Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

meshtls: log errors parsing client certs #2467

Merged
merged 7 commits into from
Sep 27, 2023
Merged

meshtls: log errors parsing client certs #2467

Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
8558735
use `rustls-webpki` instead of `linkerd/webpki`
hawkw Sep 1, 2023
df23b6a
update to rustls-webpki v0.101.5
hawkw Sep 8, 2023
bf45d96
pin git dep to revision
hawkw Sep 11, 2023
2f1f99c
update deny.toml to allow git dep
hawkw Sep 11, 2023
d9af088
remove debugging printlns --- my bad!
hawkw Sep 11, 2023
dbf93fd
meshtls: log errors parsing client certs
hawkw Sep 11, 2023
802764b
Merge branch 'main' into eliza/webpki-error-logs
hawkw Sep 11, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
18 changes: 15 additions & 3 deletions linkerd/meshtls/rustls/src/server.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -129,14 +129,26 @@ fn client_identity<I>(tls: &tokio_rustls::server::TlsStream<I>) -> Option<Client
let (_io, session) = tls.get_ref();
let certs = session.peer_certificates()?;
let c = certs.first().map(Certificate::as_ref)?;
let end_cert = webpki::EndEntityCert::try_from(c).ok()?;
let name: &str = end_cert.dns_names().ok()?.next().map(Into::into)?;
let end_cert = webpki::EndEntityCert::try_from(c)
.map_err(|error| tracing::warn!(%error, "Failed to parse client end-entity certificate"))
.ok()?;
let name: &str = end_cert
.dns_names()
.map_err(
|error| tracing::warn!(%error, "Failed to parse DNS names from client certificate"),
)
.ok()?
.next()
.map(Into::into)?;
if name == "*" {
// Wildcards can perhaps be handled in a future path...
return None;
}

name.parse().ok().map(ClientId)
name.parse()
.map_err(|error| tracing::warn!(%error, "Client certificate contained an invalid DNS name"))
.ok()
.map(ClientId)
}

// === impl ServerIo ===
Expand Down