conn when timeout is not set 2016-01-25 06:55:54 +08:00
Gyu-Ho Lee b6077f9d57 *: fix minor typos 2016-01-14 01:28:29 -08:00
Anthony Romano 811fbc5672 etcdmain: support keep alive listeners on limit listener connections 
Fixes #4171
 2016-01-08 10:11:31 -08:00
Gyu-Ho Lee f76166a041 *: fix minor typos 2016-01-08 00:21:19 -08:00