diff --git a/CHANGELOG-3.2.md b/CHANGELOG-3.2.md index bc032792d9c..adb4b21c1af 100644 --- a/CHANGELOG-3.2.md +++ b/CHANGELOG-3.2.md @@ -11,7 +11,10 @@ See [code changes](https://github.com/coreos/etcd/compare/v3.2.18...v3.2.19) and ### Security, Authentication -- Fix [TLS reload](TODO) when [cert SAN field only contains IP addresses](https://github.com/coreos/etcd/issues/9541). +- Fix [TLS reload](https://github.com/coreos/etcd/pull/9570) when [certificate SAN field only includes IP addresses but no domain names](https://github.com/coreos/etcd/issues/9541). + - In Go, server calls `(*tls.Config).GetCertificate` for TLS reload if and only if server's `(*tls.Config).Certificates` field is not empty, or `(*tls.ClientHelloInfo).ServerName` is not empty with a valid SNI from the client. Previously, etcd always populates `(*tls.Config).Certificates` on the initial client TLS handshake, as non-empty. Thus, client was always expected to supply a matching SNI in order to pass the TLS verification and to trigger `(*tls.Config).GetCertificate` to reload TLS assets. + - However, a certificate whose SAN field does [not include any domain names but only IP addresses](https://github.com/coreos/etcd/issues/9541) would request `*tls.ClientHelloInfo` with an empty `ServerName` field, thus failing to trigger the TLS reload on initial TLS handshake; this becomes a problem when expired certificates need to be replaced online. + - Now, `(*tls.Config).Certificates` is created empty on initial TLS client handshake, first to trigger `(*tls.Config).GetCertificate`, and then to populate rest of the certificates on every new TLS connection, even when client SNI is empty (e.g. cert only includes IPs). ## [v3.2.18](https://github.com/coreos/etcd/releases/tag/v3.2.18) (2018-03-29) diff --git a/CHANGELOG-3.3.md b/CHANGELOG-3.3.md index 05d3f1496d3..9764da5478c 100644 --- a/CHANGELOG-3.3.md +++ b/CHANGELOG-3.3.md @@ -11,7 +11,10 @@ See [code changes](https://github.com/coreos/etcd/compare/v3.3.3...v3.3.4) and [ ### Security, Authentication -- Fix [TLS reload](TODO) when [cert SAN field only contains IP addresses](https://github.com/coreos/etcd/issues/9541). +- Fix [TLS reload](https://github.com/coreos/etcd/pull/9570) when [certificate SAN field only includes IP addresses but no domain names](https://github.com/coreos/etcd/issues/9541). + - In Go, server calls `(*tls.Config).GetCertificate` for TLS reload if and only if server's `(*tls.Config).Certificates` field is not empty, or `(*tls.ClientHelloInfo).ServerName` is not empty with a valid SNI from the client. Previously, etcd always populates `(*tls.Config).Certificates` on the initial client TLS handshake, as non-empty. Thus, client was always expected to supply a matching SNI in order to pass the TLS verification and to trigger `(*tls.Config).GetCertificate` to reload TLS assets. + - However, a certificate whose SAN field does [not include any domain names but only IP addresses](https://github.com/coreos/etcd/issues/9541) would request `*tls.ClientHelloInfo` with an empty `ServerName` field, thus failing to trigger the TLS reload on initial TLS handshake; this becomes a problem when expired certificates need to be replaced online. + - Now, `(*tls.Config).Certificates` is created empty on initial TLS