From 9a53601a1867c2ec2da244b0f9a5f14449f5e3f6 Mon Sep 17 00:00:00 2001 From: John Millikin Date: Thu, 4 Apr 2019 10:53:13 -0700 Subject: [PATCH 1/5] etcdmain, pkg: Support peer and client TLS auth based on SAN fields. Etcd currently supports validating peers based on their TLS certificate's CN field. The current best practice for creation and validation of TLS certs is to use the Subject Alternative Name (SAN) fields instead, so that a certificate might be issued with a unique CN and its logical identities in the SANs. This commit extends the peer validation logic to use Go's `(*"crypto/x509".Certificate).ValidateHostname` function for name validation, which allows SANs to be used for peer access control. In addition, it allows name validation to be enabled on clients as well. This is used when running Etcd behind an authenticating proxy, or as an internal component in a larger system (like a Kubernetes master). --- Documentation/op-guide/authentication.md | 2 +- Documentation/op-guide/configuration.md | 12 +++- etcdmain/config.go | 2 + etcdmain/help.go | 4 ++ pkg/transport/listener.go | 24 +++++++- tests/e2e/etcd_config_test.go | 77 ++++++++++++++++++++++++ 6 files changed, 117 insertions(+), 4 deletions(-) diff --git a/Documentation/op-guide/authentication.md b/Documentation/op-guide/authentication.md index 879a1166a4e..df3ae2743b3 100644 --- a/Documentation/op-guide/authentication.md +++ b/Documentation/op-guide/authentication.md @@ -171,6 +171,6 @@ Otherwise, all `etcdctl` commands remain the same. Users and roles can still be ## Using TLS Common Name As of version v3.2 if an etcd server is launched with the option `--client-cert-auth=true`, the field of Common Name (CN) in the client's TLS cert will be used as an etcd user. In this case, the common name authenticates the user and the client does not need a password. Note that if both of 1. `--client-cert-auth=true` is passed and CN is provided by the client, and 2. username and password are provided by the client, the username and password based authentication is prioritized. Note that this feature cannot be used with gRPC-proxy and gRPC-gateway. This is because gRPC-proxy terminates TLS from its client so all the clients share a cert of the proxy. gRPC-gateway uses a TLS connection internally for transforming HTTP request to gRPC request so it shares the same limitation. Therefore the clients cannot provide their CN to the server correctly. gRPC-proxy will cause an error and stop if a given cert has non empty CN. gRPC-proxy returns an error which indicates that the client has an non empty CN in its cert. -As of version v3.3 if an etcd server is launched with the option `--peer-cert-allowed-cn` filtering of CN inter-peer connections is enabled. Nodes can only join the etcd cluster if their CN match the allowed one. +As of version v3.3 if an etcd server is launched with the option `--peer-cert-allowed-cn` or `--peer-cert-allowed-name` filtering of inter-peer connections is enabled. Nodes can only join the etcd cluster if their TLS certificate identity match the allowed one. See [etcd security page](https://github.com/etcd-io/etcd/blob/master/Documentation/op-guide/security.md) for more details. diff --git a/Documentation/op-guide/configuration.md b/Documentation/op-guide/configuration.md index 5a5e18d9d74..ba6dacb7c25 100644 --- a/Documentation/op-guide/configuration.md +++ b/Documentation/op-guide/configuration.md @@ -270,6 +270,11 @@ The security flags help to [build a secure etcd