-
Notifications
You must be signed in to change notification settings - Fork 9.8k
New issue
Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? # to your account
Add TLSv1.3 support. #15156
Add TLSv1.3 support. #15156
Conversation
Hi @serathius, please could you check this PR. Thank You! |
Codecov Report
@@ Coverage Diff @@
## main #15156 +/- ##
==========================================
- Coverage 74.93% 74.62% -0.31%
==========================================
Files 415 416 +1
Lines 34326 34351 +25
==========================================
- Hits 25721 25634 -87
- Misses 6986 7072 +86
- Partials 1619 1645 +26
Flags with carried forward coverage won't be shown. Click here to find out more.
📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Currently not, I targeted only to the minimum change. I can add server flags & config file options as well if requested. |
Sounds good |
I've now added config options for etcd server binary and new tests. I see the docs are in website repo so a follow up PR is needed for the docs after confirming the proposed flags are OK. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @tsaarni for the PR! I added two comments, let me know what you think @serathius.
Thanks @tuminoid I agree with your review comments, so I went ahead and made those changes. Eagerly waiting for more reviews :-) |
cc @ptabor |
@serathius One test failed but could it be a flake https://github.com/etcd-io/etcd/actions/runs/3994448937/jobs/6852174459? Would it be possible to trigger a re-run? |
Thank you @tsaarni Overall looks good to me, with a couple of minor comments. |
3f3e622
to
cf76be0
Compare
cf76be0
to
fc5ab82
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Please consider to use github.com/stretchr/testify
to simplify the test cases if you want.
Thank you @ahrtr, great feedback! If it's OK, I will leave the tests as they are, but I also like |
I've submitted also a proposal for the documentation change etcd-io/website#641. |
Please add e2e tests for new etcdserver flags. |
3fa5d2b
to
c582131
Compare
server/embed/config.go
Outdated
@@ -660,6 +666,12 @@ func updateCipherSuites(tls *transport.TLSInfo, ss []string) error { | |||
return nil | |||
} | |||
|
|||
func updateMinMaxVersions(info *transport.TLSInfo, min, max string) { | |||
// Validate() has been called to check the user input, so it is safe to ignore errors here. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nit: At that point we should not expect error, but in tests or during refactor someone might forget to call Validate and provide invalid input. It would make sense to just panic on errors here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
panic or cfg.logger.Fatal
.
server/etcdmain/config.go
Outdated
@@ -215,6 +216,8 @@ func newConfig() *config { | |||
fs.StringVar(&cfg.ec.PeerTLSInfo.AllowedHostname, "peer-cert-allowed-hostname", "", "Allowed TLS hostname for inter peer authentication.") | |||
fs.Var(flags.NewStringsValue(""), "cipher-suites", "Comma-separated list of supported TLS cipher suites between client/server and peers (empty will be auto-populated by Go).") | |||
fs.BoolVar(&cfg.ec.PeerTLSInfo.SkipClientSANVerify, "experimental-peer-skip-client-san-verification", false, "Skip verification of SAN field in client certificate for peer connections.") | |||
fs.StringVar(&cfg.ec.TlsMinVersion, "tls-min-version", string(tlsutil.TLSVersion12), "Minimum TLS version supported by etcd. Possible values: TLS1.2, TLS1.3.") | |||
fs.StringVar(&cfg.ec.TlsMaxVersion, "tls-max-version", "", "Maximum TLS version supported by etcd. Possible values: TLS1.2, TLS1.3 (empty will be auto-populated by Go).") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fs.StringVar(&cfg.ec.TlsMaxVersion, "tls-max-version", "", "Maximum TLS version supported by etcd. Possible values: TLS1.2, TLS1.3 (empty will be auto-populated by Go).") | |
fs.StringVar(&cfg.ec.TlsMaxVersion, "tls-max-version", string(tlsutil.TLSVersionDefault), "Maximum TLS version supported by etcd. Possible values: TLS1.2, TLS1.3 (empty will be auto-populated by Go).") |
server/etcdmain/config.go
Outdated
@@ -215,6 +216,8 @@ func newConfig() *config { | |||
