-
Notifications
You must be signed in to change notification settings - Fork 9.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Grpc proxy with tls auth #11970
Comments
In some cases, grpc-proxy can be used with CN based auth. Fixes etcd-io#11970 Signed-off-by: Patrik Cyvoct <patrik@ptrk.io>
This issue has been automatically marked as stale because it has not had recent activity. It will be closed after 21 days if no further activity occurs. Thank you for your contributions. |
/cc @mitake - looks like you had a lot of contributions around the logic For the reference docs:
I spotted the errors by running this and seeing test failures. Generation of server certicate with CN="" helps.
My understanding of the goal and situation:
So my intuition is that only --cert flag (and not --cert-file flag) should be validated for empty CN. Will check whether it matches server behavior. @mitake: Hitoshi: Does it make sense what I wrote above ? |
Unfortunately it seems that CN is required for both --cert and --cert-file flag. It seems that the verification happens in that line: Line 205 in c20cc05
It seems suspicious that to create a proxy server we need to create a proxy-client that speaks to this server for purpose of healhtchecking. At least it should not verify CN="" , but I'm curious why its needed in the first place. @tangcong - could you, please, comment in context of 0898c5b |
@tangcong: I think that this line: Line 184 in c20cc05
should pass additional flag to set EmptyCN: False in this context. Offtopic: In general I'm surprised by a practice that /healthcheck handlers are creating a public connection to themselves. It's complicated and has not trivial security implications. Usually /healtcheck is checking internal state, sometimes triggering some 'internal' logic (like Watch from your example), but without doing public connection. The part of 'connection' is already verified by prober being able to reach the server - and there is no reason for another layer of connections. |
I will take a closer look later, this issue(Jun 4) does not seem to be caused by pr 12114 that is submitted in July. I agree with your idea, currently healthcheck is not optimal. @ptabor |
Proposed a fix in 2d0ce9d |
@ptabor sorry for my late response, for a few days I cannot allocate a time for taking a look at it. I'll follow this PR this weekend. Could you wait for a while? |
Hello!
So apparently grpc proxy doesn't work with tls auth. Or at least it doesn't start (I've read the docs). But the question is why couldn't this be allowed? If all clients uses the same cname, it should be able to work right? Could a flag on the proxy be added to allow this usecase?
The text was updated successfully, but these errors were encountered: