consul

Commit Graph

Author	SHA1	Message	Date
Dan Stough	0448e51cf5	Manual Backport of [OSS] security: update go to 1.20.1 into release/1.14.x (#16321 ) * security: update go to 1.20.1 (#16263) * changelog	2 years ago
hc-github-team-consul-core	046246403b	Backport of Regenerate certificates. into release/1.14.x (#15219 ) This pull request was automerged via backport-assistant	2 years ago
hc-github-team-consul-core	1d5ae30946	backport of commit `c7aee51b3d` (#15201 ) This pull request was automerged via backport-assistant	2 years ago
freddygv	5fbb26525b	Add awareness of server mode to TLS configurator Preivously the TLS configurator would default to presenting auto TLS certificates as client certificates. Server agents should not have this behavior and should instead present the manually configured certs. The autoTLS certs for servers are exclusively used for peering and should not be used as the default for outbound communication.	2 years ago
freddygv	650e1e32e0	Update TLS configurator for peering traffic When the TLS-enabled gRPC port receives a request for the expected it must use the auto-tls certificates.	2 years ago
Pablo Ruiz García	1f293e5244	Added new auto_encrypt.grpc_server_tls config option to control AutoTLS enabling of GRPC Server's TLS usage Fix for #14253 Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com>	2 years ago
R.B. Boyer	bb4d4040fb	server: ensure peer replication can successfully use TLS over external gRPC (#13733 ) Ensure that the peer stream replication rpc can successfully be used with TLS activated. Also: - If key material is configured for the gRPC port but HTTPS is not enabled now TLS will still be activated for the gRPC port. - peerstream replication stream opened by the establishing-side will now ignore grpc.WithBlock so that TLS errors will bubble up instead of being awkwardly delayed or suppressed	2 years ago
DanStough	95250e7915	Update go version to 1.18.1	3 years ago
Mike Morris	f8a2ae2606	agent: convert listener config to TLS types (#12522 ) * tlsutil: initial implementation of types/TLSVersion tlsutil: add test for parsing deprecated agent TLS version strings tlsutil: return TLSVersionInvalid with error tlsutil: start moving tlsutil cipher suite lookups over to types/tls tlsutil: rename tlsLookup to ParseTLSVersion, add cipherSuiteLookup agent: attempt to use types in runtime config agent: implement b.tlsVersion validation in config builder agent: fix tlsVersion nil check in builder tlsutil: update to renamed ParseTLSVersion and goTLSVersions tlsutil: fixup TestConfigurator_CommonTLSConfigTLSMinVersion tlsutil: disable invalid config parsing tests tlsutil: update tests auto_config: lookup old config strings from base.TLSMinVersion auto_config: update endpoint tests to use TLS types agent: update runtime_test to use TLS types agent: update TestRuntimeCinfig_Sanitize.golden agent: update config runtime tests to expect TLS types * website: update Consul agent tls_min_version values * agent: fixup TLS parsing and compilation errors * test: fixup lint issues in agent/config_runtime_test and tlsutil/config_test * tlsutil: add CHACHA20_POLY1305 cipher suites to goTLSCipherSuites * test: revert autoconfig tls min version fixtures to old format * types: add TLSVersions public function * agent: add warning for deprecated TLS version strings * agent: move agent config specific logic from tlsutil.ParseTLSVersion into agent config builder * tlsutil(BREAKING): change default TLS min version to TLS 1.2 * agent: move ParseCiphers logic from tlsutil into agent config builder * tlsutil: remove unused CipherString function * agent: fixup import for types package * Revert "tlsutil: remove unused CipherString function" This reverts commit `6ca7f6f58d`. * agent: fixup config builder and runtime tests * tlsutil: fixup one remaining ListenerConfig -> ProtocolConfig * test: move TLS cipher suites parsing test from tlsutil into agent config builder tests * agent: remove parseCiphers helper from auto_config_endpoint_test * test: remove unused imports from tlsutil * agent: remove resolved FIXME comment * tlsutil: remove TODO and FIXME in cipher suite validation * agent: prevent setting inherited cipher suite config when TLS 1.3 is specified * changelog: add entry for converting agent config to TLS types * agent: remove FIXME in runtime test, this is covered in builder tests with invalid tls9 value now * tlsutil: remove config tests for values checked at agent config builder boundary * tlsutil: remove tls version check from loadProtocolConfig * tlsutil: remove tests and TODOs for logic checked in TestBuilder_tlsVersion and TestBuilder_tlsCipherSuites * website: update search link for supported Consul agent cipher suites * website: apply review suggestions for tls_min_version description * website: attempt to clean up markdown list formatting for tls_min_version * website: moar linebreaks to fix tls_min_version formatting * Revert "website: moar linebreaks to fix tls_min_version formatting" This reverts commit `3858592742`. * autoconfig: translate old values for TLSMinVersion * agent: rename var for translated value of deprecated TLS version value * Update agent/config/deprecated.go Co-authored-by: Dan Upton <daniel@floppy.co> * agent: fix lint issue * agent: fixup deprecated config test assertions for updated warning Co-authored-by: Dan Upton <daniel@floppy.co>	3 years ago
