
*: fix TLS cases #128

Merged
merged 3 commits into from
Nov 2, 2022

Conversation

Collaborator
@xhebox xhebox commented Nov 2, 2022

Signed-off-by: xhe xw897002528@gmail.com

What problem does this PR solve?

Issue Number: close None

Problem Summary: If the server enables TLS, but we don't have certs to complete the TLS handshake, there is a panic.

What is changed and how it works:

  1. check backendTLSConfig
  2. check GetClientCertificate

Check List

Tests

  • Unit test
  • Integration test
  • Manual test (add detailed scripts or steps below)
  • No code

Notable changes

  • Has configuration change
  • Has HTTP API interfaces change (Don't forget to add the declarative for API)
  • Has tiproxyctl change
  • Other user behavior changes

Release note

Please refer to Release Notes Language Style Guide to write a quality release note.

None

Signed-off-by: xhe <xw897002528@gmail.com>
@xhebox xhebox requested a review from djshow832 November 2, 2022 03:53
Signed-off-by: xhe <xw897002528@gmail.com>
Signed-off-by: xhe <xw897002528@gmail.com>
@@ -124,7 +126,12 @@ func (ci *certInfo) customizeTLSConfig(tlsConfig *tls.Config) *tls.Config {
}
} else {
tlsConfig.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
return ci.getCertificate(), nil
cert := ci.getCertificate()
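Review bot: the removed line `return ci.getCertificate(), nil` forwards whatever getCertificate yields, and Go's tls.Config documents that GetClientCertificate must return a non-nil *tls.Certificate; crypto/tls dereferences the pointer when it builds the client's Certificate message, which is the panic this PR describes. Binding the result to `cert := ci.getCertificate()` is the right first step, but the nil check on cert needs to follow immediately in this closure rather than being pushed into getCertificate, because the server-side GetCertificate callback is allowed to return nil and relies on that.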
Collaborator
Why not return the emptyCert in the getCertificate? It will also work when ci.isServer==true.

Collaborator Author

@xhebox xhebox Nov 2, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

GetCertificate and GetClientCertificate have different requirements. I mean GetCertificate should return nil. Moreover, on the server-side tls config, it is promised to be nil if certs are nil.

@@ -124,7 +126,12 @@ func (ci *certInfo) customizeTLSConfig(tlsConfig *tls.Config) *tls.Config {
}
} else {
tlsConfig.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
return ci.getCertificate(), nil
cert := ci.getCertificate()
if cert == nil {
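Review bot: `if cert == nil {` is the guard this closure needs, but the rendered snippet ends before the branch body; the fallback must be `&tls.Certificate{}, nil` (crypto/tls treats an empty certificate chain as "send no client certificate") and not `nil, nil`, which would reproduce the original panic. A one-line comment stating that this differs from the server-side GetCertificate, where nil is allowed and means "fall back to tls.Config.Certificates", would keep the two callbacks from being unified again later. Since GetClientCertificate is only invoked when the server sends a CertificateRequest, a test for this branch should dial a listener whose ClientAuth is tls.RequestClientCert; a server that does not request a certificate never exercises it.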
Collaborator
When is cert == nil? If the tlsConfig is nil, it won't come here. If the tlsConfig is not nil, can cert be nil?

Collaborator Author

@xhebox xhebox Nov 2, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A tls config with only a CA, or even without a CA (insecureSkipVerify). This is client-only behavior.
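The failure mode discussed in this thread (a client-side TLS config with a CA but no client certificate, against a server that requests one), as an added example that is neither TiProxy's code nor this PR's diff. fixedClientCert mirrors the shape of the fix, brokenClientCert the pre-fix behaviour; selfSignedServer, tryHandshake and must are helper names chosen for this example, and the server certificate is generated in-process for 127.0.0.1 so the program runs offline:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// fixedClientCert follows the shape of the fix: with no client certificate configured it
// returns an empty tls.Certificate (an empty chain means "send none") rather than nil,
// which crypto/tls documents GetClientCertificate must never return.
func fixedClientCert(get func() *tls.Certificate) func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
	return func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
		cert := get()
		if cert == nil {
			return &tls.Certificate{}, nil
		}
		return cert, nil
	}
}

// brokenClientCert is the pre-fix shape: a nil certificate from the getter goes straight
// to crypto/tls, which dereferences it while building the Certificate message.
func brokenClientCert(get func() *tls.Certificate) func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
	return func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
		return get(), nil
	}
}

func must(err error) { // fixture errors only; the fixture is not the code under test
	if err != nil {
		panic(err)
	}
}

// selfSignedServer creates a throwaway self-signed ECDSA certificate for 127.0.0.1 (constructed
// in-process) and listens with ClientAuth=RequestClientCert, so GetClientCertificate actually runs.
func selfSignedServer() (addr string, roots *x509.CertPool, stop func()) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	leaf, err := x509.ParseCertificate(der)
	must(err)
	roots = x509.NewCertPool()
	roots.AddCert(leaf)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}},
		ClientAuth:   tls.RequestClientCert, // request, but do not require, a client cert
	})
	must(err)
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c net.Conn) { defer c.Close(); _ = c.(*tls.Conn).Handshake() }(c)
		}
	}()
	return ln.Addr().String(), roots, func() { ln.Close() }
}

// tryHandshake dials with a CA-only client config (it can verify the server but has no
// certificate to present) and reports whether crypto/tls panicked, recovered here.
func tryHandshake(addr string, roots *x509.CertPool, cb func(*tls.CertificateRequestInfo) (*tls.Certificate, error)) (panicked bool, err error) {
	defer func() { panicked = recover() != nil }()
	conn, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: roots, GetClientCertificate: cb})
	if err == nil {
		conn.Close()
	}
	return false, err
}

func main() {
	addr, roots, stop := selfSignedServer()
	defer stop()
	noCert := func() *tls.Certificate { return nil } // backend TLS config with only a CA
	p, e := tryHandshake(addr, roots, brokenClientCert(noCert))
	fmt.Println("broken: panicked =", p, "err =", e)
	p, e = tryHandshake(addr, roots, fixedClientCert(noCert))
	fmt.Println("fixed:  panicked =", p, "err =", e)
}
```

Two caveats worth keeping in mind: the empty certificate only completes the handshake because the server merely requests a client certificate; with tls.RequireAndVerifyClientCert the server answers with an alert and the client sees a handshake error rather than a panic. And the asymmetry raised in the discussion is real: for the server-side GetCertificate callback, crypto/tls documents that a nil return falls back to NameToCertificate and then Certificates, so the nil check belongs in the client-side closure, not in a shared getter.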

@djshow832 djshow832 merged commit 73255cd into pingcap:main Nov 2, 2022
xhebox added a commit to xhebox/TiProxy that referenced this pull request Mar 7, 2023
xhebox added a commit to xhebox/TiProxy that referenced this pull request Mar 13, 2023
Labels
None yet
Projects
None yet
2 participants