Remove MaxConcurrentStreams in proxy peering (#39233)

gravitational · Mar 12, 2024 · d41acad · d41acad
1 parent 477c7ca
commit d41acad
Showing 1 changed file with 10 additions and 2 deletions.
diff --git a/lib/proxy/peer/server.go b/lib/proxy/peer/server.go
@@ -21,6 +21,7 @@ package peer
 import (
 	"crypto/tls"
 	"errors"
+	"math"
 	"net"
 	"time"
 
@@ -35,7 +36,6 @@ import (
 	"github.com/gravitational/teleport/api/metadata"
 	"github.com/gravitational/teleport/api/utils/grpc/interceptors"
 	"github.com/gravitational/teleport/lib/auth"
-	"github.com/gravitational/teleport/lib/defaults"
 	"github.com/gravitational/teleport/lib/utils"
 )
 
@@ -146,7 +146,15 @@ func NewServer(config ServerConfig) (*Server, error) {
 			MinTime:             peerKeepAlive,
 			PermitWithoutStream: true,
 		}),
-		grpc.MaxConcurrentStreams(defaults.GRPCMaxConcurrentStreams),
+
+		// the proxy peering server uses transport authentication to verify that
+		// the client is another Teleport proxy, and the proxy peering service
+		// is intended for mass connection routing (spawning an unbounded amount
+		// of streams of unbounded duration), so adding a limit on concurrent
+		// streams (for example to prevent CVE-2023-44487, see
+		// https://github.com/grpc/grpc-go/pull/6703 ) is unnecessary and
+		// counterproductive to the functionality of proxy peering
+		grpc.MaxConcurrentStreams(math.MaxUint32),
 	)
 
 	proto.RegisterProxyServiceServer(server, config.service)