Home Explore Help
Register Sign In
publics
/
etcd-io__etcd
0
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

transport: add ServerName to TLSConfig and add ValidateSecureEndpoints

ServerName prevents accepting forged SRV records with cross-domain
credentials. ValidateSecureEndpoints prevents downgrade attacks from SRV
records.
Anthony Romano 9 years ago
parent
6e7baab32c
commit
cd781bf30c
2 changed files with 56 additions and 1 deletions
Unified View Show Diff Stats
  1. 7 1
      pkg/transport/listener.go
  2. 49 0
      pkg/transport/tls.go

+ 7 - 1
pkg/transport/listener.go
View File 

@@ -67,6 +67,9 @@ type TLSInfo struct {
 
 	TrustedCAFile  string
 
 	TrustedCAFile  string
 
 	ClientCertAuth bool
 
 	ClientCertAuth bool
 
 
 
+	// ServerName ensures the cert matches the given host in case of discovery / virtual hosting
 
+	ServerName string
 
+
 
 	selfCert bool
 
 	selfCert bool
 
 
 
 	// parseFunc exists to simplify testing. Typically, parseFunc
 
 	// parseFunc exists to simplify testing. Typically, parseFunc
 
@@ -167,6 +170,7 @@ func (info TLSInfo) baseConfig() (*tls.Config, error) {
 
 	cfg := &tls.Config{
 
 	cfg := &tls.Config{
 
 		Certificates: []tls.Certificate{*tlsCert},
 
 		Certificates: []tls.Certificate{*tlsCert},
 
 		MinVersion:   tls.VersionTLS12,
 
 		MinVersion:   tls.VersionTLS12,
 
+		ServerName:   info.ServerName,
 
 	}
 
 	}
 
 	return cfg, nil
 
 	return cfg, nil
 
 }
 
 }
 
@@ -218,7 +222,7 @@ func (info TLSInfo) ClientConfig() (*tls.Config, error) {
 
 			return nil, err
 
 			return nil, err
 
 		}
 
 		}
 
 	} else {
 
 	} else {
 
-		cfg = &tls.Config{}
 
+		cfg = &tls.Config{ServerName: info.ServerName}
 
 	}
 
 	}
 
 
 
 	CAFiles := info.cafiles()
 
 	CAFiles := info.cafiles()
 
@@ -227,6 +231,8 @@ func (info TLSInfo) ClientConfig() (*tls.Config, error) {
 
 		if err != nil {
 
 		if err != nil {
 
 			return nil, err
 
 			return nil, err
 
 		}
 
 		}
 
+		// if given a CA, trust any host with a cert signed by the CA
 
+		cfg.ServerName = ""
 
 	}
 
 	}
 
 
 
 	if info.selfCert {
 
 	if info.selfCert {

+ 49 - 0
pkg/transport/tls.go
View File 

@@ -0,0 +1,49 @@
 
+// Copyright 2016 The etcd Authors
 
+//
 
+// Licensed under the Apache License, Version 2.0 (the "License");
 
+// you may not use this file except in compliance with the License.
 
+// You may obtain a copy of the License at
 
+//
 
+//     http://www.apache.org/licenses/LICENSE-2.0
 
+//
 
+// Unless required by applicable law or agreed to in writing, software
 
+// distributed under the License is distributed on an "AS IS" BASIS,
 
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 
+// See the License for the specific language governing permissions and
 
+// limitations under the License.
 
+
 
+package transport
 
+
 
+import (
 
+	"fmt"
 
+	"strings"
 
+	"time"
 
+)
 
+
 
+// ValidateSecureEndpoints scans the given endpoints against tls info, returning only those
 
+// endpoints that could be validated as secure.
 
+func ValidateSecureEndpoints(tlsInfo TLSInfo, eps []string) ([]string, error) {
 
+	t, err := NewTransport(tlsInfo, 5*time.Second)
 
+	if err != nil {
 
+		return nil, err
 
+	}
 
+	var errs []string
 
+	var endpoints []string
 
+	for _, ep := range eps {
 
+		if !strings.HasPrefix(ep, "https://") {
 
+			errs = append(errs, fmt.Sprintf("%q is insecure", ep))
 
+			continue
 
+		}
 
+		conn, cerr := t.Dial("tcp", ep[len("https://"):])
 
+		if cerr != nil {
 
+			errs = append(errs, fmt.Sprintf("%q failed to dial (%v)", ep, cerr))
 
+			continue
 
+		}
 
+		conn.Close()
 
+		endpoints = append(endpoints, ep)
 
+	}
 
+	if len(errs) != 0 {
 
+		err = fmt.Errorf("%s", strings.Join(errs, ","))
 
+	}
 
+	return endpoints, err
 
+}