Dan Upton	b36d4e16b6	Support per-listener TLS configuration ⚙️ (#12504 ) Introduces the capability to configure TLS differently for Consul's listeners/ports (i.e. HTTPS, gRPC, and the internal multiplexed RPC port) which is useful in scenarios where you may want the HTTPS or gRPC interfaces to present a certificate signed by a well-known/public CA, rather than the certificate used for internal communication which must have a SAN in the form `server.<dc>.consul`.	3 years ago
Dhia Ayachi	2801785710	regenerate expired certs (#11462 ) * regenerate expired certs * add documentation to generate tests certificates	3 years ago
Daniel Nephin	4afc24268d	tlsutil: only AuthorizerServerConn when VerifyIncomingRPC is true See github.com/hashicorp/consul/issues/11207 When VerifyIncomingRPC is false the TLS conn will not have the required certificates.	3 years ago
Daniel Nephin	3f873d2257	rpc: include error for AuthorizeServerConn failures The errs were not being captured because the value of append was not being assigned.	3 years ago
Daniel Nephin	1502547e38	Revert "Merge pull request #10588 from hashicorp/dnephin/config-fix-ports-grpc" This reverts commit `74fb650b6b`, reversing changes made to `58bd817336`.	3 years ago
Hans Hasselberg	13238dbab6	tls: consider presented intermediates during server connection tls handshake. (#10964 ) * use intermediates when verifying * extract connection state * remove useless import * add changelog entry * golint * better error * wording * collect errors * use SAN.DNSName instead of CommonName * Add test for unknown intermediate * improve changelog entry	3 years ago
Evan Culver	79c7e73618	rpc: authorize raft requests (#10925 )	3 years ago
Daniel Nephin	7d73fd7ae5	rename GRPC->XDS where appropriate	3 years ago
Daniel Nephin	dce59d9277	fix 64-bit aligment for 32-bit platforms sync/atomic must be used with 64-bit aligned fields, and that alignment is difficult to ensure unless the field is the first one in the struct. https://golang.org/pkg/sync/atomic/#pkg-note-BUG.	3 years ago
R.B. Boyer	a2876453a5	connect/ca: cease including the common name field in generated certs (#10424 ) As part of this change, we ensure that the SAN extensions are marked as critical when the subject is empty so that AWS PCA tolerates the loss of common names well and continues to function as a Connect CA provider. Parts of this currently hack around a bug in crypto/x509 and can be removed after https://go-review.googlesource.com/c/go/+/329129 lands in a Go release. Note: the AWS PCA tests do not run automatically, but the following passed locally for me: ENABLE_AWS_PCA_TESTS=1 go test ./agent/connect/ca -run TestAWS	3 years ago
Daniel Nephin	dc67042eac	Invert the logic of outgoingRPCTLSDisabled To remove the double negatives, which should make it easier to read.	3 years ago
Daniel Nephin	39f282c425	tlsutil: inline verifyIncomingHTTPS This function was only used in one place, and the indirection makes it slightly harder to see what the one caller is doing. Since it's only accesing a couple fields it seems like the logic can exist in the one caller.	3 years ago
Daniel Nephin	a25c817478	tlsutil: remove indirection and duplication VerifyIncomingRPC and verifyIncomingRPC were duplicate functions, and once one is removed, Config.verifyIncomingRPC is only called in one place. Remove 2 of the 3 functions to make the behaviour easier to follow (less indirection).	3 years ago
Daniel Nephin	13e5448c17	tlsutil: remove unnecessary getter functions These functions did nothing but hide the fields they were returning.	3 years ago
Daniel Nephin	66ba2e2463	tlsutil: unexport and remove indirection Unexport outgoingALPNRPCConfig since it is only used internally Remove the MutualTLSCapable->mutualTLSCapable indirection, we only need the exported method. Inline enableAgentTLSForChecks to make it more clear what it does, since it only has a single caller and is wrapping a single field lookup.	3 years ago
Daniel Nephin	d09027caf6	tlsutils: more test cases for OutgoingTLSConfigForCheck	3 years ago
Daniel Nephin	486b97e2c9	tlsutil: fix default server name for health checks Don't use the agent node name or agent server name when EnableAgentTLSForChecks=false.	3 years ago
Daniel Nephin	a920936c86	tlsutil: convert tests for OutgoingTLSConfigForCheck to a table In preparation for adding more test cases.	3 years ago
