Multiple CN support for TLS connections #5134

Closed
Tema opened this issue Jun 8, 2022 · 2 comments · Fixed by #8518

Tema commented Jun 8, 2022

Bug Report

I want to use different CNs for clients and TiKV nodes, but pd-server fails to start up if I specify more than one. I don't use the TiDB layer, and my clients run on a completely separate fleet and use completely separate certificates, so it just does not make sense to have the same CN.

What did you do?

Specify multiple values under:

[security]
## A CN which must be provided by a client
cert-allowed-cn = ["TiKV", "Client"]

as PD config accepts multiple values under security.cert-allowed-cn:

pd/conf/config.toml

Lines 34 to 35 in af174e6

## A CN which must be provided by a client
# cert-allowed-cn = ["example.com"]

What did you expect to see?

pd-server starts up and a client with a different CN could connect to it.

What did you see instead?

pd-server fails to start up due to this check:

// GetOneAllowedCN only gets the first one CN.
func (s TLSConfig) GetOneAllowedCN() (string, error) {
	switch len(s.CertAllowedCN) {
	case 1:
		return s.CertAllowedCN[0], nil
	case 0:
		return "", nil
	default:
		return "", errs.ErrSecurityConfig.FastGenByArgs("only supports one CN")
	}
}

What version of PD are you using (pd-server -V)?

5.4, but the latest master has the same issue

@Tema Tema added the type/bug The issue is confirmed as a bug. label Jun 8, 2022
@nolouch nolouch added type/feature-request Categorizes issue or PR as related to a new feature. help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. labels Jun 9, 2022

nolouch commented Jun 9, 2022

/assign @nolouch

@lhy1024 lhy1024 self-assigned this Jul 30, 2024
ti-chi-bot bot pushed a commit that referenced this issue Aug 15, 2024
@ti-chi-bot ti-chi-bot bot closed this as completed in #8518 Sep 4, 2024
@ti-chi-bot ti-chi-bot bot closed this as completed in 52a53c9 Sep 4, 2024
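
The behaviour requested in this issue, sketched in Go as an added example; it is not PD's code and not the change merged in #8518. The names verifyAllowedCN, serverTLS and chainFor are hypothetical, and treating an empty list as "no CN restriction" is an assumption.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

// verifyAllowedCN (hypothetical helper, not PD's API) accepts a peer whose leaf
// certificate CN equals any entry in allowed; assumed: empty list = no CN check.
func verifyAllowedCN(allowed []string) func([][]byte, [][]*x509.Certificate) error {
	return func(_ [][]byte, chains [][]*x509.Certificate) error {
		if len(allowed) == 0 {
			return nil
		}
		// chains holds only chains that already validated against ClientCAs.
		for _, chain := range chains {
			for _, cn := range allowed {
				if len(chain) > 0 && chain[0].Subject.CommonName == cn {
					return nil
				}
			}
		}
		return fmt.Errorf("peer certificate CN not in allowed list %q", allowed)
	}
}

// serverTLS wires the check into mutual TLS. Go skips VerifyPeerCertificate on
// resumed sessions, so session tickets are disabled.
func serverTLS(clientCAs *x509.CertPool, allowed []string) *tls.Config {
	return &tls.Config{
		ClientAuth:             tls.RequireAndVerifyClientCert,
		ClientCAs:              clientCAs,
		SessionTicketsDisabled: true,
		VerifyPeerCertificate:  verifyAllowedCN(allowed),
	}
}

// chainFor builds a constructed one-certificate chain for the demo below.
func chainFor(cn string) [][]*x509.Certificate {
	return [][]*x509.Certificate{{{Subject: pkix.Name{CommonName: cn}}}}
}

func main() {
	check := verifyAllowedCN([]string{"TiKV", "Client"})
	for _, cn := range []string{"TiKV", "Client", "Other"} {
		fmt.Printf("%-6s -> %v\n", cn, check(nil, chainFor(cn)))
	}
}
```

The comparison is an exact, case-sensitive string match on the leaf certificate's CN, so the allow-list entries must match the issued certificates character for character.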