Question: Is it possible to use self-signed certs but NOT use InsecureSkipVerify with rafthttp

[robin865]

Background:

I have nodes with self-signed certs, and am testing setting up a raft cluster. If I want to use TLS, and use my own custom http clients I can get this to work by doing the following for the client TLSClientConfig:

1. Set the RootCAs to include my root CA, include the sender's cert in "Certificates", and then set the "ServerName" value to be equivalent to the "CN" used for the destinations self signed cert (this destination CN is not the actual host name, but something else related to the server).

Ie. Node111 and Node222. Sending from Node111 to Node222; I can set the ServerName to '222' and this will all client cert verification to work. (again, 222 is NOT the host name)

However, in rafthttp; the only reference to self signed certs is the option that sets InsecureSkipVerify to true (which I don't want to do). But there doesn't seem to be a way to customize per-client/per-peer TLS. The only control I get is constructing the TLSInfo object.

So my question is; is there a way to get around this? Essentially I need a way to customize the TLS config based on the peer being communicated to.

[gyuho]

@Rsm10 How do you construct your TLSInfo? Do you use transport.SelfCert https://github.com/coreos/etcd/blob/master/pkg/transport/listener.go#L89?

[robin865]

I can get it to work when I use transport.SelfCert; but then it won't do hostname verification (which I want).

[robin865]

Ok, let me re-phrase. A bit new to http authentication. Using "SelfCert" will disable hostname verification (by setting InsecureSkipVerify=true). But it will still authenticate using the provided cert.pem and key.pem correct?

[gyuho]

I am not sure how you use pkg/transport and rafthttp, but I would try call func (info TLSInfo) ClientConfig() from SelfCert, and try overwriting ServerName field in tls.Config as you wish.

[gyuho]

Using "SelfCert" will disable hostname verification (by setting InsecureSkipVerify=true).

Yes, as in the code above.

Certs will still be verified when no hostname is provided, but they won't be checked against any hostname.

[robin865]

So InsecureSkipVerify still verifies the tls certs? Is InsecureSkipVerify equivalent to "skip hostname verification" or does it skip other steps as well? I guess what I really want is just the ability to skip hostname verification.

[gyuho]

I meant, you still need valid certs for encryption. But InsecureSkipVerify will skip host name checks.

[robin865]

    // InsecureSkipVerify controls whether a client verifies the
    // server's certificate chain and host name.
    // If InsecureSkipVerify is true, TLS accepts any certificate
    // presented by the server and any host name in that certificate.
    // In this mode, TLS is susceptible to man-in-the-middle attacks.
    // This should be used only for testing.

So my client and server have a common CA, and I still want to verify that the certs used are signed by this CA; just not do the host name check. Doing a bit of testing seems like when InsecureSkipVerify is true, this is NOT done.

Ex: I replaced certs on one of my servers with certs not signed by my common CA; but everything still works.

This is my tslInfo:

tlsInfo, err := transport.SelfCert("/usr/local/certs/", []string{})
if err != nil {
	logWarning(fmt.Sprintf("failed to get SelfCert %v", err))
}
tlsInfo.CAFile = "/usr/local/certs/cacert.pem"
tlsInfo.ClientCertAuth = true

[robin865]

Looking a bit deeper into the go crypto library, what I really want to be able to do is leave ServerName empty but also have InsecureSkipVerify set to false. At a higher level, this seems to be prevented (empty ServerName gets set to the host) but when I look in "crypto/x509/verify.go"; it seems like this would do exactly what I want: Skip the "VerifyHostname" check but do the rest of the validation (ServerName is translated into the DNSName config option).

[gyuho]

what I really want to be able to do is leave ServerName empty but also have InsecureSkipVerify set to false.

You can't. See golang/go@fca335e.

[robin865]

OK thanks. Filed a new feature request to add support for this. We can close this thread.

golang/go#21971

[robin865]

Just a note that the change we'd need to support my initial ask would be to expose setting "VerifyPeerCertificate" directly in TLSInfo and propagate it to the tls.Config struct.

As per a comment on my feature request (golang/go#21971):

"You can currently do this by using VerifyPeerCertificate and (*Certificate).Verify (and remembering to put the remaining rawCerts into VerifyOptions.Intermediates).

https://github.com/golang/go/blob/39e523792e33a0bd9217161ca53c6c0cb2324a99/src/crypto/tls/handshake_client.go#L315-L344"

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed after 21 days if no further activity occurs. Thank you for your contributions.

[NikolayUvarov]

I've got same problem. I need a way to use self-signed serts, because thay are intended to use in closed network without internet.