client handshake, first to trigger `(*tls.Config).GetCertificate`, and then to populate rest of the certificates on every new TLS connection, even when client SNI is empty (e.g. cert only includes IPs). ## [v3.3.3](https://github.com/coreos/etcd/releases/tag/v3.3.3) (2018-03-29) diff --git a/CHANGELOG-3.4.md b/CHANGELOG-3.4.md index 476d24b961c..55bfe7d05dd 100644 --- a/CHANGELOG-3.4.md +++ b/CHANGELOG-3.4.md @@ -103,7 +103,10 @@ See [security doc](https://github.com/coreos/etcd/blob/master/Documentation/op-g - Support [`ttl` field for `etcd` Authentication JWT token](https://github.com/coreos/etcd/pull/8302). - e.g. `etcd --auth-token jwt,pub-key=,priv-key=,sign-method=,ttl=5m`. - Allow empty token provider in [`etcdserver.ServerConfig.AuthToken`](https://github.com/coreos/etcd/pull/9369). -- Fix [TLS reload](TODO) when [cert SAN field only contains IP addresses](https://github.com/coreos/etcd/issues/9541). +- Fix [TLS reload](https://github.com/coreos/etcd/pull/9570) when [certificate SAN field only includes IP addresses but no domain names](https://github.com/coreos/etcd/issues/9541). + - In Go, server calls `(*tls.Config).GetCertificate` for TLS reload if and only if server's `(*tls.Config).Certificates` field is not empty, or `(*tls.ClientHelloInfo).ServerName` is not empty with a valid SNI from the client. Previously, etcd always populates `(*tls.Config).Certificates` on the initial client TLS handshake, as non-empty. Thus, client was always expected to supply a matching SNI in order to pass the TLS verification and to trigger `(*tls.Config).GetCertificate` to reload TLS assets. + - However, a certificate whose SAN field does [not include any domain names but only IP addresses](https://github.com/coreos/etcd/issues/9541) would request `*tls.ClientHelloInfo` with an empty `ServerName` field, thus failing to trigger the TLS reload on initial TLS handshake; this becomes a problem when expired certificates need to be replaced online. + - Now, `(*tls.Config).Certificates` is created empty on initial TLS client handshake, first to trigger `(*tls.Config).GetCertificate`, and then to populate rest of the certificates on every new TLS connection, even when client SNI is empty (e.g. cert only includes IPs). ### Added: `etcd` diff --git a/Documentation/op-guide/security.md b/Documentation/op-guide/security.md index 38a0ace2f8a..582fd1a6b48 100644 --- a/Documentation/op-guide/security.md +++ b/Documentation/op-guide/security.md @@ -321,6 +321,22 @@ I | embed: serving client requests on 127.0.0.1:22379 I | embed: serving client requests on 127.0.0.1:2379 ``` +[v3.2.19](https://github.com/coreos/etcd/blob/master/CHANGELOG-3.2.md) and [v3.3.4](https://github.com/coreos/etcd/blob/master/CHANGELOG-3.3.md) fixes TLS reload when [certificate SAN field only includes IP addresses but no domain names](https://github.com/coreos/etcd/issues/9541). For example, a member is set up with CSRs (with `cfssl`) as below: + +```json +{ + "CN": "etcd.local", + "hosts": [ + "127.0.0.1" + ], +``` + +In Go, server calls `(*tls.Config).GetCertificate` for TLS reload if and only if server's `(*tls.Config).Certificates` field is not empty, or `(*tls.ClientHelloInfo).ServerName` is not empty with a valid SNI from the client. Previously, etcd always