Skip to content

Commit

Permalink
etcdmain, pkg: CN based auth for inter peer connection
Browse files Browse the repository at this point in the history
This commit adds an authentication mechanism to inter peer connection
(rafthttp). If the cert based peer auth is enabled and a new option
`--peer-cert-allowed-cn` is passed, an etcd process denies a peer
connection whose CN doesn't match.
  • Loading branch information
mitake committed Sep 29, 2017
1 parent 554298d commit 427c582
Show file tree
Hide file tree
Showing 2 changed files with 22 additions and 0 deletions.
1 change: 1 addition & 0 deletions etcdmain/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -184,6 +184,7 @@ func newConfig() *config {
fs.StringVar(&cfg.PeerTLSInfo.TrustedCAFile, "peer-trusted-ca-file", "", "Path to the peer server TLS trusted CA file.")
fs.BoolVar(&cfg.PeerAutoTLS, "peer-auto-tls", false, "Peer TLS using generated certificates")
fs.StringVar(&cfg.PeerTLSInfo.CRLFile, "peer-crl-file", "", "Path to the peer certificate revocation list file.")
fs.StringVar(&cfg.PeerTLSInfo.AllowedCN, "peer-cert-allowed-cn", "", "Allowed CN for inter peer authentication.")

// logging
fs.BoolVar(&cfg.Debug, "debug", false, "Enable debug-level logging for etcd.")
Expand Down
21 changes: 21 additions & 0 deletions pkg/transport/listener.go
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@ import (
"crypto/x509"
"crypto/x509/pkix"
"encoding/pem"
"errors"
"fmt"
"math/big"
"net"
Expand Down Expand Up @@ -76,6 +77,9 @@ type TLSInfo struct {
// parseFunc exists to simplify testing. Typically, parseFunc
// should be left nil. In that case, tls.X509KeyPair will be used.
parseFunc func([]byte, []byte) (tls.Certificate, error)

// AllowedCN is a CN which must be provided by a client
AllowedCN string
}

func (info TLSInfo) String() string {
Expand Down Expand Up @@ -174,6 +178,23 @@ func (info TLSInfo) baseConfig() (*tls.Config, error) {
MinVersion: tls.VersionTLS12,
ServerName: info.ServerName,
}

if info.AllowedCN != "" {
cfg.VerifyPeerCertificate = func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
for _, chains := range verifiedChains {
for _, chain := range chains {
if info.AllowedCN == chain.Subject.CommonName {
return nil
} else {
return fmt.Errorf("CommonName authentication failed (allowed: %s, client: %s)", info.AllowedCN, chains[0].Subject.CommonName)
}

}
}
return errors.New("CommonName authentication failed")
}
}

// this only reloads certs when there's a client request
// TODO: support server-side refresh (e.g. inotify, SIGHUP), caching
cfg.GetCertificate = func(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {
Expand Down

0 comments on commit 427c582

Please sign in to comment.