tlsutil: Fix check TLS configuration#17481
Conversation
github-actions
bot
added
theme/certificates
|
@blake, this PR has been open for a while. Is there someone in particular that I should ping to get a reviewer assigned? |
trujillo-adam
left a comment
trujillo-adam
left a comment
There was a problem hiding this comment.
Sorry for the long delay on reviewing the docs. I made a suggestion and am pre-approving so that you are not blocked.
website/content/docs/services/configuration/checks-configuration-reference.mdx
Outdated
Show resolved
Hide resolved
|
Thanks @beautifulentropy this change makes sense. This change likely will need to go into a future minor release on Consul instead of a patch release since it is a breaking change. |
This is exactly what I figured. It's a super small change with a fairly big blast radius for folks who aren't presently using |
…on-reference.mdx Co-authored-by: trujillo-adam <[email protected]>
david-yu
left a comment
david-yu
left a comment
There was a problem hiding this comment.
LGTM but we'll need someone from Eng to also take a pass and review this as well. This will likely land in 1.17.0
david-yu
requested review from
a team,
hc-github-team-consul-core and
xwa153
and removed request for
a team and
hc-github-team-consul-core
|
@beautifulentropy Thanks for putting things together! I left very small comments but nothing is blocking. Approved. |
website/content/docs/services/configuration/checks-configuration-reference.mdx
Outdated
Show resolved
Hide resolved
|
Could you also add a Line 2 in 08c5048 |
|
Thanks for the comments, I'll take a look at this tomorrow. |
|
Thank for your patience, yesterday was a pretty packed day. I believe I've addressed all outstanding comments. Let me know if I've missed anything. |
|
Thanks @beautifulentropy. We reviewed the PR and it looks great. Will go ahead and merge. This will be introduced in Consul 1.17.0 as a breaking change. Thank you. |
Description
Since the introduction of #5394, the
OutgoingTLSConfigForCheckmethod oftlsutil.Configuratorhas been setting the ServerName field of TLS configurations used for executing health checks to the Consul node or server name by default.According to the crypto/tls documentation:
Unless the
check.tls_server_nameindicates otherwise, it is generally better to leave theServerNamefield empty. The crypto/tls client will infer the ServerName for SNI from the check address, unless it's an IP (as per RFC 6066, Section 3). There are two common situations where specifying this field can be beneficial:When the check address is an IP,
tls_server_namecan be specified for SNI. Note: settingtls_server_namewill also override the hostname used to verify the certificate presented by the server being checked.When the hostname in the check address won't be present in the SAN (Subject Alternative Name) field of the certificate presented by the server being checked. Note: setting
tls_server_namewill also override the hostname used for SNI.This PR also updates the documentation for
tls_server_nameandtls_skip_verifyto indicate that both fields can be used for H2Ping and gRPC checks, not just HTTP and provides a slightly slimmed down version of the above circumstances fortls_server_name.Testing & Reproduction steps
I encountered this issue while drafting letsencrypt/boulder#6908. After experiencing certificate validation failures due the Consul node name failing to be present in the SAN field of certificate of the component being health checked, we dug into the Consul code and diagnosed the issue above.
Links
Substantiating my claim that crypto/tls client will infer the ServerName based on the address being dialed: link
PR Checklist