populates `(*tls.Config).Certificates` on the initial client TLS handshake, as non-empty. Thus, client was always expected to supply a matching SNI in order to pass the TLS verification and to trigger `(*tls.Config).GetCertificate` to reload TLS assets. + +However, a certificate whose SAN field does [not include any domain names but only IP addresses](https://github.com/coreos/etcd/issues/9541) would request `*tls.ClientHelloInfo` with an empty `ServerName` field, thus failing to trigger the TLS reload on initial TLS handshake; this becomes a problem when expired certificates need to be replaced online. + +Now, `(*tls.Config).Certificates` is created empty on initial TLS client handshake, first to trigger `(*tls.Config).GetCertificate`, and then to populate rest of the certificates on every new TLS connection, even when client SNI is empty (e.g. cert only includes IPs). + ## Notes for Host Whitelist `etcd --host-whitelist` flag specifies acceptable hostnames from HTTP client requests. Client origin policy protects against ["DNS Rebinding"](https://en.wikipedia.org/wiki/DNS_rebinding) attacks to insecure etcd servers. That is, any website can simply create an authorized DNS name, and direct DNS to `"localhost"` (or any other address). Then, all HTTP endpoints of etcd server listening on `"localhost"` becomes accessible, thus vulnerable to DNS rebinding attacks. See [CVE-2018-5702](https://bugs.chromium.org/p/project-zero/issues/detail?id=1447#c2) for more detail. diff --git a/integration/cluster.go b/integration/cluster.go index eaee0e8ccd9..38b140eb073 100644 --- a/integration/cluster.go +++ b/integration/cluster.go @@ -46,6 +46,7 @@ import ( "github.com/coreos/etcd/etcdserver/api/v3rpc" pb "github.com/coreos/etcd/etcdserver/etcdserverpb" "github.com/coreos/etcd/pkg/testutil" + "github.com/coreos/etcd/pkg/tlsutil" "github.com/coreos/etcd/pkg/transport" "github.com/coreos/etcd/pkg/types" "github.com/coreos/etcd/rafthttp" @@ -83,6 +84,13 @@ var ( ClientCertAuth: true, } + testTLSInfoIP = transport.TLSInfo{ + KeyFile: "./fixtures/server-ip.key.insecure", + CertFile: "./fixtures/server-ip.crt", + TrustedCAFile: "./fixtures/ca.crt", + ClientCertAuth: true, + } + testTLSInfoExpired = transport.TLSInfo{ KeyFile: "./fixtures-expired/server.key.insecure", CertFile: "./fixtures-expired/server.crt", @@ -90,6 +98,13 @@ var ( ClientCertAuth: true, } + testTLSInfoExpiredIP = transport.TLSInfo{ + KeyFile: "./fixtures-expired/server-ip.key.insecure", + CertFile: "./fixtures-expired/server-ip.crt", + TrustedCAFile: "./fixtures-expired/ca.crt", + ClientCertAuth: true, + } + plog = capnslog.NewPackageLogger("github.com/coreos/etcd", "integration") ) @@ -110,6 +125,9 @@ type ClusterConfig struct { ClientMaxCallSendMsgSize int ClientMaxCallRecvMsgSize int + + // UseIP is true to use only IP for gRPC requests. + UseIP bool } type cluster struct { @@ -248,6 +266,7 @@ func (c *cluster) mustNewMember(t *testing.T) *member { grpcKeepAliveTimeout: c.cfg.GRPCKeepAliveTimeout, clientMaxCallSendMsgSize: c.cfg.ClientMaxCallSendMsgSize, clientMaxCallRecvMsgSize: c.cfg.ClientMaxCallRecvMsgSize, + useIP: c.cfg.UseIP, }) m.DiscoveryURL = c.cfg.DiscoveryURL if c.cfg.UseGRPC { @@ -511,6 +530,7 @@ type member struct { keepDataDirTerminate bool clientMaxCallSendMsgSize