TLS based etcd can't get certs info from request. #4135
Comments
Would you be able to write a unit test to cover this?
I found the problem is that &limitListenerConn{Conn: c, release: l.release} can't convert to a *tls.Conn.
I simply commented out the code in etcd/etcdmain/etcd.go below, and everything works fine.
The TLS connection is like this
so we can simply add a field called config to limitListener, and it will be fine.
@ringtail Are you trying to embed etcd into your project? We are not going to maintain a stable API or implementation guarantees for etcd itself. We do not have the bandwidth right now and we plan to change the implementation of etcd internally quite a bit. However, if you meet any issue we are happy to discuss and review pull requests. For your issue, do you want to get the TLSConn or just the static configuration? The static configuration is passed by the user, you can simply cache it when you pass it in. So you do not need to add a field.
@xiang90 Hi, maybe I didn't describe the problem clearly. The scenario is that I enhance etcd with certs that carry a specific role in them: you can sign a client cert with some specific role. And I need to get the cert info from
but in release-2.2, we can't get r.TLS.PeerCertificates because of the code below
because the tls listener is wrapped by netutil.LimitListener, but netutil.LimitListener can't create a *tls.Conn, so the handshake will not be successful and we can't get the client cert from the request in keysHandler.
@ringtail If you want to make sure etcd upgrades do not break you, you'd better try to contribute your patch to upstream. If you want to fix this issue, you can try to submit a patch. We do not plan to provide any guarantees about any sub pkgs structs or API inside etcd.
I do not quite understand this. LimitListener is just a wrapper around the original Listener. I do not think there is any issue with handshake. Can you reproduce the handshake failure with LimitListener?
OK. After checking the go std lib, I found
is in the std library, not in your code. I will try to reproduce the issue myself then.
Also netutil is an external dependency at https://github.com/golang/net/tree/master/netutil. Can you try to file an issue there?
@xiang90 yes! That's exactly the problem. I'll open an issue in https://github.com/golang/net/tree/master/netutil.
yes, I keep a private fork in my gitlab and the problem is raised when I try to upgrade my etcd version from 2.1.3 to 2.2.2
OK, I'll try it. Thank you!
@ringtail Why is this closed?
It works |
@ringtail Thanks! |
Uses gexpect to test the etcd binary directly. Tests etcd-io#4135, etcd-io#4171
Hi, I found a problem in release-2.2: I need to read cert info from the request. Here is the request handler.
cert info will be parsed from r
but it doesn't work in release-2.2. So I found the following facts.
so when parsing cert info
it can't be converted to *tls.Conn. The simplest way is to add a config field in limitListenerConn.
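The exchange above turns on wrapper order: net/http fills in r.TLS (and so r.TLS.PeerCertificates) only when the accepted connection is a *tls.Conn, so a LimitListener wrapped around the TLS listener hides it and r.TLS stays nil. The following added example (not code from this thread or from etcd) reproduces both orders with a minimal stand-in for netutil.LimitListener, constructed here so it runs offline, and shows that putting tls.NewListener on the outside, rather than adding a config field as proposed above, keeps the *tls.Conn visible.

```go
package main

import (
	"crypto/tls"
	"net"
)

// limitListener stands in for golang.org/x/net/netutil.LimitListener, reduced to
// what matters here: Accept returns &limitListenerConn{Conn: c}, its own type.
type limitListener struct{ net.Listener }
type limitListenerConn struct{ net.Conn }

func (l limitListener) Accept() (net.Conn, error) {
	c, err := l.Listener.Accept()
	if err != nil {
		return nil, err
	}
	return &limitListenerConn{Conn: c}, nil
}

// acceptOnce dials ln, accepts the connection and reports whether it is a
// *tls.Conn: the type check net/http performs before it fills in r.TLS.
func acceptOnce(ln net.Listener) (bool, error) {
	defer ln.Close()
	client, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return false, err
	}
	defer client.Close()
	c, err := ln.Accept()
	if err != nil {
		return false, err
	}
	defer c.Close()
	_, isTLS := c.(*tls.Conn)
	return isTLS, nil
}

// wrapOrder stacks the listeners both ways: tlsOutside=false is the release-2.2
// order LimitListener(tls.NewListener(raw)); true is tls.NewListener(LimitListener(raw)).
// The TLS handshake is lazy, so an empty tls.Config needs no certificate here.
func wrapOrder(tlsOutside bool) (bool, error) {
	raw, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return false, err
	}
	if tlsOutside {
		return acceptOnce(tls.NewListener(limitListener{Listener: raw}, &tls.Config{}))
	}
	return acceptOnce(limitListener{Listener: tls.NewListener(raw, &tls.Config{})})
}
```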