tls: auto_encrypt and verify_incoming (#6811) (#6899)

* relax requirements for auto_encrypt on server
* better error message when auto_encrypt and verify_incoming on
* docs: explain verify_incoming on Consul clients.
Hans Hasselberg 2019-12-06 21:36:13 +01:00 committed by GitHub
parent 2ad0831b34
commit 9ff69194a2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 30 additions and 11 deletions


@ -1122,7 +1122,7 @@ func (b *Builder) Validate(rt RuntimeConfig) error {
if rt.AutoEncryptAllowTLS { if rt.AutoEncryptAllowTLS {
if !rt.VerifyIncoming && !rt.VerifyIncomingRPC { if !rt.VerifyIncoming && !rt.VerifyIncomingRPC {
return fmt.Errorf("if auto_encrypt.allow_tls is turned on, either verify_incoming or verify_incoming_rpc must be enabled.") b.warn("if auto_encrypt.allow_tls is turned on, either verify_incoming or verify_incoming_rpc should be enabled. It is necessary to turn it off during a migration to TLS, but it should definitely be turned on afterwards.")
} }
} }
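Review bot: The new warning text on the `b.warn(...)` line is ambiguous about what "it" refers to — the sentence "It is necessary to turn it off during a migration to TLS, but it should definitely be turned on afterwards." reads as if the subject were `auto_encrypt.allow_tls`, when the setting that is temporarily left off is `verify_incoming` / `verify_incoming_rpc`. Since this downgrade from an error to a warning is exactly the point where an operator decides whether a server keeps accepting unverified incoming RPC, the message should name the setting explicitly, e.g. `b.warn("if auto_encrypt.allow_tls is turned on, either verify_incoming or verify_incoming_rpc should be enabled. Leaving them disabled is only expected while migrating to TLS; enable one of them once the migration is complete.")`. The corresponding expected string in the config test would need the same update. `Validate` starts and ends outside this hunk.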


@ -2684,7 +2684,7 @@ func TestConfigFlagsAndEdgecases(t *testing.T) {
}, },
}, },
{ {
desc: "auto_encrypt.allow fails without verify_incoming or verify_incoming_rpc", desc: "auto_encrypt.allow warns without verify_incoming or verify_incoming_rpc",
args: []string{ args: []string{
`-data-dir=` + dataDir, `-data-dir=` + dataDir,
}, },
@ -2694,7 +2694,12 @@ func TestConfigFlagsAndEdgecases(t *testing.T) {
hcl: []string{` hcl: []string{`
auto_encrypt { allow_tls = true } auto_encrypt { allow_tls = true }
`}, `},
err: "if auto_encrypt.allow_tls is turned on, either verify_incoming or verify_incoming_rpc must be enabled.", warns: []string{"if auto_encrypt.allow_tls is turned on, either verify_incoming or verify_incoming_rpc should be enabled. It is necessary to turn it off during a migration to TLS, but it should definitely be turned on afterwards."},
patch: func(rt *RuntimeConfig) {
rt.DataDir = dataDir
rt.AutoEncryptAllowTLS = true
rt.ConnectEnabled = true
},
}, },
{ {
desc: "test connect vault provider configuration", desc: "test connect vault provider configuration",


@ -323,11 +323,20 @@ func (c *Configurator) check(config Config, pool *x509.CertPool, cert *tls.Certi
// Ensure we have a CA and cert if VerifyIncoming is set // Ensure we have a CA and cert if VerifyIncoming is set
if config.anyVerifyIncoming() { if config.anyVerifyIncoming() {
autoEncryptMsg := " AutoEncrypt only secures the connection between client and server and doesn't affect incoming connections on the client."
if pool == nil { if pool == nil {
return fmt.Errorf("VerifyIncoming set, and no CA certificate provided!") errMsg := "VerifyIncoming set, and no CA certificate provided!"
if config.AutoEncryptTLS {
errMsg += autoEncryptMsg
}
return fmt.Errorf(errMsg)
} }
if cert == nil { if cert == nil {
return fmt.Errorf("VerifyIncoming set, and no Cert/Key pair provided!") errMsg := "VerifyIncoming set, and no Cert/Key pair provided!"
if config.AutoEncryptTLS {
errMsg += autoEncryptMsg
}
return fmt.Errorf(errMsg)
} }
} }
return nil return nil
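Review bot: Both new `return fmt.Errorf(errMsg)` statements pass a non-constant string as the format argument; `go vet`'s printf check reports this, and any `%` that ever lands in the message would be interpreted as a verb. Since `errMsg` is already fully built, return it as-is: `return fmt.Errorf("%s", errMsg)` in both places, or `errors.New(errMsg)` if the file already imports `errors`. The two `if config.AutoEncryptTLS { errMsg += autoEncryptMsg }` blocks are identical and could be folded into one append after the `pool`/`cert` checks pick the base message, which would also keep the two hint paths from drifting apart. The enclosing `check` method starts outside this hunk.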


@ -1768,12 +1768,17 @@ to the old fragment -->
currently only supports numeric IDs. currently only supports numeric IDs.
- `mode` - The permission bits to set on the file. - `mode` - The permission bits to set on the file.
* <a name="verify_incoming"></a><a href="#verify_incoming">`verify_incoming`</a> - If * <a name="verify_incoming"></a><a href="#verify_incoming">`verify_incoming`</a>
set to true, Consul requires that all incoming - If set to true, Consul requires that all incoming connections make use of TLS
connections make use of TLS and that the client provides a certificate signed and that the client provides a certificate signed by a Certificate Authority
by a Certificate Authority from the [`ca_file`](#ca_file) or [`ca_path`](#ca_path). from the [`ca_file`](#ca_file) or [`ca_path`](#ca_path). This applies to
This applies to both server RPC and to the HTTPS API. By default, this is false, and both server RPC and to the HTTPS API. By default, this is false, and Consul
Consul will not enforce the use of TLS or verify a client's authenticity. will not enforce the use of TLS or verify a client's authenticity. Turning
on `verify_incoming` on consul clients protects the HTTPS endpoint, by ensuring
that the certificate that is presented by a 3rd party tool to the HTTPS
endpoint was created by the CA that the consul client was setup with. If the
UI is served, the same checks are performed.
* <a name="verify_incoming_rpc"></a><a href="#verify_incoming_rpc">`verify_incoming_rpc`</a> - If * <a name="verify_incoming_rpc"></a><a href="#verify_incoming_rpc">`verify_incoming_rpc`</a> - If
set to true, Consul requires that all incoming RPC set to true, Consul requires that all incoming RPC