Multiple CN support for TLS connections #5134

Closed
Tema opened this issue Jun 8, 2022 · 2 comments · Fixed by #8518
Labels
help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. type/feature-request Categorizes issue or PR as related to a new feature.


Tema commented Jun 8, 2022

Bug Report

I want to use different CNs for clients and TiKV nodes, but pd-server fails to start up if I specify more than one. I don't use the TiDB layer, and my clients run on a completely separate fleet and use completely separate certificates, so it just does not make sense to have the same CN.

What did you do?

Specify multiple values under:

[security]
## A CN which must be provided by a client
cert-allowed-cn = ["TiKV", "Client"]

as PD config accepts multiple values under security.cert-allowed-cn:

pd/conf/config.toml

Lines 34 to 35 in af174e6

## A CN which must be provided by a client
# cert-allowed-cn = ["example.com"]

What did you expect to see?

pd-server starts up and clients with different CNs can connect to it.

What did you see instead?

pd-server fails to start up due to this check:

// GetOneAllowedCN only gets the first one CN.
func (s TLSConfig) GetOneAllowedCN() (string, error) {
	switch len(s.CertAllowedCN) {
	case 1:
		return s.CertAllowedCN[0], nil
	case 0:
		return "", nil
	default:
		return "", errs.ErrSecurityConfig.FastGenByArgs("only supports one CN")
	}
}

What version of PD are you using (pd-server -V)?

5.4, but the latest master has the same issue

@Tema Tema added the type/bug The issue is confirmed as a bug. label Jun 8, 2022
@nolouch nolouch added type/feature-request Categorizes issue or PR as related to a new feature. help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. labels Jun 9, 2022

nolouch commented Jun 9, 2022

/assign @nolouch

@lhy1024 lhy1024 self-assigned this Jul 30, 2024
ti-chi-bot bot pushed a commit that referenced this issue Aug 15, 2024
close #3877, ref #5134

Signed-off-by: lhy1024 <admin@liudos.us>
@ti-chi-bot ti-chi-bot bot closed this as completed in #8518 Sep 4, 2024
@ti-chi-bot ti-chi-bot bot closed this as completed in 52a53c9 Sep 4, 2024
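
What accepting any CN from a `cert-allowed-cn` list looks like at the Go TLS layer, as an added example; this is not PD's code and not the change merged in #8518. The function names, the "empty list means no restriction" semantics and the sample chains are assumptions made for illustration.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

// checkAllowedCN accepts a peer whose leaf certificate CommonName is in the
// allowed list. An empty list means no CN restriction (assumption, mirroring
// the "case 0" branch of the check quoted in the issue).
func checkAllowedCN(allowed []string, verifiedChains [][]*x509.Certificate) error {
	if len(allowed) == 0 {
		return nil
	}
	for _, chain := range verifiedChains {
		if len(chain) == 0 {
			continue
		}
		cn := chain[0].Subject.CommonName // chain[0] is the leaf certificate
		for _, a := range allowed {
			if cn == a { // exact match: no wildcards, no case folding
				return nil
			}
		}
	}
	return fmt.Errorf("peer certificate CN not in allowed list %q", allowed)
}

// verifyPeerCN adapts the check to the tls.Config.VerifyPeerCertificate hook.
// With ClientAuth set to tls.RequireAndVerifyClientCert, verifiedChains holds
// only chains that already validated against ClientCAs; nil chains fail closed.
func verifyPeerCN(allowed []string) func([][]byte, [][]*x509.Certificate) error {
	return func(_ [][]byte, verifiedChains [][]*x509.Certificate) error {
		return checkAllowedCN(allowed, verifiedChains)
	}
}

// sampleChain builds a constructed one-certificate chain for the demo.
func sampleChain(cn string) [][]*x509.Certificate {
	return [][]*x509.Certificate{{{Subject: pkix.Name{CommonName: cn}}}}
}

func main() {
	verify := verifyPeerCN([]string{"TiKV", "Client"}) // list from the issue
	for _, cn := range []string{"TiKV", "Client", "Other"} {
		fmt.Printf("%-8s -> %v\n", cn, verify(nil, sampleChain(cn)))
	}
}
```

The CN check only means something after chain validation, so the hook is paired with mutual TLS rather than used in place of it. `VerifyPeerCertificate` is not invoked on resumed connections.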