extern/zrepl
1
0
Fork 0
mirror of https://github.com/zrepl/zrepl.git synced 2025-01-24 07:09:07 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge 'joshsouza/fix_peer_cert_chains' into 'master'

Browse Source
This commit is contained in:
Christian Schwarz 2019-03-15 18:40:05 +01:00
commit 5dfe24eeee
2 changed files with 12 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
docs/configuration/transports.rst
View File

@ -76,6 +76,7 @@ Connect
The ``tls`` transport uses TCP + TLS with client authentication using client certificates. The ``tls`` transport uses TCP + TLS with client authentication using client certificates.
The client identity is the common name (CN) presented in the client certificate. The client identity is the common name (CN) presented in the client certificate.
It is recommended to set up a dedicated CA infrastructure for this transport, e.g. using OpenVPN's `EasyRSA <https://github.com/OpenVPN/easy-rsa>`_. It is recommended to set up a dedicated CA infrastructure for this transport, e.g. using OpenVPN's `EasyRSA <https://github.com/OpenVPN/easy-rsa>`_.
For a simple 2-machine setup, see the :ref:`instructions below<transport-tcp+tlsclientauth-2machineopenssl>`. For a simple 2-machine setup, see the :ref:`instructions below<transport-tcp+tlsclientauth-2machineopenssl>`.
@ -85,6 +86,10 @@ Since Go binaries are statically linked, you or your distribution need to recomp
All file paths are resolved relative to the zrepl daemon's working directory. All file paths are resolved relative to the zrepl daemon's working directory.
Specify absolute paths if you are unsure what directory that is (or find out from your init system). Specify absolute paths if you are unsure what directory that is (or find out from your init system).
If intermediate CAs are used, the **full chain** must be present in either in the ``ca`` file or the individual ``cert`` files.
Regardless, the client's certificate must be first in the ``cert`` file, with each following certificate directly certifying the one preceding it (see `TLS's specification <https://tools.ietf.org/html/rfc5246#section-7.4.2>`_).
This is the common default when using a CA management tool.
Serve Serve
~~~~~ ~~~~~
@ -96,9 +101,9 @@ Serve
serve: serve:
type: tls type: tls
listen: ":8888" listen: ":8888"
ca: /etc/zrepl/ca.crt ca: /etc/zrepl/ca.crt
cert: /etc/zrepl/prod.crt cert: /etc/zrepl/prod.fullchain
key: /etc/zrepl/prod.key key: /etc/zrepl/prod.key
client_cns: client_cns:
- "laptop1" - "laptop1"
- "homeserver" - "homeserver"
@ -116,8 +121,8 @@ Connect
connect: connect:
type: tls type: tls
address: "server1.foo.bar:8888" address: "server1.foo.bar:8888"
ca: /etc/zrepl/ca.crt ca: /etc/zrepl/ca.crt
cert: /etc/zrepl/backupserver.crt cert: /etc/zrepl/backupserver.fullchain
key: /etc/zrepl/backupserver.key key: /etc/zrepl/backupserver.key
server_cn: "server1" server_cn: "server1"
dial_timeout: # optional, default 10s dial_timeout: # optional, default 10s

4
tlsconf/tlsconf.go
View File

@ -83,8 +83,8 @@ func (l *ClientAuthListener) Accept() (tcpConn *net.TCPConn, tlsConn *tls.Conn,
tlsConn.SetDeadline(time.Time{}) tlsConn.SetDeadline(time.Time{})
peerCerts = tlsConn.ConnectionState().PeerCertificates peerCerts = tlsConn.ConnectionState().PeerCertificates
if len(peerCerts) != 1 { if len(peerCerts) < 1 {
err = errors.New("unexpected number of certificates presented by TLS client") err = errors.New("client must present full RFC5246:7.4.2 TLS client certificate chain")
goto CloseAndErr goto CloseAndErr
} }
cn = peerCerts[0].Subject.CommonName cn = peerCerts[0].Subject.CommonName