Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Revert "embed: fix HTTPs + DNS SRV discovery" #8884

Merged
merged 4 commits into from
Nov 15, 2017
Merged

Revert "embed: fix HTTPs + DNS SRV discovery" #8884

merged 4 commits into from
Nov 15, 2017

Conversation

gyuho
Copy link
Contributor

@gyuho gyuho commented Nov 15, 2017
edited
Loading

In 3.2.8, both configurations work with TLS/SRV

"hosts": [
  "m1.etcd.local",
  "m2.etcd.local",
  "m3.etcd.local",
  "etcd.local",
  "127.0.0.1",
  "localhost"
]

"hosts": [
  "*.etcd.local",
  "etcd.local",
  "127.0.0.1",
  "localhost"
]

In 3.2.9, we added wildcard to peer server name (e.g. *.etcd.local when DNS cluster is etcd.local).

Now the first configuration doesn't work

"hosts": [
  "m1.etcd.local",
  "m2.etcd.local",
  "m3.etcd.local",
  "etcd.local",
  "127.0.0.1",
  "localhost"
]

Second configuration still works

"hosts": [
  "*.etcd.local",
  "etcd.local",
  "127.0.0.1",
  "localhost"
]

But, not every tool supports wildcard certs.

We are reverting this change, also in upcoming patch release 3.2.10.

Address #8445 and #8798.
Reverts #8651.

@gyuho gyuho requested a review from xiang90 November 15, 2017 18:16
@xiang90
Copy link
Contributor

xiang90 commented Nov 15, 2017

we need to update the documentation to make it clear that the TLS certs for DNS discovery must include the root domain in SAN to prevent mitm attack.

@gyuho gyuho added the WIP label Nov 15, 2017
@gyuho
Revert "embed: fix HTTPs + DNS SRV discovery"
fe7b094 
This reverts commit f79d5aa.
@gyuho
CHANGELOG: add SRV ServerName auth revert change
94355cb 
Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
@gyuho
Documentation/op-guide: add notes for DNS SRV in security.md
9b772ba 
Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
@gyuho
Documentation/op-guide: add security guide link to clustering.md
37b3108 
Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
@gyuho
Copy link
Contributor Author

gyuho commented Nov 15, 2017

@xiang90 I've highlighted this change in CHANGELOG and security.md.

PTAL.

@gyuho gyuho removed the WIP label Nov 15, 2017
@xiang90
Copy link
Contributor

xiang90 commented Nov 15, 2017

lgtm

@gyuho gyuho mentioned this pull request Nov 15, 2017
Closed
@gyuho gyuho merged commit 7a55a40 into etcd-io:master Nov 15, 2017
@gyuho gyuho deleted the revert-srv-dns-patch branch November 15, 2017 22:30
This was referenced Nov 15, 2017
Merged
Merged
@codecov-io
Copy link

codecov-io commented Nov 15, 2017
edited
Loading

Codecov Report

❗ No coverage uploaded for pull request base (master@6260df7). Click here to learn what that means.
The diff coverage is 0%.

Impacted file tree graph

@@            Coverage Diff            @@
##             master    #8884   +/-   ##
=========================================
  Coverage          ?   76.19%           
=========================================
  Files             ?      359           
  Lines             ?    29721           
  Branches          ?        0           
=========================================
  Hits              ?    22646           
  Misses            ?     5504           
  Partials          ?     1571
Impacted Files Coverage Δ
embed/config.go 61.63% <0%> (ø)

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 6260df7...37b3108. Read the comment docs.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@xiang90 xiang90 Awaiting requested review from xiang90

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@gyuho @xiang90 @codecov-io