Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

etcdserver: config flag to skip verification of peer client address #10524

Merged
merged 4 commits into from
Jul 30, 2019

Conversation

MartinWeindel
Copy link
Contributor

On initialising the peer-to-peer communication, ETCD checks the CN/SAN for the client side. This is not feasible, if the client IP address (of the HTTPS connection) is not stable or unknown at the time of creation of the certificate.

For example, if the peers of a distributed ETCD cluster with TLS enabled run in multiple clouds (or behind NAT with some kind of DHCP),
the IP addresses of the peers are not stable. Another example for such an environment is a Kubernetes cluster using Calico CNI. Here incoming requests from outside the cluster get the client address of the accepting K8s node.

Therefore a new command line option --peer-skip-client-verify is introduced to disable the client address check optionally. Basically it should be enough to rely on the knowledge of a valid certificate.

This partially fixes #8912 "Make it possible to ignore CN/SAN mismatches" (if certificates are created for DNS names and DNS records are updated according to the current proxy IP addresses).

etcd-nat

@MartinWeindel MartinWeindel force-pushed the peer-skip-client-verify branch 2 times, most recently from 21a6d36 to ec4196b Compare March 6, 2019 12:04
@codecov-io
Copy link

codecov-io commented Mar 6, 2019

Codecov Report

Merging #10524 into master will increase coverage by 0.13%.
The diff coverage is 100%.

Impacted file tree graph

@@            Coverage Diff             @@
##           master   #10524      +/-   ##
==========================================
+ Coverage   63.64%   63.77%   +0.13%     
==========================================
  Files         401      401              
  Lines       37470    37473       +3     
==========================================
+ Hits        23846    23899      +53     
+ Misses      12016    11938      -78     
- Partials     1608     1636      +28
Impacted Files Coverage Δ
etcdmain/config.go 83.03% <100%> (+0.07%) ⬆️
pkg/transport/listener.go 51.35% <100%> (+1.8%) ⬆️
client/keys.go 55.77% <0%> (-35.68%) ⬇️
auth/simple_token.go 65.85% <0%> (-21.14%) ⬇️
client/members.go 65.32% <0%> (-20.17%) ⬇️
clientv3/naming/grpc.go 68.42% <0%> (-7.02%) ⬇️
clientv3/leasing/util.go 91.66% <0%> (-6.67%) ⬇️
pkg/testutil/recorder.go 77.77% <0%> (-3.71%) ⬇️
clientv3/leasing/cache.go 87.77% <0%> (-3.34%) ⬇️
clientv3/balancer/balancer.go 86.36% <0%> (-2.28%) ⬇️
... and 20 more

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 800e723...718e9c1. Read the comment docs.

@jingyih
Copy link
Contributor

jingyih commented Mar 11, 2019

cc @gyuho

@jingyih
Copy link
Contributor

jingyih commented Mar 11, 2019

cc @wenjiaswe

@afritzler
Copy link

Any chance this gets merged anytime soon?

@MartinWeindel
Copy link
Contributor Author

Ping. Any chances for this mini pull request consisting of just 6 new lines?

@wenjiaswe
Copy link
Contributor

wenjiaswe commented Apr 23, 2019

@MartinWeindel Thanks for the PR! Sorry for the delay, would you please add a test to it? Otherwise lgtm

@hexfusion would you please also take a look to make sure?

@gyuho
Copy link
Contributor

gyuho commented Apr 24, 2019

kubernetes/kubernetes#21283 (comment)

I would say no. It's not an option supported by the go http transport, and trusting the signature but not verifying the subject/sans means you are extending your trust beyond the CA to everyone holding a certificate ever issued by the CA.

/cc @liggitt

@gyuho gyuho added the WIP label Apr 24, 2019
@MartinWeindel
Copy link
Contributor Author

MartinWeindel commented Apr 24, 2019 via email

@MartinWeindel MartinWeindel force-pushed the peer-skip-client-verify branch 4 times, most recently from bd2cd6e to 296183f Compare April 28, 2019 16:53
@MartinWeindel
Copy link
Contributor Author

@wenjiaswe As there was no test coverage for checking the client address from its certificate, the added test checks the correct behaviour for three cases:

  1. Client IP address matches the SAN entry of the client certificate and handshaking is successful.
  2. Client IP address does not match and handshaking fails.
  3. SkipClientVerify flag is set and handshaking succeeds even if client IP address does not match.

@wenjiaswe
Copy link
Contributor

Friendly ping @gyuho @liggitt for your opinion, cc @hexfusion as well. Thanks!

@@ -210,6 +210,7 @@ func newConfig() *config {
fs.StringVar(&cfg.ec.PeerTLSInfo.CRLFile, "peer-crl-file", "", "Path to the peer certificate revocation list file.")
fs.StringVar(&cfg.ec.PeerTLSInfo.AllowedCN, "peer-cert-allowed-cn", "", "Allowed CN for inter peer authentication.")
fs.Var(flags.NewStringsValue(""), "cipher-suites", "Comma-separated list of supported TLS cipher suites between client/server and peers (empty will be auto-populated by Go).")
fs.BoolVar(&cfg.ec.PeerTLSInfo.SkipClientVerify, "peer-skip-client-verify", false, "Skip client IP verification for peer connections.")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Skip client SAN field verification for peer connections?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the skip client verify is a very vague description. can we make it clear to include what exactly is skipped?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changed description to Skip verification of SAN field in client certificate for peer connections.
Any more ideas?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Skip verification of SAN field in client certificate for peer connections

This is clearer.

