vitalif
/
etcd
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
etcd/pkg/transport
History
Kelsey Hightower 8dd8b1cdc2 etcd: server SSL and client cert auth configuration is more explicit 
etcd does not provide enough flexibility to configure server SSL and
client authentication separately. When configuring server SSL the
`--ca-file` flag is required to trust self-signed SSL certificates
used to service client requests.

The `--ca-file` has the side effect of enabling client cert
authentication. This can be surprising for those looking to simply
secure communication between an etcd server and client.

Resolve this issue by introducing four new flags:

    --client-cert-auth
    --peer-client-cert-auth
    --trusted-ca-file
    --peer-trusted-ca-file

These new flags will allow etcd to support a more explicit SSL
configuration for both etcd clients and peers.

Example usage:

Start etcd with server SSL and no client cert authentication:

    etcd -name etcd0 \
    --advertise-client-urls https://etcd0.example.com:2379 \
    --cert-file etcd0.example.com.crt \
    --key-file etcd0.example.com.key \
    --trusted-ca-file ca.crt

Start etcd with server SSL and enable client cert authentication:

    etcd -name etcd0 \
    --advertise-client-urls https://etcd0.example.com:2379 \
    --cert-file etcd0.example.com.crt \
    --key-file etcd0.example.com.key \
    --trusted-ca-file ca.crt \
    --client-cert-auth

Start etcd with server SSL and client cert authentication for both
peer and client endpoints:

    etcd -name etcd0 \
    --advertise-client-urls https://etcd0.example.com:2379 \
    --cert-file etcd0.example.com.crt \
    --key-file etcd0.example.com.key \
    --trusted-ca-file ca.crt \
    --client-cert-auth \
    --peer-cert-file etcd0.example.com.crt \
    --peer-key-file etcd0.example.com.key \
    --peer-trusted-ca-file ca.crt \
    --peer-client-cert-auth

This change is backwards compatible with etcd versions 2.0.0+. The
current behavior of the `--ca-file` flag is preserved.

Fixes #2499.
 		2015-03-12 23:09:54 -07:00
..
keepalive_listener.go pkg/transport: fix tlskeepalive 2015-01-29 09:42:48 -08:00
keepalive_listener_test.go pkg/transport: fix tlskeepalive 2015-01-29 09:42:48 -08:00
listener.go etcd: server SSL and client cert auth configuration is more explicit 2015-03-12 23:09:54 -07:00
listener_test.go pkg/transport: fix downgrade https to http bug in transport 2015-03-06 10:42:23 -08:00
timeout_conn.go *: switch to line comments for copyright 2015-01-26 09:53:30 -08:00
timeout_dialer.go *: switch to line comments for copyright 2015-01-26 09:53:30 -08:00
timeout_dialer_test.go *: switch to line comments for copyright 2015-01-26 09:53:30 -08:00
timeout_listener.go *: switch to line comments for copyright 2015-01-26 09:53:30 -08:00
timeout_listener_test.go *: switch to line comments for copyright 2015-01-26 09:53:30 -08:00
timeout_transport.go pkg/transport: set the maxIdleConnsPerHost to -1 2015-03-02 21:52:03 -08:00
timeout_transport_test.go pkg/transport: set the maxIdleConnsPerHost to -1 2015-03-02 21:52:03 -08:00