From fe7b094f631607c8a2a796ab331a84930cbd569e Mon Sep 17 00:00:00 2001 From: Gyu-Ho Lee Date: Wed, 15 Nov 2017 10:14:21 -0800 Subject: [PATCH 1/4] Revert "embed: fix HTTPs + DNS SRV discovery" This reverts commit f79d5aaca475f6d36985856f2fba5b2ed3df7249. --- embed/config.go | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/embed/config.go b/embed/config.go index 096128cf123..0aa3564ffa2 100644 --- a/embed/config.go +++ b/embed/config.go @@ -444,9 +444,7 @@ func (cfg *Config) PeerURLsMapAndToken(which string) (urlsmap types.URLsMap, tok } clusterStr := strings.Join(clusterStrs, ",") if strings.Contains(clusterStr, "https://") && cfg.PeerTLSInfo.CAFile == "" { - // SRV targets have subdomains under the given DNSCluster, so wildcard matching - // is needed. - cfg.PeerTLSInfo.ServerName = "*." + cfg.DNSCluster + cfg.PeerTLSInfo.ServerName = cfg.DNSCluster } urlsmap, err = types.NewURLsMap(clusterStr) // only etcd member must belong to the discovered cluster. From 94355cb6a58b67a045b9502987d01b08095570af Mon Sep 17 00:00:00 2001 From: Gyu-Ho Lee Date: Wed, 15 Nov 2017 13:33:08 -0800 Subject: [PATCH 2/4] CHANGELOG: add SRV ServerName auth revert change Signed-off-by: Gyu-Ho Lee --- CHANGELOG.md | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f2e3f43c389..5399b5a4e4e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,18 @@ +## [v3.2.10](https://github.com/coreos/etcd/releases/tag/v3.2.10) (2017-11-20) + +See [code changes](https://github.com/coreos/etcd/compare/v3.2.9...v3.2.10). + +### Fixed + +- Replace backend key-value database `boltdb/bolt` with [`coreos/bbolt`](https://github.com/coreos/bbolt) to address [backend database size issue](https://github.com/coreos/etcd/issues/8009) +- Fix clientv3 balancer to handle [network partition](https://github.com/coreos/etcd/issues/8711) + - Upgrade `google.golang.org/grpc` v1.2.1 to v1.7.3 + - Upgrade `github.com/grpc-ecosystem/grpc-gateway` v1.2 to v1.3 + - Upgrade gRPC v1.2.1 to v1.7.3 +- Revert [discovery SRV auth `ServerName` with `*.{ROOT_DOMAIN}`](https://github.com/coreos/etcd/pull/8651) to support non-wildcard subject alternative names in the certs (see [issue #8445](https://github.com/coreos/etcd/issues/8445) for more contexts) + - For instance, `etcd --discovery-srv=etcd.local` will only authenticate peers/clients when the provided certs have root domain `etcd.local` (**not `*.etcd.local`**) as an entry in Subject Alternative Name (SAN) field + + ## [v3.2.9](https://github.com/coreos/etcd/releases/tag/v3.2.9) (2017-10-06) See [code changes](https://github.com/coreos/etcd/compare/v3.2.8...v3.2.9). 
@@ -6,7 +21,8 @@ See [code changes](https://github.com/coreos/etcd/compare/v3.2.8...v3.2.9). - Compile with [Go 1.8.4](https://groups.google.com/d/msg/golang-nuts/sHfMg4gZNps/a-HDgDDDAAAJ) - Update `golang.org/x/crypto/bcrypt` (See [golang/crypto@6c586e1](https://github.com/golang/crypto/commit/6c586e17d90a7d08bbbc4069984180dce3b04117) for more) -- Fix HTTPS + DNS SRV discovery with subdomain +- Fix discovery SRV bootstrapping to [authenticate `ServerName` with `*.{ROOT_DOMAIN}`](https://github.com/coreos/etcd/pull/8651), in order to support sub-domain wildcard matching (see [issue #8445](https://github.com/coreos/etcd/issues/8445) for more contexts) + - For instance, `etcd --discovery-srv=etcd.local` will only authenticate peers/clients when the provided certs have root domain `*.etcd.local` as an entry in Subject Alternative Name (SAN) field ## [v3.2.8](https://github.com/coreos/etcd/releases/tag/v3.2.8) (2017-09-29) @@ -334,8 +350,8 @@ See [upgrade 3.1](https://github.com/coreos/etcd/blob/master/Documentation/upgra - etcd uses default route IP if advertise URL is not given - Cluster rejects removing members if quorum will be lost - SRV records (e.g., infra1.example.com) must match the discovery domain (i.e., example.com) if no custom certificate authority is given - - TLSConfig ServerName is ignored with user-provided certificates - for backwards compatibility; to be deprecated in 3.2 + - TLSConfig ServerName is ignored with user-provided certificates for backwards compatibility; to be deprecated in 3.2 + - For example, `etcd --discovery-srv=example.com` will only authenticate peers/clients when the provided certs have root domain `example.com` as an entry in Subject Alternative Name (SAN) field - Discovery now has upper limit for waiting on retries - Warn on binding listeners through domain names; to be deprecated in 3.2 From 9b772ba94cdd27c3472aee06886a4291600eeadf Mon Sep 17 00:00:00 2001 
From: Gyu-Ho Lee Date: Wed, 15 Nov 2017 13:47:38 -0800 Subject: [PATCH 3/4] Documentation/op-guide: add notes for DNS SRV in security.md Signed-off-by: Gyu-Ho Lee --- Documentation/op-guide/security.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Documentation/op-guide/security.md b/Documentation/op-guide/security.md index 7c0aedc0c22..9f6f0b64a8c 100644 --- a/Documentation/op-guide/security.md +++ b/Documentation/op-guide/security.md @@ -181,6 +181,10 @@ To disable certificate chain checking, invoke curl with the `-k` flag: $ curl -k https://127.0.0.1:2379/v2/keys/foo -Xput -d value=bar -v ``` +## Notes for DNS SRV + +Since v3.1.0 (except v3.2.9), discovery SRV bootstrapping authenticates `ServerName` with a root domain name from `--discovery-srv` flag. This is to avoid man-in-the-middle cert attacks, by requiring a certificate to have matching root domain name in its Subject Alternative Name (SAN) field. For instance, `etcd --discovery-srv=etcd.local` will only authenticate peers/clients when the provided certs have root domain `etcd.local` as an entry in Subject Alternative Name (SAN) field + ## Notes for etcd proxy etcd proxy terminates the TLS from its client if the connection is secure, and uses proxy's own key/cert specified in `--peer-key-file` and `--peer-cert-file` to communicate with etcd members. From 37b3108ce5ea2c1e8adb780fb205710eaabe20dd Mon Sep 17 00:00:00 2001 From: Gyu-Ho Lee Date: Wed, 15 Nov 2017 14:00:23 -0800 Subject: [PATCH 4/4] Documentation/op-guide: add security guide link to clustering.md Signed-off-by: Gyu-Ho Lee --- Documentation/op-guide/clustering.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Documentation/op-guide/clustering.md b/Documentation/op-guide/clustering.md index efdd3aa2628..2e205beef11 100644 --- a/Documentation/op-guide/clustering.md +++ b/Documentation/op-guide/clustering.md 
@@ -456,6 +456,8 @@ $ etcd --name infra2 \ --listen-peer-urls http://10.0.1.12:2380 ``` +Since v3.1.0 (except v3.2.9), when `etcd --discovery-srv=example.com` is configured with TLS, server will only authenticate peers/clients when the provided certs have root domain `example.com` as an entry in Subject Alternative Name (SAN) field. See [Notes for DNS SRV][security-guide-dns-srv]. + ### Gateway etcd gateway is a simple TCP proxy that forwards network data to the etcd cluster. Please read [gateway guide][gateway] for more information. @@ -475,5 +477,6 @@ To setup an etcd cluster with proxies of v2 API, please read the the [clustering [proxy]: https://github.com/coreos/etcd/blob/release-2.3/Documentation/proxy.md [clustering_etcd2]: https://github.com/coreos/etcd/blob/release-2.3/Documentation/clustering.md [security-guide]: security.md +[security-guide-dns-srv]: security.md#notes-for-dns-srv [tls-setup]: ../../hack/tls-setup [gateway]: gateway.md
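Review bot: in the embed/config.go hunk the revert removes the only comment explaining the `ServerName` assignment, leaving `cfg.PeerTLSInfo.ServerName = cfg.DNSCluster` undocumented even though it decides which name SRV-discovered peer certificates are verified against; keep a one-line comment saying that peer certs must carry the root `--discovery-srv` domain as a SAN entry (and why the wildcard form was dropped, issue #8445). The commit message should also state that the override still only fires under the unchanged guard `strings.Contains(clusterStr, "https://") && cfg.PeerTLSInfo.CAFile == ""`, so none of the CHANGELOG and documentation claims in the later patches apply once a peer CA file is configured.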
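Review bot: in the CHANGELOG v3.2.10 hunk the gRPC bump is listed twice ("Upgrade `google.golang.org/grpc` v1.2.1 to v1.7.3" and "Upgrade gRPC v1.2.1 to v1.7.3"); drop one. The revert bullet should also qualify that the root-domain `ServerName` check is applied only when no peer CA file is given, matching the `cfg.PeerTLSInfo.CAFile == ""` condition in the embed/config.go hunk, and "for more contexts" should read "for more context".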
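Review bot: in the rewritten v3.2.9 entry, "root domain `*.etcd.local`" is contradictory, since a wildcard pattern is not a root domain; say instead that the certs must have the wildcard `*.etcd.local` as a SAN entry. Because the very next release reverts this, a pointer from this bullet to the v3.2.10 entry would spare readers from diffing the two.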
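Review bot: in the 3.1 upgrade-notes hunk the new `etcd --discovery-srv=example.com` example is placed directly under "TLSConfig ServerName is ignored with user-provided certificates", which reads as a contradiction: if ServerName is ignored with user-provided certs, the example's statement that peers/clients are only authenticated when `example.com` is a SAN entry needs to say which case it covers. Moving it under the "SRV records ... must match the discovery domain ... if no custom certificate authority is given" bullet, or prefixing it with that condition, would resolve the ambiguity.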
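Review bot: in the security.md hunk, "man-in-the-middle cert attacks" is vague; state what the check actually enforces, namely that a discovered peer's certificate is only accepted when its SAN ties it to the `--discovery-srv` domain rather than to an unrelated name, and add the condition from the embed/config.go hunk that this applies only when no peer CA file is given. Minor: the last sentence has no terminating period, and "Subject Alternative Name (SAN) field" is spelled out twice in consecutive sentences; abbreviate the second.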
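Review bot: in the clustering.md hunk, "server will only authenticate" is missing its article ("the server"), and "is configured with TLS" overstates the scope: per the embed/config.go hunk the `ServerName` override is set only when the peer TLS config has no CA file, so the sentence should carry that qualifier or defer entirely to the linked security-guide note rather than restate the rule. The `[security-guide-dns-srv]: security.md#notes-for-dns-srv` reference matches the `## Notes for DNS SRV` heading added in the security.md hunk, so the link resolves.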