cluster][security]. + default: "" + env variable: ETCD_CLIENT_CRL_FILE +### --client-cert-allowed-name ++ Allowed Allowed TLS name for client cert authentication. ++ default: "" ++ env variable: ETCD_CLIENT_CERT_ALLOWED_NAME + ### --trusted-ca-file + Path to the client server TLS trusted CA cert file. + default: "" @@ -320,9 +325,14 @@ The security flags help to [build a secure etcd cluster][security]. ### --peer-cert-allowed-cn + Allowed CommonName for inter peer authentication. -+ default: none ++ default: "" + env variable: ETCD_PEER_CERT_ALLOWED_CN +### --peer-cert-allowed-name ++ Allowed TLS certificate name for inter peer authentication. ++ default: "" ++ env variable: ETCD_PEER_CERT_ALLOWED_NAME + ### --cipher-suites + Comma-separated list of supported TLS cipher suites between server/client and peers. + default: "" diff --git a/etcdmain/config.go b/etcdmain/config.go index 46904e99ac9..a697d718066 100644 --- a/etcdmain/config.go +++ b/etcdmain/config.go @@ -200,6 +200,7 @@ func newConfig() *config { fs.StringVar(&cfg.ec.ClientTLSInfo.KeyFile, "key-file", "", "Path to the client server TLS key file.") fs.BoolVar(&cfg.ec.ClientTLSInfo.ClientCertAuth, "client-cert-auth", false, "Enable client cert authentication.") fs.StringVar(&cfg.ec.ClientTLSInfo.CRLFile, "client-crl-file", "", "Path to the client certificate revocation list file.") + fs.StringVar(&cfg.ec.ClientTLSInfo.AllowedName, "client-cert-allowed-name", "", "Allowed TLS name for client cert authentication.") fs.StringVar(&cfg.ec.ClientTLSInfo.TrustedCAFile, "trusted-ca-file", "", "Path to the client server TLS trusted CA cert file.") fs.BoolVar(&cfg.ec.ClientAutoTLS, "auto-tls", false, "Client TLS using generated certificates") fs.StringVar(&cfg.ec.PeerTLSInfo.CertFile, "peer-cert-file", "", "Path to the peer server TLS cert file.") @@ -209,6 +210,7 @@ func newConfig() *config { fs.BoolVar(&cfg.ec.PeerAutoTLS, "peer-auto-tls", false, "Peer TLS using generated certificates") fs.StringVar(&cfg.ec.PeerTLSInfo.CRLFile, "peer-crl-file", "", "Path to the peer certificate revocation list file.") fs.StringVar(&cfg.ec.PeerTLSInfo.AllowedCN, "peer-cert-allowed-cn", "", "Allowed CN for inter peer authentication.") + fs.StringVar(&cfg.ec.PeerTLSInfo.AllowedName, "peer-cert-allowed-name", "", "Allowed TLS name for inter peer authentication.") fs.Var(flags.NewStringsValue(""), "cipher-suites", "Comma-separated list of supported TLS cipher suites between client/server and peers (empty will be auto-populated by Go).") fs.Var( diff --git a/etcdmain/help.go b/etcdmain/help.go index 7f022cda900..06324758676 100644 --- a/etcdmain/help.go +++ b/etcdmain/help.go @@ -128,6 +128,8 @@ Security: Enable client cert authentication. --client-crl-file '' Path to the client certificate revocation list file. + --client-cert-allowed-name '' + Allowed TLS name for client cert authentication. --trusted-ca-file '' Path to the client server TLS trusted CA cert file. --auto-tls 'false' @@ -142,6 +144,8 @@ Security: Path to the peer server TLS trusted CA file. --peer-cert-allowed-cn '' Required CN for client certs connecting to the peer endpoint. + --peer-cert-allowed-name '' + Allowed TLS name for inter peer authentication. --peer-auto-tls 'false' Peer TLS using self-generated certificates if --peer-key-file and --peer-cert-file are not provided. --peer-crl-file '' diff --git a/pkg/transport/listener.go b/pkg/transport/listener.go index 0c593e8e2bf..93459bbbef9 100644 --- a/pkg/transport/listener.go +++ b/pkg/transport/listener.go @@ -88,6 +88,10 @@ type TLSInfo struct { // AllowedCN is a CN which must be provided by a client. AllowedCN string + // AllowedName is an IP address or hostname that must match the TLS + // certificate provided by a client. + AllowedName string + // Logger logs TLS errors. // If nil, all logs are discarded. Logger *zap.Logger @@ -256,16 +260,32 @@ func (info TLSInfo) baseConfig() (*tls.Config, error) { cfg.CipherSuites = info.CipherSuites } + // Client certificates may be verified by either an exact match on the CN, + // or a more general check of the CN and SANs. + var verifyCertificate func(*x509.Certificate) bool if info.AllowedCN != "" { + if info.AllowedName != "" { + return nil, fmt.Errorf("AllowedCN and AllowedName are mutually exclusive (cn=%q, name=%q)", info.AllowedCN, info.AllowedName) + } + verifyCertificate = func(cert *x509.Certificate) bool { + return info.AllowedCN == cert.Subject.CommonName + } + } + if info.AllowedName != "" { + verifyCertificate = func(cert *x509.Certificate) bool { + return cert.VerifyHostname(info.AllowedName) == nil + } + } + if verifyCertificate != nil { cfg.VerifyPeerCertificate = func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error { for _, chains := range verifiedChains { if len(chains) != 0 { - if info.AllowedCN == chains[0].Subject.CommonName { + if verifyCertificate(chains[0]) { return nil } } } - return errors.New("CommonName authentication failed") + return errors.New("client certificate authentication failed") } } diff --git a/tests/e2e/etcd_config_test.go b/tests/e2e/etcd_config_test.go index 7c660b03ee4..94e648a649a 100644 --- a/tests/e2e/etcd_config_test.go +++ b/tests/e2e/etcd_config_test.go @@ -191,6 +191,83 @@ func TestEtcdPeerCNAuth(t *testing.T) { } } +// TestEtcdPeerNameAuth checks that the inter peer auth based on cert name validation is working correctly. +func TestEtcdPeerNameAuth(t *testing.T) { + peers, tmpdirs := make([]string, 3), make([]string, 3) + for i := range peers { + peers[i] = fmt.Sprintf("e%d=https://127.0.0.1:%d", i, etcdProcessBasePort+i) + d, err := ioutil.TempDir("", fmt.Sprintf("e%d.etcd", i)) + if err != nil { + t.Fatal(err) + } + tmpdirs[i] = d + } + ic := strings.Join(peers, ",") + + procs := make([]*expect.ExpectProcess, len(peers)) + defer func() { + for i := range procs { + if procs[i] != nil { + procs[i].Stop() + } + os.RemoveAll(tmpdirs[i]) + } + }() + + // node 0 and 1 have a cert with the correct certificate name, node 2 doesn't + for i := range procs { + commonArgs := []string{ + binDir + "/etcd", + "--name", fmt.Sprintf("e%d", i), + "--listen-client-urls", "http://0.0.0.0:0", + "--data-dir", tmpdirs[i], + "--advertise-client-urls", "http://0.0.0.0:0", + "--listen-peer-urls", fmt.Sprintf("https://127.0.0.1:%d,https://127.0.0.1:%d", etcdProcessBasePort+i, etcdProcessBasePort+len(peers)+i), + "--initial-advertise-peer-urls", fmt.Sprintf("https://127.0.0.1:%d", etcdProcessBasePort+i), + "--initial-cluster", ic, + } + + var args []string + if i <= 1 { + args = []string{ + "--peer-cert-file", certPath, + "--peer-key-file", privateKeyPath, + "--peer-trusted-ca-file", caPath, + "--peer-client-cert-auth", + "--peer-cert-allowed-name", "example.com", + } + } else { + args = []string{ + "--peer-cert-file", certPath2, + "--peer-key-file", privateKeyPath2, + "--peer-trusted-ca-file", caPath, + "--peer-client-cert-auth", + "--peer-cert-allowed-name", "example2.com", + } + } + + commonArgs = append(commonArgs, args...) + + p, err := spawnCmd(commonArgs) + if err != nil { + t.Fatal(err) + } + procs[i] = p + } + + for i, p := range procs { + var expect []string + if i <= 1 { + expect = etcdServerReadyLines + } else { + expect = []string{"remote error: tls: bad certificate"} + } + if err := waitReadyExpectProc(p, expect); err != nil { + t.Fatal(err) + } + } +} + func TestGrpcproxyAndCommonName(t *testing.T) { argsWithNonEmptyCN := []string{ binDir + "/etcd", From 5824421f8beac15b0fb3c176b6ab7fbe7986a7a6 Mon Sep 17 00:00:00 2001 From: John Millikin Date: Wed, 3 Jul 2019 09:41:37 +0900 Subject: [PATCH 2/5] etcdman, pkg: Rename new flags to 'hostname' --- Documentation/op-guide/authentication.md | 2 +- Documentation/op-guide/configuration.md | 8 ++++---- etcdmain/config.go | 4 ++-- etcdmain/help.go | 8 ++++---- pkg/transport/listener.go | 15 +++++++++------ pkg/transport/listener_tls.go | 2 ++ tests/e2e/etcd_config_test.go | 4 ++-- 7 files changed, 24 insertions(+), 19 deletions(-) diff --git a/Documentation/op-guide/authentication.md b/Documentation/op-guide/authentication.md index df3ae2743b3..f836f0f96bc 100644 --- a/Documentation/op-guide/authentication.md +++ b/Documentation/op-guide/authentication.md @@ -171,6 +171,6 @@ Otherwise, all `etcdctl` commands remain the same. Users and roles can still be ## Using TLS Common Name As of version v3.2 if an etcd server is launched with the option `--client-cert-auth=true`, the field of Common Name (CN) in the client's TLS cert will be used as an etcd user. In this case, the common name authenticates the user and the client does not need a password. Note that if both of 1. `--client-cert-auth=true` is passed and CN is provided by the client, and 2. username and password are provided by the client, the username and password based authentication is prioritized. Note that this feature cannot be used with gRPC-proxy and gRPC-gateway. This is because gRPC-proxy terminates TLS from its client so all the clients share a cert of the proxy. gRPC-gateway uses a TLS connection internally for transforming HTTP request to gRPC request so it shares the same limitation. Therefore the clients cannot provide their CN to the server correctly. gRPC-proxy will cause an error and stop if a given cert has non empty CN. gRPC-proxy returns an error which indicates that the client has an non empty CN in its cert. -As of version v3.3 if an etcd server is launched with the option `--peer-cert-allowed-cn` or `--peer-cert-allowed-name` filtering of inter-peer connections is enabled. Nodes can only join the etcd cluster if their TLS certificate identity match the allowed one. +As of version v3.3 if an etcd server is launched with the option `--peer-cert-allowed-cn` or `--peer-cert-allowed-hostname` filtering of inter-peer connections is enabled. Nodes can only join the etcd cluster if their TLS certificate identity match the allowed one. See [etcd security page](https://github.com/etcd-io/etcd/blob/master/Documentation/op-guide/security.md) for more details. diff --git a/Documentation/op-guide/configuration.md b/Documentation/op-guide/configuration.md index ba6dacb7c25..fdbc5572fdd 100644 --- a/Documentation/op-guide/configuration.md +++ b/Documentation/op-guide/configuration.md @@ -270,10 +270,10 @@ The security flags help to [build a secure etcd cluster][security]. + default: "" + env variable: ETCD_CLIENT_CRL_FILE -### --client-cert-allowed-name +### --client-cert-allowed-hostname + Allowed Allowed TLS name for client cert authentication. + default: "" -+ env variable: ETCD_CLIENT_CERT_ALLOWED_NAME ++ env variable: ETCD_CLIENT_CERT_ALLOWED_HOSTNAME ### --trusted-ca-file + Path to the client server TLS trusted CA cert file. @@ -328,10 +328,10 @@ The security flags help to [build a secure etcd cluster][security]. + default: "" + env variable: ETCD_PEER_CERT_ALLOWED_CN -### --peer-cert-allowed-name +### --peer-cert-allowed-hostname + Allowed TLS certificate name for inter peer authentication. + default: "" -+ env variable: ETCD_PEER_CERT_ALLOWED_NAME ++ env variable: ETCD_PEER_CERT_ALLOWED_HOSTNAME ### --cipher-suites + Comma-separated list of supported TLS cipher suites between server/client and peers. diff --git a/etcdmain/config.go b/etcdmain/config.go index a697d718066..12a22d4de84 100644 --- a/etcdmain/config.go +++ b/etcdmain/config.go @@ -200,7 +200,7 @@ func newConfig() *config { fs.StringVar(&cfg.ec.ClientTLSInfo.KeyFile, "key-file", "", "Path to the client server TLS key file.") fs.BoolVar(&cfg.ec.ClientTLSInfo.ClientCertAuth, "client-cert-auth", false, "Enable client cert authentication.") fs.StringVar(&cfg.ec.ClientTLSInfo.CRLFile, "client-crl-file", "", "Path to the client certificate revocation list file.") - fs.StringVar(&cfg.ec.ClientTLSInfo.AllowedName, "client-cert-allowed-name", "", "Allowed TLS name for client cert authentication.") + fs.StringVar(&cfg.ec.ClientTLSInfo.AllowedHostname, "client-cert-allowed-hostname", "", "Allowed TLS hostname for client cert authentication.") fs.StringVar(&cfg.ec.ClientTLSInfo.TrustedCAFile, "trusted-ca-file", "", "Path to the client server TLS trusted CA cert file.") fs.BoolVar(&cfg.ec.ClientAutoTLS, "auto-tls", false, "Client TLS using generated certificates") fs.StringVar(&cfg.ec.PeerTLSInfo.CertFile, "peer-cert-file", "", "Path to the peer server TLS cert file.") @@ -210,7 +210,7 @@ func newConfig() *config { fs.BoolVar(&cfg.ec.PeerAutoTLS, "peer-auto-tls", false, "Peer TLS using generated certificates") fs.StringVar(&cfg.ec.PeerTLSInfo.CRLFile, "peer-crl-file", "", "Path to the peer certificate revocation list file.") fs.StringVar(&cfg.ec.PeerTLSInfo.AllowedCN, "peer-cert-allowed-cn", "", "Allowed CN for inter peer authentication.") - fs.StringVar(&cfg.ec.PeerTLSInfo.AllowedName, "peer-cert-allowed-name", "", "Allowed TLS name for inter peer authentication.") + fs.StringVar(&cfg.ec.PeerTLSInfo.AllowedHostname, "peer-cert-allowed-hostname", "", "Allowed TLS hostname for inter peer authentication.") fs.Var(flags.NewStringsValue(""), "cipher-suites", "Comma-separated list of supported TLS cipher suites between client/server and peers (empty will be auto-populated by Go).") fs.Var( diff --git a/etcdmain/help.go b/etcdmain/help.go index 06324758676..4cf7b23289b 100644 --- a/etcdmain/help.go +++ b/etcdmain/help.go @@ -128,8 +128,8 @@ Security: Enable client cert authentication. --client-crl-file '' Path to the client certificate revocation list file. - --client-cert-allowed-name '' - Allowed TLS name for client cert authentication. + --client-cert-allowed-hostname '' + Allowed TLS hostname for client cert authentication. --trusted-ca-file '' Path to the client server TLS trusted CA cert file. --auto-tls 'false' @@ -144,8 +144,8 @@ Security: Path to the peer server TLS trusted CA file. --peer-cert-allowed-cn '' Required CN for client certs connecting to the peer endpoint. - --peer-cert-allowed-name '' - Allowed TLS name for inter peer authentication. + --peer-cert-allowed-hostname '' + Allowed TLS hostname for inter peer