Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Don't use server_name config for RPC connections #5394

Merged
merged 2 commits into from
Mar 5, 2019
Merged

Don't use server_name config for RPC connections #5394

merged 2 commits into from
Mar 5, 2019

Conversation

hanshasselberg
Copy link
Member

@hanshasselberg hanshasselberg commented Feb 27, 2019
edited
Loading

server_name shouldn't be used for RPC connections. If it is hardcoded, it can never properly work in a multi dc setup, since for that it has to be dynamic to account for forwarding calls into other dcs. Fixes #5357.

This PR contains a bunch of comment wrapping.

hanshasselberg
hanshasselberg commented Feb 27, 2019
View reviewed changes
tlsutil/config.go

if tlsConfig.ServerName == "" {
tlsConfig.ServerName = c.base.NodeName
InsecureSkipVerify: !c.base.VerifyServerHostname,
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since ServerName is not used here anymore, this only depends on VerifyServerHostname now.

hanshasselberg
hanshasselberg commented Feb 27, 2019
View reviewed changes
tlsutil/config.go
tlsConfig.ServerName = c.base.ServerName
if tlsConfig.ServerName == "" {
tlsConfig.ServerName = c.base.NodeName
}
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OutgoingTLSConfigForChecks is the only place where we allow setting it now. Even that I find questionable... But I don't want to change to many things at once.

hanshasselberg
hanshasselberg commented Feb 27, 2019
View reviewed changes
tlsutil/config_test.go
require.Equal(t, tlsConf.ServerName, "consul.example.com")
require.False(t, tlsConf.InsecureSkipVerify)
require.Empty(t, tlsConf.ServerName)
require.True(t, tlsConf.InsecureSkipVerify)
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was thinking about this test, which I had to change to make it pass.
It is skipping the builtin check from golang tls, but we are still checking the cert chain. Since VerifyServerHostname is disabled, we do not check that. I think this is what we want.

@hanshasselberg hanshasselberg requested a review from a team February 27, 2019 16:22
mkeeler
mkeeler approved these changes Mar 1, 2019
View reviewed changes
Copy link
Member

@mkeeler mkeeler left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was a good find. You are absolutely correct that our usage of server names in outgoing TLS RPC connections was not good.

@hanshasselberg hanshasselberg merged commit eb0895c into master Mar 5, 2019
@banks banks deleted the no_server_name_rpc branch April 16, 2019 09:04
@beautifulentropy beautifulentropy mentioned this pull request May 25, 2023
Merged
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mkeeler mkeeler mkeeler approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@hanshasselberg @mkeeler