-
Notifications
You must be signed in to change notification settings - Fork 9.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Peer TLS SAN check couldn't reason about non-FQDN endpoints #8797
Comments
I am not sure this is something etcd can address. We have two options:
We did 2 before, and people asked to tight security to do 1. To make this work, SAN should either contain fqdn or IP address. |
I agree that's the correct thing to happen. But what needs to be clarified is how to "verify"? SAN is provided by the server to client so that client can verify the server, not the reverse way. Now peer server is trying to use its own cert to verify the client -- this is not what SAN is for. Instead, when peer A receives a connection from peer B, A should actively request B's certificate and verify SAN against B's address that A would talk to (not necessarily the TCP connection remote address). And that's what original issue is about, when B tried to join A, only B verified A's cert, but A didn't verify B's cert. The correct fix expected would be A would try to verify B's cert. |
That was the old behavior, only the client verifies the server. etcd server communicates both way, not just single way. A peer can be both server and client to other peers depending on its role (follower vs leader). If we allow one direction, not the other then it is still a broken model. And the bi-directional verification is what you requested exactly previously. I want to understand what is really needed before making any further decision on this one. |
@hongchaodeng @xiang90 why can't we have the IP address in the SAN by automating generation of certs on the fly, rather than generating them before deploying (creating them as secrets). I mean we can use the IP address received from the downward API (status.podIP) for the pod and use an init container or a script that generates the certs before the actual etcd container comes up. |
@raoofm We do have plan to support that via k8s csr endpoint: coreos/etcd-operator#1465 . |
@xiang90 @hongchaodeng any progress here? |
@raoofm looks like @hongchaodeng 's initiated coreos/etcd-operator#1644 in etcd-operator for this issue. Is there anything needed here? Otherwise we are closing out the long pending issues. Please feel free to reopen it if it's still relevant. |
BUG REPORT
etcd version: v3.2.9
Problem
As reported in #8534
Root cause analysis
When a new secure peer connection is made, etcd server tries to verify that its remote network address (IP address) is in the SAN of the TLS cert. See: https://github.com/coreos/etcd/blob/v3.2.9/pkg/transport/listener_tls.go#L122
Then it tries to check if the IP address is in the SAN by doing (https://github.com/coreos/etcd/blob/v3.2.9/pkg/transport/listener_tls.go#L122):
Example walkthrough
Background
.c
*.b
a.b
Steps:
Result: match failed.
Expectation:
a.b
should match*.b
. It should succeed.The text was updated successfully, but these errors were encountered: