Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Add TLSv1.3 support. #15156

Merged
merged 1 commit into from
Jan 31, 2023
Merged

Add TLSv1.3 support. #15156

merged 1 commit into from
Jan 31, 2023

Conversation

tsaarni
Copy link
Contributor

@tsaarni tsaarni commented Jan 20, 2023

This PR adds optional TLS min/max protocol versions fields to TLSInfo struct, which is used in both server and client configs. Instead of hardcoding max version to TLSv1.2 it lets Go select the max version. This effectively enables TLSv1.3 support for etcd. The min/max values are also exposed via optional server flags and config file fields so that users can explicitly set the minimum and/or maximum TLS versions, if they want.

It seems that TLSv1.3 was previously supported (prior etcd 3.5) but it got disabled as a workaround to fix a test suite failure which appeared when Go 1.13 release enabled TLSv1.3 by default, see discussion #11110 (comment). In this PR, the failing test case is changed to set the max version to TLSv1.2. This approach allows testing ciphers with <TLSv1.3 without disabling TLSv1.3 altogether.

Related documentation change etcd-io/website#641.

Fixes #13506

Signed-off-by: Tero Saarni tero.saarni@est.tech

@tsaarni
Copy link
Contributor Author

tsaarni commented Jan 20, 2023

Hi @serathius, please could you check this PR. Thank You!

@codecov-commenter
Copy link

codecov-commenter commented Jan 20, 2023

Codecov Report

Merging #15156 (3f3e622) into main (ee566c4) will decrease coverage by 0.31%.
The diff coverage is 77.77%.

@@            Coverage Diff             @@
##             main   #15156      +/-   ##
==========================================
- Coverage   74.93%   74.62%   -0.31%     
==========================================
  Files         415      416       +1     
  Lines       34326    34351      +25     
==========================================
- Hits        25721    25634      -87     
- Misses       6986     7072      +86     
- Partials     1619     1645      +26     
Flag Coverage Δ
all 74.62% <77.77%> (-0.31%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files Coverage Δ
server/embed/etcd.go 77.36% <0.00%> (-0.61%) ⬇️
server/embed/config.go 75.24% <100.00%> (+0.75%) ⬆️
server/etcdmain/config.go 85.13% <100.00%> (+0.11%) ⬆️
server/proxy/grpcproxy/register.go 69.76% <0.00%> (-11.63%) ⬇️
server/storage/mvcc/watchable_store.go 85.30% <0.00%> (-8.97%) ⬇️
client/pkg/v3/fileutil/purge.go 68.85% <0.00%> (-6.56%) ⬇️
client/v3/namespace/watch.go 87.87% <0.00%> (-6.07%) ⬇️
server/lease/lease.go 94.87% <0.00%> (-5.13%) ⬇️
client/pkg/v3/testutil/leak.go 62.83% <0.00%> (-4.43%) ⬇️
client/v3/leasing/cache.go 87.77% <0.00%> (-3.89%) ⬇️
... and 25 more

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

serathius
serathius previously approved these changes Jan 23, 2023
Copy link
Member

@serathius serathius left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, is the min/max tls config exposed in etcd server binary flags?
cc @ahrtr @ptabor for second opinion

@tsaarni
Copy link
Contributor Author

tsaarni commented Jan 23, 2023

is the min/max tls config exposed in etcd server binary flags

Currently not, I targeted only to the minimum change. I can add server flags & config file options as well if requested.

@serathius
Copy link
Member

is the min/max tls config exposed in etcd server binary flags

Currently not, I targeted only to the minimum change. I can add server flags & config file options as well if requested.

Sounds good

@tsaarni
Copy link
Contributor Author

tsaarni commented Jan 23, 2023

I've now added config options for etcd server binary and new tests. I see the docs are in website repo so a follow up PR is needed for the docs after confirming the proposed flags are OK.

Copy link

@tuminoid tuminoid left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @tsaarni for the PR! I added two comments, let me know what you think @serathius.

server/embed/config.go Outdated Show resolved Hide resolved
client/pkg/tlsutil/versions.go Outdated Show resolved Hide resolved
@serathius serathius dismissed their stale review January 24, 2023 08:48

PR changed since

@tsaarni
Copy link
Contributor Author

tsaarni commented Jan 24, 2023

Thanks @tuminoid I agree with your review comments, so I went ahead and made those changes. Eagerly waiting for more reviews :-)

@serathius
Copy link
Member

cc @ptabor

@tsaarni
Copy link
Contributor Author

tsaarni commented Jan 24, 2023

@serathius One test failed but could it be a flake https://github.com/etcd-io/etcd/actions/runs/3994448937/jobs/6852174459? Would it be possible to trigger a re-run?

server/embed/config.go Outdated Show resolved Hide resolved
server/etcdmain/config.go Outdated Show resolved Hide resolved
tests/integration/v3_tls_test.go Show resolved Hide resolved
server/embed/config_test.go Outdated Show resolved Hide resolved
@ahrtr
Copy link
Member

ahrtr commented Jan 24, 2023

Thank you @tsaarni

Overall looks good to me, with a couple of minor comments.

server/etcdmain/help.go Outdated Show resolved Hide resolved
Copy link
Member

@ahrtr ahrtr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Please consider to use github.com/stretchr/testify to simplify the test cases if you want.

@tsaarni
Copy link
Contributor Author

tsaarni commented Jan 25, 2023

Thank you @ahrtr, great feedback!

If it's OK, I will leave the tests as they are, but I also like github.com/stretchr/testify asserts better. When looking around the test files I touched, I thought standard testing package was preferred, so I used that mostly.

@tsaarni
Copy link
Contributor Author

tsaarni commented Jan 25, 2023

I've submitted also a proposal for the documentation change etcd-io/website#641.

server/embed/config.go Outdated Show resolved Hide resolved
server/embed/etcd.go Outdated Show resolved Hide resolved
@serathius
Copy link
Member

Please add e2e tests for new etcdserver flags.

server/embed/config.go Outdated Show resolved Hide resolved
@tsaarni tsaarni force-pushed the add-minmax-allow-tls13 branch 2 times, most recently from 3fa5d2b to c582131 Compare January 27, 2023 15:13
@@ -660,6 +666,12 @@ func updateCipherSuites(tls *transport.TLSInfo, ss []string) error {
return nil
}

func updateMinMaxVersions(info *transport.TLSInfo, min, max string) {
// Validate() has been called to check the user input, so it is safe to ignore errors here.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: At that point we should not expect error, but in tests or during refactor someone might forget to call Validate and provide invalid input. It would make sense to just panic on errors here.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

panic or cfg.logger.Fatal.

@@ -215,6 +216,8 @@ func newConfig() *config {
fs.StringVar(&cfg.ec.PeerTLSInfo.AllowedHostname, "peer-cert-allowed-hostname", "", "Allowed TLS hostname for inter peer authentication.")
fs.Var(flags.NewStringsValue(""), "cipher-suites", "Comma-separated list of supported TLS cipher suites between client/server and peers (empty will be auto-populated by Go).")
fs.BoolVar(&cfg.ec.PeerTLSInfo.SkipClientSANVerify, "experimental-peer-skip-client-san-verification", false, "Skip verification of SAN field in client certificate for peer connections.")
fs.StringVar(&cfg.ec.TlsMinVersion, "tls-min-version", string(tlsutil.TLSVersion12), "Minimum TLS version supported by etcd. Possible values: TLS1.2, TLS1.3.")
fs.StringVar(&cfg.ec.TlsMaxVersion, "tls-max-version", "", "Maximum TLS version supported by etcd. Possible values: TLS1.2, TLS1.3 (empty will be auto-populated by Go).")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
fs.StringVar(&cfg.ec.TlsMaxVersion, "tls-max-version", "", "Maximum TLS version supported by etcd. Possible values: TLS1.2, TLS1.3 (empty will be auto-populated by Go).")
fs.StringVar(&cfg.ec.TlsMaxVersion, "tls-max-version", string(tlsutil.TLSVersionDefault), "Maximum TLS version supported by etcd. Possible values: TLS1.2, TLS1.3 (empty will be auto-populated by Go).")

