Add TLSv1.3 support. #15156
Add TLSv1.3 support. #15156
Conversation
|
Hi @serathius, please could you check this PR. Thank You! |
Codecov Report
@@ Coverage Diff @@
## main #15156 +/- ##
==========================================
- Coverage 74.93% 74.62% -0.31%
==========================================
Files 415 416 +1
Lines 34326 34351 +25
==========================================
- Hits 25721 25634 -87
- Misses 6986 7072 +86
- Partials 1619 1645 +26
Flags with carried forward coverage won't be shown. Click here to find out more.
📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more |
Currently not, I targeted only to the minimum change. I can add server flags & config file options as well if requested. |
Sounds good |
|
I've now added config options for etcd server binary and new tests. I see the docs are in website repo so a follow up PR is needed for the docs after confirming the proposed flags are OK. |
There was a problem hiding this comment.
Thanks @tsaarni for the PR! I added two comments, let me know what you think @serathius.
|
Thanks @tuminoid I agree with your review comments, so I went ahead and made those changes. Eagerly waiting for more reviews :-) |
|
cc @ptabor |
|
@serathius One test failed but could it be a flake https://github.com/etcd-io/etcd/actions/runs/3994448937/jobs/6852174459? Would it be possible to trigger a re-run? |
|
Thank you @tsaarni Overall looks good to me, with a couple of minor comments. |
tsaarni
force-pushed
the
add-minmax-allow-tls13
branch
from
3f3e622
to
cf76be0
Compare
tsaarni
force-pushed
the
add-minmax-allow-tls13
branch
from
cf76be0
to
fc5ab82
Compare
|
Thank you @ahrtr, great feedback! If it's OK, I will leave the tests as they are, but I also like |
|
I've submitted also a proposal for the documentation change etcd-io/website#641. |
|
Please add e2e tests for new etcdserver flags. |
tsaarni
force-pushed
the
add-minmax-allow-tls13
branch
2 times, most recently
from
3fa5d2b
to
c582131
Compare
Thank you @serathius! I've made the requested changes, except for the refactoring of how
@ahrtr I've now changed to testify after all, since I anyways went through a bigger change in the previous commit. |
server/embed/config.go
Outdated
| @@ -660,6 +666,12 @@ func updateCipherSuites(tls *transport.TLSInfo, ss []string) error { | |||
| return nil | |||
| } | |||
|
|
|||
| func updateMinMaxVersions(info *transport.TLSInfo, min, max string) { | |||
| // Validate() has been called to check the user input, so it is safe to ignore errors here. | |||
There was a problem hiding this comment.
Nit: At that point we should not expect error, but in tests or during refactor someone might forget to call Validate and provide invalid input. It would make sense to just panic on errors here.
server/etcdmain/config.go
Outdated
| @@ -215,6 +216,8 @@ func newConfig() *config { | |||
| fs.StringVar(&cfg.ec.PeerTLSInfo.AllowedHostname, "peer-cert-allowed-hostname", "", "Allowed TLS hostname for inter peer authentication.") | |||
| fs.Var(flags.NewStringsValue(""), "cipher-suites", "Comma-separated list of supported TLS cipher suites between client/server and peers (empty will be auto-populated by Go).") | |||
| fs.BoolVar(&cfg.ec.PeerTLSInfo.SkipClientSANVerify, "experimental-peer-skip-client-san-verification", false, "Skip verification of SAN field in client certificate for peer connections.") | |||
| fs.StringVar(&cfg.ec.TlsMinVersion, "tls-min-version", string(tlsutil.TLSVersion12), "Minimum TLS version supported by etcd. Possible values: TLS1.2, TLS1.3.") | |||
| fs.StringVar(&cfg.ec.TlsMaxVersion, "tls-max-version", "", "Maximum TLS version supported by etcd. Possible values: TLS1.2, TLS1.3 (empty will be auto-populated by Go).") | |||
There was a problem hiding this comment.
