Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

More clearly negotiate ALPN information #19804

Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

More clearly negotiate ALPN information #19804

wants to merge 1 commit into from

Conversation

cipherboy
Copy link
Contributor

Vault's cluster listener would previously select ALPN information via returning the client's list of supported protocols, after first ensuring at least one match existed in the handler list.

This had two implications:

  1. The globally set NextProtos are ignored.
  2. A client sending multiple ALPNs could result in an ALPN without a handler being negotiated.
    -> As a side effect here, we'd also present any CA information for our found ALPN handler, even if another one was chosen instead.

Thus, we explicitly restrict NextProtos to the protocol we have specified certificates for (and expect to negotiate).

This was found in discussion with Brian and Scott.

@cipherboy cipherboy added core Issues and Pull-Requests specific to Vault Core pr/no-changelog labels Mar 28, 2023
@cipherboy cipherboy added this to the 1.14 milestone Mar 28, 2023
@cipherboy cipherboy requested review from sgmiller, briankassouf, ncabatoff and a team March 28, 2023 19:38
@ncabatoff
Copy link
Collaborator

When you say "more clearly" I assume this makes things more obvious in the logs? Could you show before & after please?

@cipherboy
Copy link
Contributor Author

cipherboy commented Mar 28, 2023
edited
Loading

@ncabatoff No, this does not affect the log output at all except for bad clients. This is from a TLS protocol standpoint, rather than returning all of the client's requested protocols as the list of protocols the server supports (for Go to choose one, usually the first one), we'll instead return only the one we have a handler for.

From Brian's investigation, namely here, we only send one in the client anyways, hence why this change shouldn't impact clients or servers at all and is mostly just cleanup.

I think, at worst, you'd previously see a line from here in the logs:

cl.logger.Debug("unknown negotiated protocol on cluster port")
tlsConn.Close()

if you send a client with e.g.,. ["bogus", "replication_resolver_v1"]. To my knowledge, we don't today, and so this change should be a no-op.

(But now, this would succeed, negotiating replication_resolver_v1 as the protocol, assuming bogus isn't a valid protocol we know about).

I guess, to restate, "clearly" is from a developer's perspective, not from an operator's perspective. :-)

@cipherboy @briankassouf @sgmiller
More clearly negotiate ALPN information
87c7a5d 
Vault's cluster listener would previously select ALPN information via
returning the client's list of supported protocols, after first ensuring
at least one match existed in the handler list.

This had two implications:

 1. The globally set NextProtos are ignored.
 2. A client sending multiple ALPNs could result in an ALPN without
    a handler being negotiated.
    -> As a side effect here, we'd also present any CA information
       for our found ALPN handler, even if another one was chosen
       instead.

Thus, we explicitly restrict NextProtos to the protocol we have
specified certificates for (and expect to negotiate).

This was found in discussion with Brian and Scott.

Co-authored-by: Brian Kassouf <briankassouf@users.noreply.github.com>
Co-authored-by: Scott Miller <smiller@hashicorp.com>
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
@cipherboy cipherboy force-pushed the cipherboy-more-clearly-negotiate-alpns branch from 6738912 to 87c7a5d Compare March 29, 2023 12:53
@cipherboy
Copy link
Contributor Author

cipherboy commented Mar 29, 2023
edited
Loading

Fixed the build errors. :-)

But, it looks like this fails in Enterprise PR:

2023-03-29T13:08:28.756Z [WARN]  TestPerfSecondaryTokenCreationStateEntityAlias.perf-pri.core0.core.cluster-listener: no TLS config found for ALPN: ALPN=["replication_v1"]

@cipherboy cipherboy marked this pull request as draft March 29, 2023 16:23
@calvn
Copy link
Contributor

calvn commented May 31, 2023

This is missing the backport/1.14.x label now that the release branch has been cut. Do we still plan on merging this for the upcoming release?

@cipherboy cipherboy modified the milestones: 1.14, 1.15 Jun 1, 2023
@cipherboy
Copy link
Contributor Author

@calvn Most likely when I have cycles to look at this again and figure out the state it is in, it'll be an enhancement for the future, targeting 1.15+. I've updated milestones appropriately, thank you!

@VioletHynes VioletHynes added the hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed label Jul 7, 2023
@cipherboy cipherboy removed this from the 1.15.0-rc1 milestone Sep 11, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@briankassouf briankassouf briankassouf approved these changes

@sgmiller sgmiller Awaiting requested review from sgmiller

@ncabatoff ncabatoff Awaiting requested review from ncabatoff

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
core Issues and Pull-Requests specific to Vault Core hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed pr/no-changelog
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@cipherboy @ncabatoff @calvn @briankassouf @VioletHynes