Skip to content

Commit

Permalink
etcdmain, pkg: CN based auth for inter peer connection
Browse files Browse the repository at this point in the history
This commit adds an authentication mechanism to inter peer connection
(rafthttp). If the cert based peer auth is enabled and a new option
`--peer-require-cn` is passed, an etcd process denies a peer
connection whose CN doesn't match.
  • Loading branch information
mitake committed Sep 27, 2017
1 parent 554298d commit 8d33f2f
Show file tree
Hide file tree
Showing 2 changed files with 22 additions and 0 deletions.
1 change: 1 addition & 0 deletions etcdmain/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -184,6 +184,7 @@ func newConfig() *config {
fs.StringVar(&cfg.PeerTLSInfo.TrustedCAFile, "peer-trusted-ca-file", "", "Path to the peer server TLS trusted CA file.")
fs.BoolVar(&cfg.PeerAutoTLS, "peer-auto-tls", false, "Peer TLS using generated certificates")
fs.StringVar(&cfg.PeerTLSInfo.CRLFile, "peer-crl-file", "", "Path to the peer certificate revocation list file.")
fs.StringVar(&cfg.PeerTLSInfo.RequireCN, "peer-require-cn", "", "CN required for inter peer authentication.")

// logging
fs.BoolVar(&cfg.Debug, "debug", false, "Enable debug-level logging for etcd.")
Expand Down
21 changes: 21 additions & 0 deletions pkg/transport/listener.go
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@ import (
"crypto/x509"
"crypto/x509/pkix"
"encoding/pem"
"errors"
"fmt"
"math/big"
"net"
Expand Down Expand Up @@ -76,6 +77,9 @@ type TLSInfo struct {
// parseFunc exists to simplify testing. Typically, parseFunc
// should be left nil. In that case, tls.X509KeyPair will be used.
parseFunc func([]byte, []byte) (tls.Certificate, error)

// RequireCN is a CN which must be provided by a client
RequireCN string
}

func (info TLSInfo) String() string {
Expand Down Expand Up @@ -174,6 +178,23 @@ func (info TLSInfo) baseConfig() (*tls.Config, error) {
MinVersion: tls.VersionTLS12,
ServerName: info.ServerName,
}

if info.RequireCN != "" {
cfg.VerifyPeerCertificate = func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
if len(verifiedChains) != 0 {
chains := verifiedChains[0]
if len(chains) != 0 {
if info.RequireCN == chains[0].Subject.CommonName {
return nil
} else {
return fmt.Errorf("CommonName authentication failed (required: %s, client: %s)", info.RequireCN, chains[0].Subject.CommonName)
}
}
}
return errors.New("CommonName authentication failed")
}
}

// this only reloads certs when there's a client request
// TODO: support server-side refresh (e.g. inotify, SIGHUP), caching
cfg.GetCertificate = func(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {
Expand Down

0 comments on commit 8d33f2f

Please sign in to comment.