@gyuho
Copy link
Contributor

gyuho commented Jun 10, 2019

I will check with SIG-auth https://github.com/kubernetes/community/tree/master/sig-auth. Overall, the use case is reasonable.

@gyuho
Copy link
Contributor

gyuho commented Jun 11, 2019

@MartinWeindel can you update commit title to *: ...?

@gyuho
Copy link
Contributor

gyuho commented Jun 11, 2019

/cc @deads2k @liggitt @mikedanese

@MartinWeindel MartinWeindel force-pushed the peer-skip-client-verify branch from 7694a69 to 6a28ae2 Compare June 11, 2019 21:00
@@ -210,6 +210,7 @@ func newConfig() *config {
fs.StringVar(&cfg.ec.PeerTLSInfo.CRLFile, "peer-crl-file", "", "Path to the peer certificate revocation list file.")
fs.StringVar(&cfg.ec.PeerTLSInfo.AllowedCN, "peer-cert-allowed-cn", "", "Allowed CN for inter peer authentication.")
fs.Var(flags.NewStringsValue(""), "cipher-suites", "Comma-separated list of supported TLS cipher suites between client/server and peers (empty will be auto-populated by Go).")
fs.BoolVar(&cfg.ec.PeerTLSInfo.SkipClientVerify, "peer-skip-client-verify", false, "Skip verification of SAN field in client certificate for peer connections.")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@MartinWeindel can we also change the flag naming to peer-skip-client-san-veirfy? not a fan of long flag, but we need to be clear on what is skipped on flag naming too.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changed flag to peer-skip-client-san-verification

@mikedanese
Copy link

Can ETCD not be configured with different certs for client and server TLS auth? It seems like checkSAN should be OR'd with the AllowedCN check. This is allowed by the spec for both client and server auth, but is especially useful for client auth.

@hexfusion
Copy link
Contributor

I would like some time to test this before we merge. In general this feels like a flag that will promote poor usage and thus reduce overall security. While I understand the reporters networking challenge I still am not convinced this is the only path forward.

@MartinWeindel MartinWeindel force-pushed the peer-skip-client-verify branch 3 times, most recently from f3ef5bc to aeaec51 Compare June 12, 2019 13:50
@xiang90
Copy link
Contributor

xiang90 commented Jun 14, 2019

defer to @hexfusion

@MartinWeindel
Copy link
Contributor Author

@hexfusion Have you already found some time to test this?

@hexfusion
Copy link
Contributor

@MartinWeindel we are going to talk about this today at the community meeting

@hexfusion
Copy link
Contributor

@MartinWeindel it would be nice if we had a solid reproducible use case to test alternative solutions against. Your description has general networking detail but not enough to validate the need for this change. Can you provide a test ENV or steps to reproduce the ENV which we could clearly see the failure case? Thanks!

@MartinWeindel
Copy link
Contributor Author

@hexfusion You can find a test ENV using Kubernetes services in the GitHub project MartinWeindel/etcd-peer-skip-client-verify. Feel free to contact me if anything is unclear.

@hexfusion
Copy link
Contributor

@MartinWeindel after talking with the other maintainers we have decided to move this forward for v3.4 as an experimental flag. Can you please append experimental to your flag and update docs[1] as well as add details to changelog[2]?

[1] https://github.com/etcd-io/etcd/blob/master/Documentation/op-guide/configuration.md#experimental-flags
[2] https://github.com/etcd-io/etcd/blob/master/CHANGELOG-3.4.md

@MartinWeindel MartinWeindel force-pushed the peer-skip-client-verify branch from aeaec51 to ff3ded7 Compare July 30, 2019 06:26
@MartinWeindel
Copy link
Contributor Author

@hexfusion Thanks for your endurance

@MartinWeindel MartinWeindel force-pushed the peer-skip-client-verify branch from ff3ded7 to 865beb4 Compare July 30, 2019 06:43
@MartinWeindel MartinWeindel force-pushed the peer-skip-client-verify branch from 865beb4 to 718e9c1 Compare July 30, 2019 12:02
@hexfusion hexfusion removed the WIP label Jul 30, 2019
@hexfusion hexfusion added this to the etcd-v3.4 milestone Jul 30, 2019
Copy link
Contributor

@hexfusion hexfusion left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@MartinWeindel thank you for your patience.

@hexfusion hexfusion merged commit 149e5dc into etcd-io:master Jul 30, 2019
@andyliuliming
Copy link
Contributor

andyliuliming commented Oct 2, 2019

Hi @xiang90 is it possible we cherry-pick this change to the etcd 3.2/3.3 too?
if yes, I will prepare the PR, thanks :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Development

Successfully merging this pull request may close these issues.

Make it possible to ignore CN/SAN mismatches
10 participants