Posted to issues@servicecomb.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2018/09/15 07:20:00 UTC

[jira] [Commented] (SCB-912) rest client still verify peer host when verifyPeer flag set false

    [ https://issues.apache.org/jira/browse/SCB-912?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16615628#comment-16615628 ] 

ASF GitHub Bot commented on SCB-912:
------------------------------------

little-cui closed pull request #441: SCB-912 rest client still verify peer host when verifyPeer flag set false
URL: https://github.com/apache/incubator-servicecomb-service-center/pull/441
 
 
   

This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:

As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):

diff --git a/pkg/tlsutil/tlsutil.go b/pkg/tlsutil/tlsutil.go
index fcf444df..b520e2c8 100644
--- a/pkg/tlsutil/tlsutil.go
+++ b/pkg/tlsutil/tlsutil.go
@@ -152,7 +152,7 @@ func GetClientTLSConfig(opts ...SSLConfigOption) (tlsConfig *tls.Config, err err
 		RootCAs:            pool,
 		Certificates:       certs,
 		CipherSuites:       cfg.CipherSuites,
-		InsecureSkipVerify: !cfg.VerifyHostName,
+		InsecureSkipVerify: !cfg.VerifyPeer || !cfg.VerifyHostName,
 		MinVersion:         cfg.MinVersion,
 		MaxVersion:         cfg.MaxVersion,
 	}
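Review bot: The rewritten `InsecureSkipVerify` line turns off certificate chain verification, not just the hostname match, whenever `VerifyHostName` is false — `InsecureSkipVerify` in crypto/tls skips both checks, so for VerifyPeer=true/VerifyHostName=false the `RootCAs` pool assigned three lines above is never consulted, and the new test in tlsutil_test.go (expecting RootCAs != nil together with InsecureSkipVerify == true for that case) pins exactly that behaviour. If `VerifyHostName=false` is meant to skip only the SAN/hostname comparison while still trusting only `pool`, the usual approach is to keep `InsecureSkipVerify: true` for that case and add a `VerifyPeerCertificate` callback that verifies the presented chain against `pool` with no `DNSName`, as sketched below. Whether callers actually rely on chain-only verification is not visible here, but the option names suggest it. `GetClientTLSConfig` begins and ends outside this hunk.
```go
		InsecureSkipVerify: !cfg.VerifyPeer || !cfg.VerifyHostName,
		// … unchanged: MinVersion / MaxVersion …
	}
	if cfg.VerifyPeer && !cfg.VerifyHostName {
		// InsecureSkipVerify also disables chain verification; redo it here
		// against pool, omitting DNSName so only the hostname match is skipped.
		tlsConfig.VerifyPeerCertificate = func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			if len(rawCerts) == 0 {
				return errors.New("tls: no peer certificate presented")
			}
			leaf, err := x509.ParseCertificate(rawCerts[0])
			if err != nil {
				return err
			}
			inter := x509.NewCertPool()
			for _, raw := range rawCerts[1:] {
				c, err := x509.ParseCertificate(raw)
				if err != nil {
					return err
				}
				inter.AddCert(c)
			}
			_, err = leaf.Verify(x509.VerifyOptions{Roots: pool, Intermediates: inter})
			return err
		}
	}
```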
diff --git a/pkg/tlsutil/tlsutil_test.go b/pkg/tlsutil/tlsutil_test.go
index eaa8f729..a1c88a65 100644
--- a/pkg/tlsutil/tlsutil_test.go
+++ b/pkg/tlsutil/tlsutil_test.go
@@ -112,4 +112,39 @@ func TestGetClientTLSConfig(t *testing.T) {
 	if clientTLSConfig.InsecureSkipVerify != true {
 		t.Fatalf("GetClientTLSConfig failed")
 	}
+
+	// verify peer and peer host
+	opts = append(opts,
+		WithVerifyPeer(false),
+		WithVerifyHostName(true),
+	)
+	clientTLSConfig, err = GetClientTLSConfig(opts...)
+	if err != nil {
+		t.Fatalf("GetClientTLSConfig failed")
+	}
+	if clientTLSConfig.RootCAs != nil || !clientTLSConfig.InsecureSkipVerify {
+		t.Fatalf("GetClientTLSConfig failed")
+	}
+	opts = append(opts,
+		WithVerifyPeer(true),
+		WithVerifyHostName(false),
+	)
+	clientTLSConfig, err = GetClientTLSConfig(opts...)
+	if err != nil {
+		t.Fatalf("GetClientTLSConfig failed")
+	}
+	if clientTLSConfig.RootCAs == nil || !clientTLSConfig.InsecureSkipVerify {
+		t.Fatalf("GetClientTLSConfig failed")
+	}
+	opts = append(opts,
+		WithVerifyPeer(true),
+		WithVerifyHostName(true),
+	)
+	clientTLSConfig, err = GetClientTLSConfig(opts...)
+	if err != nil {
+		t.Fatalf("GetClientTLSConfig failed")
+	}
+	if clientTLSConfig.RootCAs == nil || clientTLSConfig.InsecureSkipVerify {
+		t.Fatalf("GetClientTLSConfig failed")
+	}
 }
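Review bot: Every added case fails with the same `GetClientTLSConfig failed` message, so a regression in one of the three VerifyPeer/VerifyHostName combinations cannot be told apart from another; name the case and the observed fields, e.g. `t.Fatalf("VerifyPeer=true VerifyHostName=false: RootCAs set=%v InsecureSkipVerify=%v", clientTLSConfig.RootCAs != nil, clientTLSConfig.InsecureSkipVerify)`. The comment `// verify peer and peer host` does not say what the three blocks establish; `// VerifyPeer/VerifyHostName combinations: only true/true leaves InsecureSkipVerify false` would. The cases keep appending to `opts`, so each one relies on later options overriding earlier ones — presumably how the `With*` option functions behave, but worth confirming since an earlier `WithVerifyPeer(false)` stays in the slice. `TestGetClientTLSConfig` begins outside this hunk.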
diff --git a/scctl/pkg/cmd/cmd.go b/scctl/pkg/cmd/cmd.go
index e015d3df..55e6dfc6 100644
--- a/scctl/pkg/cmd/cmd.go
+++ b/scctl/pkg/cmd/cmd.go
@@ -22,7 +22,6 @@ import (
 	"github.com/apache/incubator-servicecomb-service-center/scctl/pkg/version"
 	"github.com/spf13/cobra"
 	"os"
-	"path/filepath"
 )
 
 const (
@@ -52,18 +51,14 @@ func init() {
 
 	rootCmd.PersistentFlags().BoolVarP(&sc.VerifyPeer, "peer", "p", false,
 		"verify service center certificates.")
-	rootCmd.PersistentFlags().StringVar(&sc.CertPath, "cert",
-		filepath.Join(util.GetEnvString("SSL_ROOT", "."), "server.cer"),
-		"the certificate file path to access service center, can be overrode by $SSL_ROOT/server.cer.")
-	rootCmd.PersistentFlags().StringVar(&sc.KeyPath, "key",
-		filepath.Join(util.GetEnvString("SSL_ROOT", "."), "server_key.pem"),
-		"the key file path to access service center, can be overrode by $SSL_ROOT/server_key.pem.")
-	rootCmd.PersistentFlags().StringVar(&sc.CAPath, "ca",
-		filepath.Join(util.GetEnvString("SSL_ROOT", "."), "trust.cer"),
-		"the CA file path  to access service center, can be overrode by $SSL_ROOT/trust.cer.")
-	rootCmd.PersistentFlags().StringVar(&sc.KeyPassPath, "pass-file",
-		filepath.Join(util.GetEnvString("SSL_ROOT", "."), "cert_pwd"),
-		"the passphase file path to decrypt key file, can be overrode by $SSL_ROOT/cert_pwd.")
+	rootCmd.PersistentFlags().StringVar(&sc.CertPath, "cert", "",
+		"the certificate file path to access service center.")
+	rootCmd.PersistentFlags().StringVar(&sc.KeyPath, "key", "",
+		"the key file path to access service center.")
+	rootCmd.PersistentFlags().StringVar(&sc.CAPath, "ca", "",
+		"the CA file path  to access service center.")
+	rootCmd.PersistentFlags().StringVar(&sc.KeyPassPath, "pass-file", "",
+		"the passphase file path to decrypt key file.")
 	rootCmd.PersistentFlags().StringVar(&sc.KeyPass, "pass", "",
 		"the passphase string to decrypt key file.")
 }
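Review bot: The rewritten help strings carry over two wording defects: `"the CA file path  to access service center."` has a double space, and `"the passphase file path to decrypt key file."` (like the existing `--pass` text on the following line) misspells passphrase; `"the CA file path to access service center."` and `"the passphrase file path to decrypt key file."` fix both. With the `$SSL_ROOT` defaults dropped, the four path flags now default to empty, and nothing in this hunk says what happens when `--peer` is given without `--ca`; if an empty CA path is an error or falls back elsewhere, the `--ca` help text should say so. `init` begins outside this hunk.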


 



> rest client still verify peer host when verifyPeer flag set false
> -----------------------------------------------------------------
>
>                 Key: SCB-912
>                 URL: https://issues.apache.org/jira/browse/SCB-912
>             Project: Apache ServiceComb
>          Issue Type: Bug
>          Components: Service-Center
>            Reporter: little-cui
>            Assignee: little-cui
>            Priority: Major
>             Fix For: service-center-1.1.0
>
>



