WIP embed: requests for grpc gateway must have empty CN if --client-c…

…ert-auth is passed
etcd-io · Jan 3, 2019 · 28265e7 · 28265e7
1 parent 49c60fa
commit 28265e7
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/embed/serve.go b/embed/serve.go
@@ -331,6 +331,16 @@ func (ac *accessController) ServeHTTP(rw http.ResponseWriter, req *http.Request)
 			http.Error(rw, errCVE20185702(host), 421)
 			return
 		}
+	} else if ac.s.Cfg.ClientCertAuthEnabled {
+		for _, chains := range req.TLS.VerifiedChains {
+			if len(chains) < 1 {
+				continue
+			}
+			if len(chains[0].Subject.CommonName) != 0 {
+				http.Error(rw, "client sending requests against gateway must have empty CommonName in its cert", 400)
+				return
+			}
+		}
 	}
 
 	// Write CORS header.