
pkg/transport: Improved description of flag peer-skip-client-san-verification

Martin Weindel 6 years ago
parent
commit
03fd396610
3 changed files with 21 additions and 21 deletions
  1. 1 1
      etcdmain/config.go
  2. 8 8
      pkg/transport/listener.go
  3. 12 12
      pkg/transport/listener_test.go

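--- a/etcdmain/config.go
+++ b/etcdmain/config.go
@@ -213,7 +213,7 @@ func newConfig() *config {
 	fs.StringVar(&cfg.ec.PeerTLSInfo.AllowedCN, "peer-cert-allowed-cn", "", "Allowed CN for inter peer authentication.")
 	fs.StringVar(&cfg.ec.PeerTLSInfo.AllowedHostname, "peer-cert-allowed-hostname", "", "Allowed TLS hostname for inter peer authentication.")
 	fs.Var(flags.NewStringsValue(""), "cipher-suites", "Comma-separated list of supported TLS cipher suites between client/server and peers (empty will be auto-populated by Go).")
-	fs.BoolVar(&cfg.ec.PeerTLSInfo.SkipClientVerify, "peer-skip-client-verify", false, "Skip client IP verification for peer connections.")
+	fs.BoolVar(&cfg.ec.PeerTLSInfo.SkipClientSANVerify, "peer-skip-client-san-verification", false, "Skip verification of SAN field in client certificate for peer connections.")
 
 	fs.Var(
 		flags.NewUniqueURLsWithExceptions("*", "*"),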
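Review bot: The replaced `fs.BoolVar` line drops the old flag name `peer-skip-client-verify` outright, with no deprecated alias, so any existing unit file or wrapper script that passes the old name will presumably stop working once this lands — worth confirming how etcdmain handles unknown flags and, if it refuses to start, keeping the old name registered as a deprecated alias for a release. The new help text also says nothing about the security trade-off: with the flag set, the listener.go change in this same commit makes wrapTLS return NewTLSListener and bypass checkSAN, so any client certificate chaining to the peer trusted CA is accepted no matter which host presents it. I would extend the description to `"Skip verification of SAN field in client certificate for peer connections. Insecure: any certificate signed by the peer trusted CA is then accepted regardless of the connecting host."` so operators see the consequence in `--help`. newConfig continues outside the hunk.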

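--- a/pkg/transport/listener.go
+++ b/pkg/transport/listener.go
@@ -56,20 +56,20 @@ func wrapTLS(scheme string, tlsinfo *TLSInfo, l net.Listener) (net.Listener, err
 	if scheme != "https" && scheme != "unixs" {
 		return l, nil
 	}
-	if tlsinfo != nil && tlsinfo.SkipClientVerify {
+	if tlsinfo != nil && tlsinfo.SkipClientSANVerify {
 		return NewTLSListener(l, tlsinfo)
 	}
 	return newTLSListener(l, tlsinfo, checkSAN)
 }
 
 type TLSInfo struct {
-	CertFile           string
-	KeyFile            string
-	TrustedCAFile      string
-	ClientCertAuth     bool
-	CRLFile            string
-	InsecureSkipVerify bool
-	SkipClientVerify   bool
+	CertFile            string
+	KeyFile             string
+	TrustedCAFile       string
+	ClientCertAuth      bool
+	CRLFile             string
+	InsecureSkipVerify  bool
+	SkipClientSANVerify bool
 
 	// ServerName ensures the cert matches the given host in case of discovery / virtual hosting
 	ServerName string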
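Review bot: The renamed exported field `SkipClientSANVerify` still has no doc comment, even though the wrapTLS hunk above shows exactly what it controls: when set, wrapTLS returns NewTLSListener instead of newTLSListener with checkSAN, so the listener accepts any client certificate that chains to TrustedCAFile regardless of the SAN it carries. That is a security-relevant knob on a public struct and deserves a comment, e.g. `// SkipClientSANVerify disables the SAN check on peer client certificates (checkSAN in wrapTLS). Insecure: any certificate chaining to TrustedCAFile is then accepted regardless of the connecting host.` Renaming an exported field of pkg/transport is also an API break for any external importer of TLSInfo; a CHANGELOG note or a deprecated `SkipClientVerify` shim would be worth considering if out-of-tree users are expected. The TLSInfo struct continues past the hunk.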

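--- a/pkg/transport/listener_test.go
+++ b/pkg/transport/listener_test.go
@@ -78,18 +78,18 @@ func testNewListenerTLSInfoAccept(t *testing.T, tlsInfo TLSInfo) {
 	}
 	defer conn.Close()
 	if _, ok := conn.(*tls.Conn); !ok {
-		t.Errorf("failed to accept *tls.Conn")
+		t.Error("failed to accept *tls.Conn")
 	}
 }
 
-// TestNewListenerTLSInfoSkipClientVerify tests that if client IP address mismatches
+// TestNewListenerTLSInfoSkipClientSANVerify tests that if client IP address mismatches
 // with specified address in its certificate the connection is still accepted
-// if the flag SkipClientVerify is set (i.e. checkSAN() is disabled for the client side)
-func TestNewListenerTLSInfoSkipClientVerify(t *testing.T) {
+// if the flag SkipClientSANVerify is set (i.e. checkSAN() is disabled for the client side)
+func TestNewListenerTLSInfoSkipClientSANVerify(t *testing.T) {
 	tests := []struct {
-		skipClientVerify bool
-		goodClientHost   bool
-		acceptExpected   bool
+		skipClientSANVerify bool
+		goodClientHost      bool
+		acceptExpected      bool
 	}{
 		{false, true, true},
 		{false, false, false},
@@ -97,11 +97,11 @@ func TestNewListenerTLSInfoSkipClientVerify(t *testing.T) {
 		{true, false, true},
 	}
 	for _, test := range tests {
-		testNewListenerTLSInfoClientCheck(t, test.skipClientVerify, test.goodClientHost, test.acceptExpected)
+		testNewListenerTLSInfoClientCheck(t, test.skipClientSANVerify, test.goodClientHost, test.acceptExpected)
 	}
 }
 
-func testNewListenerTLSInfoClientCheck(t *testing.T, skipClientVerify, goodClientHost, acceptExpected bool) {
+func testNewListenerTLSInfoClientCheck(t *testing.T, skipClientSANVerify, goodClientHost, acceptExpected bool) {
 	tlsInfo, del, err := createSelfCert()
 	if err != nil {
 		t.Fatalf("unable to create cert: %v", err)
@@ -118,7 +118,7 @@ func testNewListenerTLSInfoClientCheck(t *testing.T, skipClientVerify, goodClien
 	}
 	defer del2()
 
-	tlsInfo.SkipClientVerify = skipClientVerify
+	tlsInfo.SkipClientSANVerify = skipClientSANVerify
 	tlsInfo.TrustedCAFile = clientTLSInfo.CertFile
 
 	rootCAs := x509.NewCertPool()
@@ -166,7 +166,7 @@ func testNewListenerTLSInfoClientCheck(t *testing.T, skipClientVerify, goodClien
 	select {
 	case <-chClientErr:
 		if acceptExpected {
-			t.Errorf("accepted for good client address: skipClientVerify=%t, goodClientHost=%t", skipClientVerify, goodClientHost)
+			t.Errorf("accepted for good client address: skipClientSANVerify=%t, goodClientHost=%t", skipClientSANVerify, goodClientHost)
 		}
 	case acceptErr := <-chAcceptErr:
 		t.Fatalf("unexpected Accept error: %v", acceptErr)
@@ -176,7 +176,7 @@ func testNewListenerTLSInfoClientCheck(t *testing.T, skipClientVerify, goodClien
 			t.Errorf("failed to accept *tls.Conn")
 		}
 		if !acceptExpected {
-			t.Errorf("accepted for bad client address: skipClientVerify=%t, goodClientHost=%t", skipClientVerify, goodClientHost)
+			t.Errorf("accepted for bad client address: skipClientSANVerify=%t, goodClientHost=%t", skipClientSANVerify, goodClientHost)
 		}
 	}
 }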