Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

transport: deny incoming peer certs with wrong IP SAN #7687

Merged
merged 2 commits into from
Apr 13, 2017

Conversation

heyitsanthony
Copy link
Contributor

addr := tlsConn.RemoteAddr().String()
h, _, herr := net.SplitHostPort(addr)
if herr != nil || cert.VerifyHostname(h) != nil {
return
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what error the other side receives if we close the conn here?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

EOF

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is no ideal. we probably need to log explicitly at server side.

there is no easy way to terminate it inside the TLS handshake path?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If it did the verification, it'd be at https://golang.org/src/crypto/tls/handshake_server.go#L735 but there is no way to set opts.DNSNames which is needed to do the check at https://golang.org/src/crypto/x509/verify.go#L298. The go standard library even discourages doing this kind of check on the server side: https://golang.org/src/crypto/tls/conn.go#L1377

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ok. let's log the error at server side. so that at least, human operator can know what is going on.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can't log with plog or it'll cause issues with clientv3 imports (9b84127). Should there be an optional logging function in tls.Config then?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

s/tls.Config/transport.TLSInfo

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

add an interface or func seems ok.

@xiang90
Copy link
Contributor

xiang90 commented Apr 13, 2017

lgtm

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

Successfully merging this pull request may close these issues.

3 participants