authentication. --peer-auto-tls 'false' Peer TLS using self-generated certificates if --peer-key-file and --peer-cert-file are not provided. --peer-crl-file '' diff --git a/pkg/transport/listener.go b/pkg/transport/listener.go index 93459bbbef9..628878aadf5 100644 --- a/pkg/transport/listener.go +++ b/pkg/transport/listener.go @@ -88,9 +88,9 @@ type TLSInfo struct { // AllowedCN is a CN which must be provided by a client. AllowedCN string - // AllowedName is an IP address or hostname that must match the TLS + // AllowedHostname is an IP address or hostname that must match the TLS // certificate provided by a client. - AllowedName string + AllowedHostname string // Logger logs TLS errors. // If nil, all logs are discarded. @@ -264,20 +264,21 @@ func (info TLSInfo) baseConfig() (*tls.Config, error) { // or a more general check of the CN and SANs. var verifyCertificate func(*x509.Certificate) bool if info.AllowedCN != "" { - if info.AllowedName != "" { - return nil, fmt.Errorf("AllowedCN and AllowedName are mutually exclusive (cn=%q, name=%q)", info.AllowedCN, info.AllowedName) + if info.AllowedHostname != "" { + return nil, fmt.Errorf("AllowedCN and AllowedHostname are mutually exclusive (cn=%q, hostname=%q)", info.AllowedCN, info.AllowedHostname) } verifyCertificate = func(cert *x509.Certificate) bool { return info.AllowedCN == cert.Subject.CommonName } } - if info.AllowedName != "" { + if info.AllowedHostname != "" { verifyCertificate = func(cert *x509.Certificate) bool { - return cert.VerifyHostname(info.AllowedName) == nil + return cert.VerifyHostname(info.AllowedHostname) == nil } } if verifyCertificate != nil { cfg.VerifyPeerCertificate = func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error { + fmt.Fprintf(os.Stderr, "== VERIFY PEER CERT (%d verified chains)\n", len(verifiedChains)) for _, chains := range verifiedChains { if len(chains) != 0 { if verifyCertificate(chains[0]) { @@ -285,6 +286,7 @@ func (info TLSInfo) baseConfig() (*tls.Config, error) { } } } + fmt.Fprintf(os.Stderr, "== VERIFY PEER CERT\n") return errors.New("client certificate authentication failed") } } @@ -362,6 +364,7 @@ func (info TLSInfo) ServerConfig() (*tls.Config, error) { } cs := info.cafiles() + fmt.Fprintf(os.Stderr, "== CAFILES: %v\n", cs) if len(cs) > 0 { cp, err := tlsutil.NewCertPool(cs) if err != nil { diff --git a/pkg/transport/listener_tls.go b/pkg/transport/listener_tls.go index 6f1600945cc..a1217ae953c 100644 --- a/pkg/transport/listener_tls.go +++ b/pkg/transport/listener_tls.go @@ -21,6 +21,7 @@ import ( "fmt" "io/ioutil" "net" + "os" "strings" "sync" ) @@ -98,6 +99,7 @@ func checkSAN(ctx context.Context, tlsConn *tls.Conn) error { st := tlsConn.ConnectionState() if certs := st.PeerCertificates; len(certs) > 0 { addr := tlsConn.RemoteAddr().String() + fmt.Fprintf(os.Stderr, "checkSAN(addr=%q, certs=%v)\n", addr, certs) return checkCertSAN(ctx, certs[0], addr) } return nil diff --git a/tests/e2e/etcd_config_test.go b/tests/e2e/etcd_config_test.go index 94e648a649a..804f1146590 100644 --- a/tests/e2e/etcd_config_test.go +++ b/tests/e2e/etcd_config_test.go @@ -234,7 +234,7 @@ func TestEtcdPeerNameAuth(t *testing.T) { "--peer-key-file", privateKeyPath, "--peer-trusted-ca-file", caPath, "--peer-client-cert-auth", - "--peer-cert-allowed-name", "example.com", + "--peer-cert-allowed-hostname", "example.com", } } else { args = []string{ @@ -242,7 +242,7 @@ func TestEtcdPeerNameAuth(t *testing.T) { "--peer-key-file", privateKeyPath2, "--peer-trusted-ca-file", caPath, "--peer-client-cert-auth", - "--peer-cert-allowed-name", "example2.com", + "--peer-cert-allowed-hostname", "example2.com", } } From 91472797fff818e1bbe49190153ae4b195d70674 Mon Sep 17 00:00:00 2001 From: John Millikin Date: Thu, 4 Jul 2019 07:13:38 +0900 Subject: [PATCH 3/5] pkg: Remove stray printfs --- pkg/transport/listener.go | 3 --- pkg/transport/listener_tls.go | 2 -- 2 files changed, 5 deletions(-) diff --git a/pkg/transport/listener.go b/pkg/transport/listener.go index 628878aadf5..f479868490c 100644 --- a/pkg/transport/listener.go +++ b/pkg/transport/listener.go @@ -278,7 +278,6 @@ func (info TLSInfo) baseConfig() (*tls.Config, error) { } if verifyCertificate != nil { cfg.VerifyPeerCertificate = func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error { - fmt.Fprintf(os.Stderr, "== VERIFY PEER CERT (%d verified chains)\n", len(verifiedChains)) for _, chains := range verifiedChains { if len(chains) != 0 { if verifyCertificate(chains[0]) { @@ -286,7 +285,6 @@ func (info TLSInfo) baseConfig() (*tls.Config, error) { } } } - fmt.Fprintf(os.Stderr, "== VERIFY PEER CERT\n") return errors.New("client certificate authentication failed") } } @@ -364,7 +362,6 @@ func (info TLSInfo) ServerConfig() (*tls.Config, error) { } cs := info.cafiles() - fmt.Fprintf(os.Stderr, "== CAFILES: %v\n", cs) if len(cs) > 0 { cp, err := tlsutil.NewCertPool(cs) if err != nil { diff --git a/pkg/transport/listener_tls.go b/pkg/transport/listener_tls.go index a1217ae953c..6f1600945cc 100644 --- a/pkg/transport/listener_tls.go +++ b/pkg/transport/listener_tls.go @@ -21,7 +21,6 @@ import ( "fmt" "io/ioutil" "net" - "os" "strings" "sync" ) @@ -99,7 +98,6 @@ func checkSAN(ctx context.Context, tlsConn *tls.Conn) error { st := tlsConn.ConnectionState() if certs := st.PeerCertificates; len(certs) > 0 { addr := tlsConn.RemoteAddr().String() - fmt.Fprintf(os.Stderr, "checkSAN(addr=%q, certs=%v)\n", addr, certs) return checkCertSAN(ctx, certs[0], addr) } return nil From c6686734b14b48aaafd88e7d9b90e9926e62a6a5 Mon Sep 17 00:00:00 2001 From: John Millikin Date: Wed, 10 Jul 2019 10:13:10 +0900 Subject: [PATCH 4/5] tests: Use 'localhost' to match SAN of `integration/fixtures/server.crt` --- tests/e2e/etcd_config_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/e2e/etcd_config_test.go b/tests/e2e/etcd_config_test.go index 804f1146590..25bb4940ec6 100644 --- a/tests/e2e/etcd_config_test.go +++ b/tests/e2e/etcd_config_test.go @@ -234,7 +234,7 @@ func TestEtcdPeerNameAuth(t *testing.T) { "--peer-key-file", privateKeyPath, "--peer-trusted-ca-file", caPath, "--peer-client-cert-auth", - "--peer-cert-allowed-hostname", "example.com", + "--peer-cert-allowed-hostname", "localhost", } } else { args = []string{ From 95f3138b5ff207d1d84509db89fde63d0ce89efa Mon Sep 17 00:00:00 2001 From: John Millikin Date: Wed, 10 Jul 2019 13:32:43 +0900 Subject: [PATCH 5/5] tests: Use more deterministic error message in TestEtcdPeerNameAuth --- tests/e2e/etcd_config_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/e2e/etcd_config_test.go b/tests/e2e/etcd_config_test.go index 25bb4940ec6..8688cfc83bb 100644 --- a/tests/e2e/etcd_config_test.go +++ b/tests/e2e/etcd_config_test.go @@ -260,7 +260,7 @@ func TestEtcdPeerNameAuth(t *testing.T) { if i <= 1 { expect = etcdServerReadyLines } else { - expect = []string{"remote error: tls: bad certificate"} + expect = []string{"client certificate authentication failed"} } if err := waitReadyExpectProc(p, expect); err != nil { t.Fatal(err)