int clientMaxCallRecvMsgSize int + useIP bool } func (m *member) GRPCAddr() string { return m.grpcAddr } @@ -527,6 +547,7 @@ type memberConfig struct { grpcKeepAliveTimeout time.Duration clientMaxCallSendMsgSize int clientMaxCallRecvMsgSize int + useIP bool } // mustNewMember return an inited member with the given name. If peerTLS is @@ -600,6 +621,7 @@ func mustNewMember(t *testing.T, mcfg memberConfig) *member { } m.clientMaxCallSendMsgSize = mcfg.clientMaxCallSendMsgSize m.clientMaxCallRecvMsgSize = mcfg.clientMaxCallRecvMsgSize + m.useIP = mcfg.useIP m.InitialCorruptCheck = true @@ -610,6 +632,9 @@ func mustNewMember(t *testing.T, mcfg memberConfig) *member { func (m *member) listenGRPC() error { // prefix with localhost so cert has right domain m.grpcAddr = "localhost:" + m.Name + if m.useIP { // for IP-only sTLS certs + m.grpcAddr = "127.0.0.1:" + m.Name + } l, err := transport.NewUnixListener(m.grpcAddr) if err != nil { return fmt.Errorf("listen failed on grpc socket %s (%v)", m.grpcAddr, err) @@ -785,10 +810,45 @@ func (m *member) Launch() error { if m.ClientTLSInfo == nil { hs.Start() } else { - hs.TLS, err = m.ClientTLSInfo.ServerConfig() + info := m.ClientTLSInfo + hs.TLS, err = info.ServerConfig() if err != nil { return err } + + // baseConfig is called on initial TLS handshake start. + // + // Previously, + // 1. Server has non-empty (*tls.Config).Certificates on client hello + // 2. Server calls (*tls.Config).GetCertificate iff: + // - Server's (*tls.Config).Certificates is not empty, or + // - Client supplies SNI; non-empty (*tls.ClientHelloInfo).ServerName + // + // When (*tls.Config).Certificates is always populated on initial handshake, + // client is expected to provide a valid matching SNI to pass the TLS + // verification, thus trigger server (*tls.Config).GetCertificate to reload + // TLS assets. However, a cert whose SAN field does not include domain names + // but only IP addresses, has empty (*tls.ClientHelloInfo).ServerName, thus + // it was never able to trigger TLS reload on initial handshake; first + // ceritifcate object was being used, never being updated. + // + // Now, (*tls.Config).Certificates is created empty on initial TLS client + // handshake, in order to trigger (*tls.Config).GetCertificate and populate + // rest of the certificates on every new TLS connection, even when client + // SNI is empty (e.g. cert only includes IPs). + // + // This introduces another problem with "httptest.Server": + // when server initial certificates are empty, certificates + // are overwritten by Go's internal test certs, which have + // different SAN fields (e.g. example.com). To work around, + // re-overwrite (*tls.Config).Certificates before starting + // test server. + tlsCert, err := tlsutil.NewCert(info.CertFile, info.KeyFile, nil) + if err != nil { + return err + } + hs.TLS.Certificates = []tls.Certificate{*tlsCert} + hs.StartTLS() } closer := func() { diff --git a/integration/fixtures-expired/ca.crt b/integration/fixtures-expired/ca.crt index 699bf7fb5f7..b8b3bddb4a8 100644 --- a/integration/fixtures-expired/ca.crt +++ b/integration/fixtures-expired/ca.crt @@ -1,23 +1,23 @@ -----BEGIN CERTIFICATE----- -MIID0jCCArqgAwIBAgIUbY6SSy/rF2TQzWsH4GxG+h+Pvw8wDQYJKoZIhvcNAQEL +MIID0jCCArqgAwIBAgIUEKEIOO1O97Bz4car+7SHDxT5tB4wDQYJKoZIhvcNAQEL BQAwbzEMMAoGA1UEBhMDVVNBMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH Ew1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKEwRldGNkMRYwFAYDVQQLEw1ldGNkIFNl -Y3VyaXR5MQswCQYDVQQDEwJjYTAeFw0xODA0MDgxNzUzMDBaFw0yODA0MDUxNzUz +Y3VyaXR5MQswCQYDVQQDEwJjYTAeFw0wMDA0MTMxODU1MDBaFw0xMDA0MTExODU1 MDBaMG8xDDAKBgNVBAYTA1VTQTETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UE BxMNU2FuIEZyYW5jaXNjbzENMAsGA1UEChMEZXRjZDEWMBQGA1UECxMNZXRjZCBT ZWN1cml0eTELMAkGA1UEAxMCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK -AoIBAQCqhEOeNSLK5CcfvZgHFHPJzRWeDc/fAQ3U2GSF1+KEslOA0mmHiL1paloS -CbuwzoY/EGPCudFxIwFwjl2BAxbMdaCAKCxPwMHfn/38I45GgJFODjcOP0AX9i3O -z2jsAGm02HNicmF24TuQgij8lvhhKjNsy2Lrb8/i6NmX8AKZl9smkRRd5HpUz9DD -HelH2CXYCjbGXdpCyjN2PwfGSoCsAV8NDwbe0CAg6+dZCQrbqt2PJE2uRBoLgp3p -AsVdPiFL1igOimgQRShGvMEVLkA7cmB3fALZy1WTGGj4h76HtEz8nywN7PmoWQJv -AZFM168XPQ35S9+1CROtWUoM7dlhAgMBAAGjZjBkMA4GA1UdDwEB/wQEAwIBBjAS -BgNVHRMBAf8ECDAGAQH/AgECMB0GA1UdDgQWBBSLaEU8nqrYzNEcmi0oZKd1AAFK -gTAfBgNVHSMEGDAWgBSLaEU8nqrYzNEcmi0oZKd1AAFKgTANBgkqhkiG9w0BAQsF -AAOCAQEApPHGwdcMRWMk+RS1NVb3yCPdf2Tx8pPYAJpLY46OPenGnFt6+wJs6Nhq -bj9zmEEqyn1WLXtuel+X4E4BEofkTEAM+06UT7SGgEF7zMY+zQjfPqD52jLhS11I -hp3u/hDR5c8r6RmvuH1TiPK5twxmV1w6LRGQcGJtw1PdTVfgHM+1s7kQ+Ineo4kK -8m1JR44B3GHyw+o0jsf5NqnmQnW6aMACQXiX93fnelkPOsKez/oxiy/WK5dDMrzH -JgNonK+bZRpef15XK3EOhmHp8YrY0CEq4MFsxxmkMZT0OnvIMEi9SkPV1cFq2N7r -uTB9aMzzD/1u+3+IpHCrkb0QICj3YQ== +AoIBAQDFeNJ9r2TFcJp9UHS42QN2NN1A96LQXxn/BirHzXdeTk6YEe0eloA91SJT +BAae7aGdPMkpMyAAXheGPGHAbSde5dONYx2QE4nqWRl79v6kDbX6EmqwpzTOGD/T +UfLXe65g6w6kaXcNZWiMdqfkUImke/WWM1qunsCKoGOXF8Jg1DLy7NSjqT2Kg1UP +evJ5GOrWmIj5rEnEvW0ohR7mKV23xl5okVjrlzCi+arWDdl5RzE0I9x7vKNE0TKX +NNHG9hMSJQ/ipXXXyMcahqGZXtkGvOpwpO3lpsGjo3WIUZMQW2FA3xR0nBC6Lt+0 +d+7IXOy/LbzXpkcL8Ws5BZuLDSKLAgMBAAGjZjBkMA4GA1UdDwEB/wQEAwIBBjAS +BgNVHRMBAf8ECDAGAQH/AgECMB0GA1UdDgQWBBT5Z7kwwTNntO1UsuMdUv/Yq3Ad +cDAfBgNVHSMEGDAWgBT5Z7kwwTNntO1UsuMdUv/Yq3AdcDANBgkqhkiG9w0BAQsF +AAOCAQEAkFF/fIVlcgj1uRL36wP4DgkOMCpU5+vwlDdHihDzRJHZqik+3+oNz7DD +pRIURHMeeF+Wk5/GRQ/oGzKYotNLLzqCOggnLCxET6Hkb07vfve91HmYVOYix5pU +GPW8+M3XyFTL3+2BnPpqPpJWpJ28g+N3eQjAG8rIbjXESdxrpJFKY22nMbtyS1rH +dyzf3OO4S7LZiRQx0nuD9SZtX2vj5DyN8Am/zieSYm+GCtJsvIiDoB+Uhndnxxt0 +FA0/89vGJ1gCo+Z6clzqBIbesRUBnLvPbUdpxhFAtjUKZhQv05IrE81/GP7F7kEr +oODS2+D5WC6mKDO4v2k736OTw6HwOQ== -----END CERTIFICATE----- diff --git a/integration/fixtures-expired/gencerts.sh b/integration/fixtures-expired/gencerts.sh index 7b919b3f2ea..aecdd423bba 100755 --- a/integration/fixtures-expired/gencerts.sh +++ b/integration/fixtures-expired/gencerts.sh @@ -24,8 +24,19 @@ cfssl gencert \ ./server-ca-csr.json | cfssljson --bare ./server mv server.pem server.crt mv server-key.pem server.key.insecure + +# generate IP: 127.0.0.1, CN: example.com certificates +cfssl gencert \ + --ca ./ca.crt \ + --ca-key ./ca-key.pem \ + --config ./gencert.json \ + ./server-ca-csr-ip.json | cfssljson --bare ./server-ip +mv server-ip.pem server-ip.crt +mv server-ip-key.pem server-ip.key.insecure + if which openssl >/dev/null; then openssl x509 -in ./server.crt -text -noout + openssl x509 -in ./server-ip.crt -text -noout fi rm -f *.csr *.pem *.stderr *.txt diff --git a/integration/fixtures-expired/server-ca-csr-ip.json