You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Startup Log Output:
Error detecting redirect address: Get https://[2a00:8123:a123:1190:0:1234:0:3954]:8500/v1/agent/self: x509: certificate is valid for 2a00:8123:a123:1190:0:1234:0:3954, not [2a00
Error initializing core: missing redirect address
Expected Behavior:
Vault should have come up.
Actual Behavior:
vault fails to come up.
Steps to Reproduce:
Using above mentioned hcl file and giving a proper IPv6 address, issue can be re-produced
Important Factoids:
References:
When we analysed the issue, we are observing that the ServerName set in Transport.TLSClientConfig, the IPv6 address parsing logic is resulting in setting wrong IP address.
func setupTLSConfig(conf map[string]string) (*tls.Config, error) { serverName := strings.Split(conf["address"], ":") ....... tlsClientConfig := &tls.Config{ MinVersion: tlsMinVersion, InsecureSkipVerify: insecureSkipVerify, ServerName: serverName[0], }
When the above code is analysed, when parsing IPv6 address using separator ":", the IPv6 is getting splitted into multiple parts and only the first element in the slice([2a00) serverName is being assigned.
We made below changes in the same function to get it working. func setupTLSConfig(conf map[string]string) (*tls.Config, error) { idx := strings.LastIndex(conf["address"], ":") serverName := (conf["address"])[0:idx] .................... tlsClientConfig := &tls.Config{ MinVersion: tlsMinVersion, InsecureSkipVerify: insecureSkipVerify, ServerName: serverName, }
Above change is working for us and seems to be working fine.
If above change seems fine, please me know if this change can be up-streamed and changes be made available.
Regards,
Bharath B
The text was updated successfully, but these errors were encountered:
Environment:
Vault v0.7.3 ('5758f3b00bcd2b4bf08d2ddf12eed7831721144b+CHANGES')
Red Hat Enterprise Linux Server release 7.3 (Maipo)
Vault Config File:
backend "consul" {
address = "[]:8500"
path = "vaultdata/"
scheme = "https"
service = "vault"
tls_ca_file = "/tmp/ca.crt"
tls_cert_file = "/tmp/vault.crt"
tls_key_file = "/tmp/vault.pem"
}
listener "tcp" {
address = "[]:8200"
tls_disable = 0
tls_cert_file = "/tmp/vault.crt"
tls_key_file = "/tmp/vault.pem"
tls_min_version = "tls12"
}
disable_mlock = false
default_lease_ttl = 0
max_lease_ttl = 0
Startup Log Output:
Error detecting redirect address: Get https://[2a00:8123:a123:1190:0:1234:0:3954]:8500/v1/agent/self: x509: certificate is valid for 2a00:8123:a123:1190:0:1234:0:3954, not [2a00
Error initializing core: missing redirect address
Expected Behavior:
Vault should have come up.
Actual Behavior:
vault fails to come up.
Steps to Reproduce:
Using above mentioned hcl file and giving a proper IPv6 address, issue can be re-produced
Important Factoids:
References:
When we analysed the issue, we are observing that the ServerName set in Transport.TLSClientConfig, the IPv6 address parsing logic is resulting in setting wrong IP address.
FileName : github.com/hashicorp/vault/physical/consul.go
func setupTLSConfig(conf map[string]string) (*tls.Config, error) { serverName := strings.Split(conf["address"], ":") ....... tlsClientConfig := &tls.Config{ MinVersion: tlsMinVersion, InsecureSkipVerify: insecureSkipVerify, ServerName: serverName[0], }
When the above code is analysed, when parsing IPv6 address using separator ":", the IPv6 is getting splitted into multiple parts and only the first element in the slice([2a00) serverName is being assigned.
We made below changes in the same function to get it working.
func setupTLSConfig(conf map[string]string) (*tls.Config, error) { idx := strings.LastIndex(conf["address"], ":") serverName := (conf["address"])[0:idx] .................... tlsClientConfig := &tls.Config{ MinVersion: tlsMinVersion, InsecureSkipVerify: insecureSkipVerify, ServerName: serverName, }
Above change is working for us and seems to be working fine.
If above change seems fine, please me know if this change can be up-streamed and changes be made available.
Regards,
Bharath B
The text was updated successfully, but these errors were encountered: