-
Notifications
You must be signed in to change notification settings - Fork 3.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
don't sign X.509 certs #34896
don't sign X.509 certs #34896
Conversation
Nodes currently don't verify X.509 self-signed certificates because peer authentication is done via TLS 1.3 CertificateVerify. Thus, encodes an invalid signature in the X.509 certificate instead.
Codecov ReportAttention:
Additional details and impacted files@@ Coverage Diff @@
## master #34896 +/- ##
=========================================
- Coverage 81.7% 81.7% -0.1%
=========================================
Files 826 826
Lines 223413 223357 -56
=========================================
- Hits 182614 182553 -61
- Misses 40799 40804 +5 |
Can you push your commits directly to #34202 so we have all the context and discussions in one place? |
Unfortunately, I do not have permission to push to the firedancer repo. So the technique would not work. The real change is c1bf6c0 -- rest is just address merge conflicts. Which is just restore the issuer common name back to "Solana node" from "Solana" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm,
Can you also plz comment on #34202 pointing to this one for reference and close that as well?
client/src/connection_cache.rs
Outdated
@@ -253,7 +251,7 @@ mod tests { | |||
#[test] | |||
fn test_connection_with_specified_client_endpoint() { | |||
// Start a response receiver: | |||
let (response_recv_socket, response_recv_exit, keypair2, response_recv_ip) = server_args(); | |||
let (response_recv_socket, response_recv_exit, keypair2, _) = server_args(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If it is not used anywhere, should server_args()
be updated not to return response_recv_ip
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed. Thanks!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm
Just for record keeping, the CERT looks like the following: openssl x509 -in dummy.cer -inform DER -text -noout |
Thank you @lijunwangs. So happy to see this go through. 🎉 |
In solana-labs/solana#34896, Solana Labs chose a slightly different mock cert layout. This PR updates Firedancer and Solana Labs to use the same.
In solana-labs/solana#34896, Solana Labs chose a slightly different mock cert layout. This PR updates Firedancer and Solana Labs to use the same.
In solana-labs/solana#34896, Solana Labs chose a slightly different mock cert layout. This PR updates Firedancer and Solana Labs to use the same.
Problem
This is to resurrect PR from #34202 to address merge conflicts and some comments.
Summary of Changes
This get rid of 3rd party components rcgen in the path of private key access to make the code more secure.
Fixes #