Merge pull request #8884 from gyuho/revert-srv-dns-patch

Revert "embed: fix HTTPs + DNS SRV discovery"

CHANGELOG.md

@@ -1,3 +1,18 @@
+## [v3.2.10](https://github.com/coreos/etcd/releases/tag/v3.2.10) (2017-11-20)
+
+See [code changes](https://github.com/coreos/etcd/compare/v3.2.9...v3.2.10).
+
+### Fixed
+
+- Replace backend key-value database `boltdb/bolt` with [`coreos/bbolt`](https://github.com/coreos/bbolt) to address [backend database size issue](https://github.com/coreos/etcd/issues/8009)
+- Fix clientv3 balancer to handle [network partition](https://github.com/coreos/etcd/issues/8711)
+  - Upgrade `google.golang.org/grpc` v1.2.1 to v1.7.3
+  - Upgrade `github.com/grpc-ecosystem/grpc-gateway` v1.2 to v1.3
+  - Upgrade gRPC v1.2.1 to v1.7.3
+- Revert [discovery SRV auth `ServerName` with `*.{ROOT_DOMAIN}`](https://github.com/coreos/etcd/pull/8651) to support non-wildcard subject alternative names in the certs (see [issue #8445](https://github.com/coreos/etcd/issues/8445) for more contexts)
+  - For instance, `etcd --discovery-srv=etcd.local` will only authenticate peers/clients when the provided certs have root domain `etcd.local` (**not `*.etcd.local`**) as an entry in Subject Alternative Name (SAN) field
+
+
 ## [v3.2.9](https://github.com/coreos/etcd/releases/tag/v3.2.9) (2017-10-06)
 
 See [code changes](https://github.com/coreos/etcd/compare/v3.2.8...v3.2.9).
@@ -6,7 +21,8 @@ See [code changes](https://github.com/coreos/etcd/compare/v3.2.8...v3.2.9).
 
 - Compile with [Go 1.8.4](https://groups.google.com/d/msg/golang-nuts/sHfMg4gZNps/a-HDgDDDAAAJ)
 - Update `golang.org/x/crypto/bcrypt` (See [golang/crypto@6c586e1](https://github.com/golang/crypto/commit/6c586e17d90a7d08bbbc4069984180dce3b04117) for more)
-- Fix HTTPS + DNS SRV discovery with subdomain
+- Fix discovery SRV bootstrapping to [authenticate `ServerName` with `*.{ROOT_DOMAIN}`](https://github.com/coreos/etcd/pull/8651), in order to support sub-domain wildcard matching (see [issue #8445](https://github.com/coreos/etcd/issues/8445) for more contexts)
+  - For instance, `etcd --discovery-srv=etcd.local` will only authenticate peers/clients when the provided certs have root domain `*.etcd.local` as an entry in Subject Alternative Name (SAN) field
 
 
 ## [v3.2.8](https://github.com/coreos/etcd/releases/tag/v3.2.8) (2017-09-29)
@@ -334,8 +350,8 @@ See [upgrade 3.1](https://github.com/coreos/etcd/blob/master/Documentation/upgra
 - etcd uses default route IP if advertise URL is not given
 - Cluster rejects removing members if quorum will be lost
 - SRV records (e.g., infra1.example.com) must match the discovery domain (i.e., example.com) if no custom certificate authority is given
-  - TLSConfig ServerName is ignored with user-provided certificates
-    for backwards compatibility; to be deprecated in 3.2
+  - TLSConfig ServerName is ignored with user-provided certificates for backwards compatibility; to be deprecated in 3.2
+  - For example, `etcd --discovery-srv=example.com` will only authenticate peers/clients when the provided certs have root domain `example.com` as an entry in Subject Alternative Name (SAN) field
 - Discovery now has upper limit for waiting on retries
 - Warn on binding listeners through domain names; to be deprecated in 3.2
 

Documentation/op-guide/clustering.md

@@ -456,6 +456,8 @@ $ etcd --name infra2 \
 --listen-peer-urls http://10.0.1.12:2380
 ```
 
+Since v3.1.0 (except v3.2.9), when `etcd --discovery-srv=example.com` is configured with TLS, server will only authenticate peers/clients when the provided certs have root domain `example.com` as an entry in Subject Alternative Name (SAN) field. See [Notes for DNS SRV][security-guide-dns-srv].
+
 ### Gateway
 
 etcd gateway is a simple TCP proxy that forwards network data to the etcd cluster. Please read [gateway guide][gateway] for more information.
@@ -475,5 +477,6 @@ To setup an etcd cluster with proxies of v2 API, please read the the [clustering
 [proxy]: https://github.com/coreos/etcd/blob/release-2.3/Documentation/proxy.md
 [clustering_etcd2]: https://github.com/coreos/etcd/blob/release-2.3/Documentation/clustering.md
 [security-guide]: security.md
+[security-guide-dns-srv]: security.md#notes-for-dns-srv
 [tls-setup]: ../../hack/tls-setup
 [gateway]: gateway.md

Documentation/op-guide/security.md

@@ -181,6 +181,10 @@ To disable certificate chain checking, invoke curl with the `-k` flag:
 $ curl -k https://127.0.0.1:2379/v2/keys/foo -Xput -d value=bar -v
 ```
 
+## Notes for DNS SRV
+
+Since v3.1.0 (except v3.2.9), discovery SRV bootstrapping authenticates `ServerName` with a root domain name from `--discovery-srv` flag. This is to avoid man-in-the-middle cert attacks, by requiring a certificate to have matching root domain name in its Subject Alternative Name (SAN) field. For instance, `etcd --discovery-srv=etcd.local` will only authenticate peers/clients when the provided certs have root domain `etcd.local` as an entry in Subject Alternative Name (SAN) field
+
 ## Notes for etcd proxy
 
 etcd proxy terminates the TLS from its client if the connection is secure, and uses proxy's own key/cert specified in `--peer-key-file` and `--peer-cert-file` to communicate with etcd members.

embed/config.go

@@ -444,9 +444,7 @@ func (cfg *Config) PeerURLsMapAndToken(which string) (urlsmap types.URLsMap, tok
 		}
 		clusterStr := strings.Join(clusterStrs, ",")
 		if strings.Contains(clusterStr, "https://") && cfg.PeerTLSInfo.CAFile == "" {
-			// SRV targets have subdomains under the given DNSCluster, so wildcard matching
-			// is needed.
-			cfg.PeerTLSInfo.ServerName = "*." + cfg.DNSCluster
+			cfg.PeerTLSInfo.ServerName = cfg.DNSCluster
 		}
 		urlsmap, err = types.NewURLsMap(clusterStr)
 		// only etcd member must belong to the discovered cluster.