| fs.StringVar(&cfg.ec.TlsMaxVersion, "tls-max-version", "", "Maximum TLS version supported by etcd. Possible values: TLS1.2, TLS1.3 (empty will be auto-populated by Go).") | |
| fs.StringVar(&cfg.ec.TlsMaxVersion, "tls-max-version", string(tlsutil.TLSVersionDefault), "Maximum TLS version supported by etcd. Possible values: TLS1.2, TLS1.3 (empty will be auto-populated by Go).") |
server/etcdmain/config.go
Outdated
| @@ -215,6 +216,8 @@ func newConfig() *config { | |||
| fs.StringVar(&cfg.ec.PeerTLSInfo.AllowedHostname, "peer-cert-allowed-hostname", "", "Allowed TLS hostname for inter peer authentication.") | |||
| fs.Var(flags.NewStringsValue(""), "cipher-suites", "Comma-separated list of supported TLS cipher suites between client/server and peers (empty will be auto-populated by Go).") | |||
| fs.BoolVar(&cfg.ec.PeerTLSInfo.SkipClientSANVerify, "experimental-peer-skip-client-san-verification", false, "Skip verification of SAN field in client certificate for peer connections.") | |||
| fs.StringVar(&cfg.ec.TlsMinVersion, "tls-min-version", string(tlsutil.TLSVersion12), "Minimum TLS version supported by etcd. Possible values: TLS1.2, TLS1.3.") | |||
| fs.StringVar(&cfg.ec.TlsMaxVersion, "tls-max-version", "", "Maximum TLS version supported by etcd. Possible values: TLS1.2, TLS1.3 (empty will be auto-populated by Go).") | |||
There was a problem hiding this comment.
| fs.StringVar(&cfg.ec.TlsMaxVersion, "tls-max-version", "", "Maximum TLS version supported by etcd. Possible values: TLS1.2, TLS1.3 (empty will be auto-populated by Go).") | |
| fs.StringVar(&cfg.ec.TlsMaxVersion, "tls-max-version", "", "Maximum TLS version supported by etcd. Possible values: TLS1.2, TLS1.3 (empty defers to Go).") |
Added optional TLS min/max protocol version and command line switches to set versions for the etcd server. If max version is not explicitly set by the user, let Go select the max version which is currently TLSv1.3. Previously max version was set to TLSv1.2. Signed-off-by: Tero Saarni <tero.saarni@est.tech>
tsaarni
force-pushed
the
add-minmax-allow-tls13
branch
from
c582131
to
588b98d
Compare
|
I have made the requested changes but tests failed, possibly flukes again? |
This adds the min and max TLS version support from etcd-io#13506 and etcd-io#15156 to the grpc proxy. Fixes etcd-io#13506 Signed-off-by: Thomas Jungblut <tjungblu@redhat.com>
This adds the min and max TLS version support from etcd-io#13506 and etcd-io#15156 to the grpc proxy. Fixes etcd-io#13506 Signed-off-by: Thomas Jungblut <tjungblu@redhat.com>
This adds the min and max TLS version support from etcd-io#13506 and etcd-io#15156 to the grpc proxy. Fixes etcd-io#13506 Signed-off-by: Thomas Jungblut <tjungblu@redhat.com>
This adds the min and max TLS version support from etcd-io#13506 and etcd-io#15156 to the grpc proxy. Fixes etcd-io#13506 Signed-off-by: Thomas Jungblut <tjungblu@redhat.com>
This adds the min and max TLS version support from etcd-io#13506 and etcd-io#15156 to the grpc proxy. Signed-off-by: Thomas Jungblut <tjungblu@redhat.com>
This PR adds optional TLS min/max protocol versions fields to
TLSInfostruct, which is used in both server and client configs. Instead of hardcoding max version to TLSv1.2 it lets Go select the max version. This effectively enables TLSv1.3 support for etcd. The min/max values are also exposed via optional server flags and config file fields so that users can explicitly set the minimum and/or maximum TLS versions, if they want.It seems that TLSv1.3 was previously supported (prior etcd 3.5) but it got disabled as a workaround to fix a test suite failure which appeared when Go 1.13 release enabled TLSv1.3 by default, see discussion #11110 (comment). In this PR, the failing test case is changed to set the max version to TLSv1.2. This approach allows testing ciphers with <TLSv1.3 without disabling TLSv1.3 altogether.
Related documentation change etcd-io/website#641.
Fixes #13506
Signed-off-by: Tero Saarni tero.saarni@est.tech