Merge 'joshsouza/fix_peer_cert_chains' into 'master'
This commit is contained in:
commit
5dfe24eeee
@ -76,6 +76,7 @@ Connect
The ``tls`` transport uses TCP + TLS with client authentication using client certificates.
The ``tls`` transport uses TCP + TLS with client authentication using client certificates.
The client identity is the common name (CN) presented in the client certificate.
The client identity is the common name (CN) presented in the client certificate.
It is recommended to set up a dedicated CA infrastructure for this transport, e.g. using OpenVPN's `EasyRSA <https://github.com/OpenVPN/easy-rsa>`_.
It is recommended to set up a dedicated CA infrastructure for this transport, e.g. using OpenVPN's `EasyRSA <https://github.com/OpenVPN/easy-rsa>`_.
For a simple 2-machine setup, see the :ref:`instructions below<transport-tcp+tlsclientauth-2machineopenssl>`.
For a simple 2-machine setup, see the :ref:`instructions below<transport-tcp+tlsclientauth-2machineopenssl>`.
@ -85,6 +86,10 @@ Since Go binaries are statically linked, you or your distribution need to recomp
All file paths are resolved relative to the zrepl daemon's working directory.
All file paths are resolved relative to the zrepl daemon's working directory.
Specify absolute paths if you are unsure what directory that is (or find out from your init system).
Specify absolute paths if you are unsure what directory that is (or find out from your init system).
If intermediate CAs are used, the **full chain** must be present in either in the ``ca`` file or the individual ``cert`` files.
Regardless, the client's certificate must be first in the ``cert`` file, with each following certificate directly certifying the one preceding it (see `TLS's specification <https://tools.ietf.org/html/rfc5246#section-7.4.2>`_).
This is the common default when using a CA management tool.
Serve
Serve
~~~~~
~~~~~
@ -97,7 +102,7 @@ Serve
type: tls
type: tls
listen: ":8888"
listen: ":8888"
ca: /etc/zrepl/ca.crt
ca: /etc/zrepl/ca.crt
cert: /etc/zrepl/prod.crt
cert: /etc/zrepl/prod.fullchain
key: /etc/zrepl/prod.key
key: /etc/zrepl/prod.key
client_cns:
client_cns:
- "laptop1"
- "laptop1"
@ -117,7 +122,7 @@ Connect
type: tls
type: tls
address: "server1.foo.bar:8888"
address: "server1.foo.bar:8888"
ca: /etc/zrepl/ca.crt
ca: /etc/zrepl/ca.crt
cert: /etc/zrepl/backupserver.crt
cert: /etc/zrepl/backupserver.fullchain
key: /etc/zrepl/backupserver.key
key: /etc/zrepl/backupserver.key
server_cn: "server1"
server_cn: "server1"
dial_timeout: # optional, default 10s
dial_timeout: # optional, default 10s
|
@ -83,8 +83,8 @@ func (l *ClientAuthListener) Accept() (tcpConn *net.TCPConn, tlsConn *tls.Conn,
tlsConn.SetDeadline(time.Time{})
tlsConn.SetDeadline(time.Time{})
peerCerts = tlsConn.ConnectionState().PeerCertificates
peerCerts = tlsConn.ConnectionState().PeerCertificates
if len(peerCerts) != 1 {
if len(peerCerts) < 1 {
err = errors.New("unexpected number of certificates presented by TLS client")
err = errors.New("client must present full RFC5246:7.4.2 TLS client certificate chain")
goto CloseAndErr
goto CloseAndErr
}
}
cn = peerCerts[0].Subject.CommonName
cn = peerCerts[0].Subject.CommonName
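Review bot: The new guard `if len(peerCerts) < 1` only rejects an empty certificate list, yet the error text claims the client "must present full RFC5246:7.4.2 TLS client certificate chain"; nothing in this hunk checks chain completeness or order, so the message overstates what is actually verified here. The identity on the following line is taken from `peerCerts[0]`, which is the client's leaf only because RFC 5246 §7.4.2 mandates the sender's certificate first — that ordering and the chain's validity against the CA are what crypto/tls enforces during the handshake, presumably because the listener's tls.Config requires and verifies client certificates, which is configured outside this hunk and should be confirmed rather than assumed. I would either reword the error to match the check, `err = errors.New("TLS client presented no certificate")`, or document the assumption above the guard: `// peerCerts[0] is the client's leaf certificate (RFC 5246 §7.4.2); the chain was validated against the CA during the handshake, so only its CN is read here.` Accept begins before this hunk and the CloseAndErr label it jumps to lies after it.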
|