Closed
Description
A few breaking changes happened in TLS authentication in 3.2 and the upcoming 3.3 release.
Need to clarify/update the security docs, upgrade guide, or FAQ.
3.2:
- #7687 transport: deny incoming peer certs with wrong IP SAN
- #7767 transport: resolve DNSNames when SAN checking
- #7829 pkg/transport: reload TLS certificates for every client requests
- embed: fix HTTPs + DNS SRV discovery #8651 (comment)
3.3:
- IP Address SAN broken for TLS comms between nodes under 3.2.x #8206
- Rejected peer communication in K8S cluster with TLS and 3.2+ #8268
- dns discovery: set initial-advertise-peer-urls as https url #8445
- etcd v3.2.5 tls broken or a breaking change is introduced #8534
- Question: Is it possible to use self-signed certs but NOT use InsecureSkipVerify with rafthttp #8578
- Secured Peer Communication not working for domain name only certificate #8600
- ETCD with TLS showing error "transport: remote error: tls: bad certificate" for certificates generated using OpenSSL #8603
- Peer TLS SAN check couldn't reason about non-FQDN endpoints #8797
- etcdserver: rejected TLS peer connection error message to client is not helpful #8803
- embed: fix HTTPs + DNS SRV discovery #8651 (comment)
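The 3.2 items above (#7687 denying peers whose IP is not in the cert's IP SANs, #7767 also accepting a peer whose address is what a DNS SAN resolves to) are the kind of check operators now have to satisfy. The following is an added, stand-alone Go example of that logic, written for this page; it is not etcd's own code. It assumes a hypothetical peer at 10.0.0.1 with a hostname infra0.example, and injects a static resolver in place of real DNS so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Resolver abstracts DNS lookup so the check can run without a network.
type Resolver func(host string) ([]net.IP, error)

// checkPeerSAN accepts a peer only if its remote IP is listed as an IP SAN
// or is one of the addresses a DNS SAN resolves to. Names that fail to
// resolve are skipped rather than treated as a match.
func checkPeerSAN(cert *x509.Certificate, remote net.IP, resolve Resolver) error {
	for _, ip := range cert.IPAddresses {
		if ip.Equal(remote) {
			return nil
		}
	}
	for _, name := range cert.DNSNames {
		ips, err := resolve(name)
		if err != nil {
			continue
		}
		for _, ip := range ips {
			if ip.Equal(remote) {
				return nil
			}
		}
	}
	return fmt.Errorf("peer %s not in cert SANs (ip=%v dns=%v)",
		remote, cert.IPAddresses, cert.DNSNames)
}

// newPeerCert builds a self-signed certificate with the given SANs.
// This is a constructed fixture, not how a real peer cert would be issued.
func newPeerCert(ips []net.IP, dns []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "etcd-peer"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		IPAddresses:  ips,
		DNSNames:     dns,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// staticResolver is a constructed stand-in for DNS: fixed answers, no lookups.
func staticResolver(table map[string][]net.IP) Resolver {
	return func(host string) ([]net.IP, error) {
		ips, ok := table[host]
		if !ok {
			return nil, fmt.Errorf("no such host: %s", host)
		}
		return ips, nil
	}
}

func main() {
	// Hypothetical peer cert: IP SAN 10.0.0.1, DNS SAN infra0.example -> 10.0.0.2.
	cert, err := newPeerCert([]net.IP{net.ParseIP("10.0.0.1")}, []string{"infra0.example"})
	if err != nil {
		panic(err)
	}
	resolve := staticResolver(map[string][]net.IP{"infra0.example": {net.ParseIP("10.0.0.2")}})
	for _, addr := range []string{"10.0.0.1", "10.0.0.2", "10.0.0.3"} {
		fmt.Printf("%s: %v\n", addr, checkPeerSAN(cert, net.ParseIP(addr), resolve))
	}
}
```

The practical reading of the check: a cert carrying only a CommonName, or only a DNS SAN that does not resolve to the address the peer actually connects from, is rejected, which matches the symptom reported in several of the 3.3 issues above. The fix on the operator side is to reissue peer certs with the node's IP in IPAddresses or a DNS SAN that resolves to it.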