Daniel Nephin	2aad3f80fb	tlsutil: reduce interface provided to auto-config Replace two methods with a single one that returns the cert. This moves more of the logic into the single caller (auto-config). tlsutil.Configurator is widely used. By keeping it smaller and focused only on storing and returning TLS config, we make the code easier to follow. These two methods were more related to auto-config than to tlsutil, so reducing the interface moves the logic closer to the feature that requires it.	3 years ago
Daniel Nephin	1ba5acb284	tlsutil: un-ptr and document the manual struct	3 years ago
Daniel Nephin	6289b68247	tlsutil: document Configurator and some of its fields	3 years ago
Daniel Nephin	a4432bb0b4	tlsutil: un-ptr and add godoc to autoTLs struct the autoTLS field on Configurator is only set once. By making it a value receiver it should be allocated as a single block of memory along with Configurator. Also add godoc to document what it is used for.	3 years ago
Daniel Nephin	08cd772626	tlsutil: remove unused method Method was only used in tests, and an equivalent function alraedy exists.	3 years ago
Daniel Nephin	8d9d6c6a09	tlsutil: unexport two types These types are only used internally and should not be exported. Also remove some unnecessary function wrapping.	3 years ago
Daniel Nephin	bca33d818f	tlsutil: remove the RLock from log The log method only needed the lock because it accessed version. By using an atomic instead of a lock, we can remove the risk that the comments call out, making log safer to use. Also updates the log name to match the function names, and adds some comments about how the lock is used.	3 years ago
Daniel Nephin	bcf23cd1b4	tlsutil: Un-method Configurator.check The method receiver was never used. Also rename it and add a godoc comment.	3 years ago
Daniel Nephin	b3fa778d91	tlsutil: fix a panic UpdateAutoTLSCA would panic if either of the calls errored, because the read lock was being unlocked incorrectly.	3 years ago
Daniel Nephin	6f51984313	tlsutil: un-embed the RWMutex Embedded structs make code harder to navidate because an IDE can not show all uses of the methods of that field separate from other uses. Generally embedding of structs should only be used to satisfy an interface, and in this case the Configurator type does not need to implement the RWMutex interface.	3 years ago
Daniel Nephin	bbb9a73d9b	tlsutil: fix a test for go1.16 Using a TestSigner was causing problems because go1.16 has this change: > CreateCertificate now verifies the generated certificate's signature > using the signer's public key. If the signature is invalid, an error is > returned, instead of a malformed certificate. See https://golang.org/doc/go1.16#crypto/x509	4 years ago
Hans Hasselberg	53e9c134af	introduce certopts (#9606 ) * introduce cert opts * it should be using the same signer * lint and omit serial	4 years ago
Christopher Broglie	f0307c73e5	Add support for configuring TLS ServerName for health checks Some TLS servers require SNI, but the Golang HTTP client doesn't include it in the ClientHello when connecting to an IP address. This change adds a new TLSServerName field to health check definitions to optionally set it. This fixes #9473.	4 years ago
Daniel Nephin	f744e03c05	Fix main build failing An old PR (#7623) was merged after #9585. The old code was incompatible with the new changes, but none of the lines caused a git conflict so the merge was allowed. The incompatible changes caused the tests to fail. This fixes the old code to work with the new changes.	4 years ago
Hans Hasselberg	444cdeb8fb	Add flags to support CA generation for Connect (#9585 )	4 years ago
jsosulska	fe33527412	Add RSA Test case for generating CA Cert	4 years ago
jsosulska	3a1bbf93af	Reuse Connect.parseSigner.Adds change from #8898 Co-authored-by: Aliaksandr Mianzhynski <amenzhinsky@gmail.com>	4 years ago
William	e9630ea263	Add RSA Support to KeyID	4 years ago
William	c1d6505fe3	Add support for RSA private key to TLS utils. Co-authored-by: Thomas Detoux <detoux@gmail.com>	4 years ago
Mike Morris	7af643ac37	ci: update to Go 1.15.4 and alpine:3.12 (#9036 ) * ci: stop building darwin/386 binaries Go 1.15 drops support for 32-bit binaries on Darwin https://golang.org/doc/go1.15#darwin * tls: ConnectionState::NegotiatedProtocolIsMutual is deprecated in Go 1.15, this value is always true * correct error messages that changed slightly * Completely regenerate some TLS test data Co-authored-by: R.B. Boyer <rb@hashicorp.com>	4 years ago
Daniel Nephin	e9479175a4	tlsutil: remove unused UseTLS field	4 years ago
Tim Arenz	a1fe711390	Add support for -ca-path option in the connect envoy command (#8606 ) * Add support for -ca-path option in the connect envoy command * Adding changelog entry	4 years ago
Matt Keeler	dbb461a5d3	Allow setting verify_incoming* when using auto_encrypt or auto_config (#8394 ) Ensure that enabling AutoConfig sets the tls configurator properly This also refactors the TLS configurator a bit so the naming doesn’t imply only AutoEncrypt as the source of the automatically setup TLS cert info.	4 years ago

1 2

89 Commits (0a2344a944db27cf0f5566a55291c4aeec464c8b)