fs.StringVar(&cfg.ec.PeerTLSInfo.AllowedHostname, "peer-cert-allowed-hostname", "", "Allowed TLS hostname for inter peer authentication.") | |||
fs.Var(flags.NewStringsValue(""), "cipher-suites", "Comma-separated list of supported TLS cipher suites between client/server and peers (empty will be auto-populated by Go).") | |||
fs.BoolVar(&cfg.ec.PeerTLSInfo.SkipClientSANVerify, "experimental-peer-skip-client-san-verification", false, "Skip verification of SAN field in client certificate for peer connections.") | |||
fs.StringVar(&cfg.ec.TlsMinVersion, "tls-min-version", string(tlsutil.TLSVersion12), "Minimum TLS version supported by etcd. Possible values: TLS1.2, TLS1.3.") | |||
fs.StringVar(&cfg.ec.TlsMaxVersion, "tls-max-version", "", "Maximum TLS version supported by etcd. Possible values: TLS1.2, TLS1.3 (empty will be auto-populated by Go).") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fs.StringVar(&cfg.ec.TlsMaxVersion, "tls-max-version", "", "Maximum TLS version supported by etcd. Possible values: TLS1.2, TLS1.3 (empty will be auto-populated by Go).") | |
fs.StringVar(&cfg.ec.TlsMaxVersion, "tls-max-version", "", "Maximum TLS version supported by etcd. Possible values: TLS1.2, TLS1.3 (empty defers to Go).") |
Added optional TLS min/max protocol version and command line switches to set versions for the etcd server. If max version is not explicitly set by the user, let Go select the max version which is currently TLSv1.3. Previously max version was set to TLSv1.2. Signed-off-by: Tero Saarni <tero.saarni@est.tech>
c582131
to
588b98d
Compare
I have made the requested changes but tests failed, possibly flukes again? |
This adds the min and max TLS version support from etcd-io#13506 and etcd-io#15156 to the grpc proxy. Fixes etcd-io#13506 Signed-off-by: Thomas Jungblut <tjungblu@redhat.com>
This adds the min and max TLS version support from etcd-io#13506 and etcd-io#15156 to the grpc proxy. Fixes etcd-io#13506 Signed-off-by: Thomas Jungblut <tjungblu@redhat.com>
This adds the min and max TLS version support from etcd-io#13506 and etcd-io#15156 to the grpc proxy. Fixes etcd-io#13506 Signed-off-by: Thomas Jungblut <tjungblu@redhat.com>
This adds the min and max TLS version support from etcd-io#13506 and etcd-io#15156 to the grpc proxy. Fixes etcd-io#13506 Signed-off-by: Thomas Jungblut <tjungblu@redhat.com>
This adds the min and max TLS version support from etcd-io#13506 and etcd-io#15156 to the grpc proxy. Signed-off-by: Thomas Jungblut <tjungblu@redhat.com>
This adds the min and max TLS version support from etcd-io#13506 and etcd-io#15156 to the grpc proxy. Fixes etcd-io#13506 Signed-off-by: Thomas Jungblut <tjungblu@redhat.com>
This adds the min and max TLS version support from etcd-io#13506 and etcd-io#15156 to the grpc proxy. Signed-off-by: Thomas Jungblut <tjungblu@redhat.com>
This adds the min and max TLS version support from etcd-io#13506 and etcd-io#15156 to the grpc proxy. Fixes etcd-io#13506 Signed-off-by: Thomas Jungblut <tjungblu@redhat.com>
This adds the min and max TLS version support from etcd-io#13506 and etcd-io#15156 to the grpc proxy. Fixes etcd-io#13506 Signed-off-by: Thomas Jungblut <tjungblu@redhat.com>
This PR adds optional TLS min/max protocol versions fields to
TLSInfo
struct, which is used in both server and client configs. Instead of hardcoding max version to TLSv1.2 it lets Go select the max version. This effectively enables TLSv1.3 support for etcd. The min/max values are also exposed via optional server flags and config file fields so that users can explicitly set the minimum and/or maximum TLS versions, if they want.It seems that TLSv1.3 was previously supported (prior etcd 3.5) but it got disabled as a workaround to fix a test suite failure which appeared when Go 1.13 release enabled TLSv1.3 by default, see discussion #11110 (comment). In this PR, the failing test case is changed to set the max version to TLSv1.2. This approach allows testing ciphers with <TLSv1.3 without disabling TLSv1.3 altogether.
Related documentation change etcd-io/website#641.
Fixes #13506
Signed-off-by: Tero Saarni tero.saarni@est.tech