From 718e9c16cc68da361e574bfb928f3bab89565756 Mon Sep 17 00:00:00 2001 From: Martin Weindel Date: Tue, 30 Jul 2019 08:24:27 +0200 Subject: [PATCH] etcdserver: mark flag as experimental, add to changelog and configuration --- CHANGELOG-3.4.md | 1 + Documentation/op-guide/configuration.md | 9 +++++++++ etcdmain/config.go | 2 +- 3 files changed, 11 insertions(+), 1 deletion(-) diff --git a/CHANGELOG-3.4.md b/CHANGELOG-3.4.md index 41bee160657..4142e1cd37c 100644 --- a/CHANGELOG-3.4.md +++ b/CHANGELOG-3.4.md @@ -67,6 +67,7 @@ See [code changes](https://github.com/etcd-io/etcd/compare/v3.3.0...v3.4.0) and - Add [`Verify` function to perform corruption check on WAL contents](https://github.com/etcd-io/etcd/pull/10603). - Improve [heartbeat send failure logging](https://github.com/etcd-io/etcd/pull/10663). - Support [users with no password](https://github.com/etcd-io/etcd/pull/9817) for reducing security risk introduced by leaked password. The users can only be authenticated with CommonName based auth. +- Add flag `--experimental-peer-skip-client-san-verification` to [skip verification of peer client address](https://github.com/etcd-io/etcd/pull/10524) ### Breaking Changes diff --git a/Documentation/op-guide/configuration.md b/Documentation/op-guide/configuration.md index 3a682bcf94e..0a29676de28 100644 --- a/Documentation/op-guide/configuration.md +++ b/Documentation/op-guide/configuration.md @@ -457,3 +457,12 @@ Follow the instructions when using these flags. [tuning]: ../tuning.md#time-parameters [sample-config-file]: ../../etcd.conf.yml.sample [recovery]: recovery.md#disaster-recovery + +### --experimental-peer-skip-client-san-verification ++ Skip verification of SAN field in client certificate for peer connections. This can be helpful e.g. if +cluster members run in different networks behind a NAT. + + In this case make sure to use peer certificates based on +a private certificate authority using `--peer-cert-file`, `--peer-key-file`, `--peer-trusted-ca-file` ++ default: false ++ env variable: ETCD_EXPERIMENTAL_PEER_SKIP_CLIENT_SAN_VERIFICATION diff --git a/etcdmain/config.go b/etcdmain/config.go index 8c1472ee38b..153b18292ac 100644 --- a/etcdmain/config.go +++ b/etcdmain/config.go @@ -213,7 +213,7 @@ func newConfig() *config { fs.StringVar(&cfg.ec.PeerTLSInfo.AllowedCN, "peer-cert-allowed-cn", "", "Allowed CN for inter peer authentication.") fs.StringVar(&cfg.ec.PeerTLSInfo.AllowedHostname, "peer-cert-allowed-hostname", "", "Allowed TLS hostname for inter peer authentication.") fs.Var(flags.NewStringsValue(""), "cipher-suites", "Comma-separated list of supported TLS cipher suites between client/server and peers (empty will be auto-populated by Go).") - fs.BoolVar(&cfg.ec.PeerTLSInfo.SkipClientSANVerify, "peer-skip-client-san-verification", false, "Skip verification of SAN field in client certificate for peer connections.") + fs.BoolVar(&cfg.ec.PeerTLSInfo.SkipClientSANVerify, "experimental-peer-skip-client-san-verification", false, "Skip verification of SAN field in client certificate for peer connections.") fs.Var( flags.NewUniqueURLsWithExceptions("*", "*"),