auth: respect default tls.verify_server_hostname=false
#19425
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
In Nomad 1.7.0, we refactored much of the authentication code to eliminate nil ACLs and create "virtual" ACL objects that can be used to reduce the risk of fail-open security bugs. In doing so, we accidentally dropped support for the default `tls.verify_server_hostname=false` option. Fix the bug by including the field in the set of conditions we check for the TLS argument we pass into the constructor (this keeps "policy" separate from "mechanism" in the auth code and reduces the number of dimensions we need to test). Change the field name in the Authenticator to better match the intent.
tgross
force-pushed
the
b-tls-verify-server-hostname-fail-closed
branch
from
ac11340 to
3b029d1
Compare
|
I'm going to do some quick end-to-end testing of this as well. Will post results here. |
|
I've been able to reproduce the failure described in #19405 for servers and test the fix in this patch:
The error message shown for clients here I was not able to reproduce exactly, but I know from working on the unit tests for the big auth refactor that the error message can actually vary slightly depending on timing and whether you get the EOF before the "permission denied" error gets written (we had to account for this in the tests). After the patch, everything seems to work fine. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
In Nomad 1.7.0, we refactored much of the authentication code to eliminate nil ACLs and create "virtual" ACL objects that can be used to reduce the risk of fail-open security bugs. In doing so, we accidentally dropped support for the default
tls.verify_server_hostname=falseoption.Fix the bug by including the field in the set of conditions we check for the TLS argument we pass into the constructor (this keeps "policy" separate from "mechanism" in the auth code and reduces the number of dimensions we need to test). Change the field name in the Authenticator to better match the intent.
Fixes: #19405