@@ -215,6 +216,8 @@ func newConfig() *config {
fs.StringVar(&cfg.ec.PeerTLSInfo.AllowedHostname, "peer-cert-allowed-hostname", "", "Allowed TLS hostname for inter peer authentication.")
fs.Var(flags.NewStringsValue(""), "cipher-suites", "Comma-separated list of supported TLS cipher suites between client/server and peers (empty will be auto-populated by Go).")
fs.BoolVar(&cfg.ec.PeerTLSInfo.SkipClientSANVerify, "experimental-peer-skip-client-san-verification", false, "Skip verification of SAN field in client certificate for peer connections.")
fs.StringVar(&cfg.ec.TlsMinVersion, "tls-min-version", string(tlsutil.TLSVersion12), "Minimum TLS version supported by etcd. Possible values: TLS1.2, TLS1.3.")
fs.StringVar(&cfg.ec.TlsMaxVersion, "tls-max-version", "", "Maximum TLS version supported by etcd. Possible values: TLS1.2, TLS1.3 (empty will be auto-populated by Go).")
Copy link
Member

@serathius serathius Jan 30, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
fs.StringVar(&cfg.ec.TlsMaxVersion, "tls-max-version", "", "Maximum TLS version supported by etcd. Possible values: TLS1.2, TLS1.3 (empty will be auto-populated by Go).")
fs.StringVar(&cfg.ec.TlsMaxVersion, "tls-max-version", "", "Maximum TLS version supported by etcd. Possible values: TLS1.2, TLS1.3 (empty defers to Go).")

Added optional TLS min/max protocol version and command line switches to set
versions for the etcd server.

If max version is not explicitly set by the user, let Go select the max
version which is currently TLSv1.3. Previously max version was set to TLSv1.2.

Signed-off-by: Tero Saarni <tero.saarni@est.tech>
@tsaarni
Copy link
Contributor Author

tsaarni commented Jan 30, 2023

I have made the requested changes but tests failed, possibly flukes again?

@serathius serathius merged commit f4cc163 into etcd-io:main Jan 31, 2023
@tjungblu tjungblu mentioned this pull request Oct 31, 2024
tjungblu added a commit to tjungblu/etcd that referenced this pull request Oct 31, 2024
This adds the min and max TLS version support from etcd-io#13506 and etcd-io#15156 to the grpc proxy.

Fixes etcd-io#13506

Signed-off-by: Thomas Jungblut <tjungblu@redhat.com>
tjungblu added a commit to tjungblu/etcd that referenced this pull request Oct 31, 2024
This adds the min and max TLS version support from etcd-io#13506 and etcd-io#15156 to the grpc proxy.

Fixes etcd-io#13506

Signed-off-by: Thomas Jungblut <tjungblu@redhat.com>
tjungblu added a commit to tjungblu/etcd that referenced this pull request Nov 4, 2024
This adds the min and max TLS version support from etcd-io#13506 and etcd-io#15156 to the grpc proxy.

Fixes etcd-io#13506

Signed-off-by: Thomas Jungblut <tjungblu@redhat.com>
tjungblu added a commit to tjungblu/etcd that referenced this pull request Nov 4, 2024
This adds the min and max TLS version support from etcd-io#13506 and etcd-io#15156 to the grpc proxy.

Fixes etcd-io#13506

Signed-off-by: Thomas Jungblut <tjungblu@redhat.com>
tjungblu added a commit to tjungblu/etcd that referenced this pull request Nov 4, 2024
This adds the min and max TLS version support from etcd-io#13506 and etcd-io#15156 to the grpc proxy.

Signed-off-by: Thomas Jungblut <tjungblu@redhat.com>
tjungblu added a commit to tjungblu/etcd that referenced this pull request Nov 12, 2024
This adds the min and max TLS version support from etcd-io#13506 and etcd-io#15156 to the grpc proxy.

Fixes etcd-io#13506

Signed-off-by: Thomas Jungblut <tjungblu@redhat.com>
Elbehery pushed a commit to Elbehery/etcd that referenced this pull request Nov 14, 2024
This adds the min and max TLS version support from etcd-io#13506 and etcd-io#15156 to the grpc proxy.

Signed-off-by: Thomas Jungblut <tjungblu@redhat.com>
tjungblu added a commit to tjungblu/etcd that referenced this pull request Nov 14, 2024
This adds the min and max TLS version support from etcd-io#13506 and etcd-io#15156 to the grpc proxy.

Fixes etcd-io#13506

Signed-off-by: Thomas Jungblut <tjungblu@redhat.com>
tjungblu added a commit to tjungblu/etcd that referenced this pull request Nov 15, 2024
This adds the min and max TLS version support from etcd-io#13506 and etcd-io#15156 to the grpc proxy.

Fixes etcd-io#13506

Signed-off-by: Thomas Jungblut <tjungblu@redhat.com>
# for free to join this conversation on GitHub. Already have an account? # to comment
Labels
None yet
Development

Successfully merging this pull request may close these issues.

TLS1.3 support
6 participants