b/integration/fixtures-expired/server-ca-csr-ip.json new file mode 100644 index 00000000000..2b2c4350ba1 --- /dev/null +++ b/integration/fixtures-expired/server-ca-csr-ip.json @@ -0,0 +1,19 @@ +{ + "key": { + "algo": "rsa", + "size": 2048 + }, + "names": [ + { + "O": "etcd", + "OU": "etcd Security", + "L": "San Francisco", + "ST": "California", + "C": "USA" + } + ], + "CN": "example.com", + "hosts": [ + "127.0.0.1" + ] +} diff --git a/integration/fixtures-expired/server-ip.crt b/integration/fixtures-expired/server-ip.crt new file mode 100644 index 00000000000..35e78fabfd2 --- /dev/null +++ b/integration/fixtures-expired/server-ip.crt @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEBzCCAu+gAwIBAgIUOc4vrxQ6OeHoGslhL7daP1Ye8ZYwDQYJKoZIhvcNAQEL +BQAwbzEMMAoGA1UEBhMDVVNBMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH +Ew1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKEwRldGNkMRYwFAYDVQQLEw1ldGNkIFNl +Y3VyaXR5MQswCQYDVQQDEwJjYTAeFw0wMDA0MTMxODU1MDBaFw0wMDA0MTMxOTU1 +MDBaMHgxDDAKBgNVBAYTA1VTQTETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UE +BxMNU2FuIEZyYW5jaXNjbzENMAsGA1UEChMEZXRjZDEWMBQGA1UECxMNZXRjZCBT +ZWN1cml0eTEUMBIGA1UEAxMLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUA +A4IBDwAwggEKAoIBAQDLUZuwXwiky2VvujM0EOP9LL85sx1dKLc/16hOl6qYRPOg +PH7zsmXMVndsD2Fi9NDbhV9rVHfVNkCyZO/D81u52UEyr2uSFHOfIqLkFGKvcxhO +FtOLA7wTjzHiYO1pFgqYBWzSfIyreYYo13tCYxHUlhn3ibqvCz9fimGsQmswhUiP +yaC4C8iBICWNd4vrXHhtKb5pHHzUDFHkOxKF6VS9f7InKBy2yTr8ekgoEYyE3gtp +ncoVbVlwxehChbZThFi0xsQc/kG/eoyGznKo9RUlUW+h3SEJR3bYizYP76ZwWXus +nP5vgLmZ0wIi/689uTQbEAK438rK3xTSziPv6B51AgMBAAGjgZEwgY4wDgYDVR0P +AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMB +Af8EAjAAMB0GA1UdDgQWBBR8bgC5SVrIrOAkjED8FB6OThk0IjAfBgNVHSMEGDAW +gBT5Z7kwwTNntO1UsuMdUv/Yq3AdcDAPBgNVHREECDAGhwR/AAABMA0GCSqGSIb3 +DQEBCwUAA4IBAQDEV4Ec8TpDXvFTJYXrpME5KnKvtq1fEv100jc88cmlGb/rygge +MtisA1rYSaSEPMF0j7HoMtTwP90yrJCBTr7/vziAXCZU2H6bg24exRzqtMDpDhXg +mvqkqvMVFem8ANIF3a+qXPY/pzjh4xrPuOw10TfG0bE576lAY/KbnY3UvXo6QL54 +AMyimFhq8e9dJ7JnO3eaYmJv6oSjKjqNYSU+01UfxEJGNbx1IELMDlnVKX0Zmn9p +YbUS3nrowKoVXpuca9KzS1pINgqVsztF5XJxzqlcDwERR/QcTKwUgQ0y0BBRqiGg +WdtbyamFufvF8GPsNJ0KRHXSIRRXF7hbgiXd +-----END CERTIFICATE----- diff --git a/integration/fixtures-expired/server-ip.key.insecure b/integration/fixtures-expired/server-ip.key.insecure new file mode 100644 index 00000000000..357f52455ab --- /dev/null +++ b/integration/fixtures-expired/server-ip.key.insecure @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEAy1GbsF8IpMtlb7ozNBDj/Sy/ObMdXSi3P9eoTpeqmETzoDx+ +87JlzFZ3bA9hYvTQ24Vfa1R31TZAsmTvw/NbudlBMq9rkhRznyKi5BRir3MYThbT +iwO8E48x4mDtaRYKmAVs0nyMq3mGKNd7QmMR1JYZ94m6rws/X4phrEJrMIVIj8mg +uAvIgSAljXeL61x4bSm+aRx81AxR5DsShelUvX+yJygctsk6/HpIKBGMhN4LaZ3K +FW1ZcMXoQoW2U4RYtMbEHP5Bv3qMhs5yqPUVJVFvod0hCUd22Is2D++mcFl7rJz+ +b4C5mdMCIv+vPbk0GxACuN/Kyt8U0s4j7+gedQIDAQABAoIBAAjHl1+AWxEyr0ip +07g12oJ+QiutrmDtdyxMlbn/FqDIqXSL6DeBxp+SREnoSB5L0BEKq1opJZuRYi3R +6gCeK6HU3dngdVazh2KhzkLnFnPZFn2Ywr3IBYEat968rMPS7dYutcpJEpH9B2wQ +EgSF3qk9ahWkXulcJPptMVaM77ACnZk6yYsPDPqjX/zsCXVga59QL0x1n2ai50er +W7kthCj69zZP6crbnjyCUDjNdpDio7xurvvxs0k1KWmcN9QjdOyFXDFgTUnphIFX +pEyVhu+LmLzFKc1WVQ4sIAt6ot9kpWt+cdaBVIWl2yCmqF4nbJ38DDG6wLXaZQd1 +DgEL0YECgYEAzt7QukPfjgw5CKZguQVVn0LGYdHw47qHiusjABzYH4mokMHqR/r5 +LIIRQ4JjB/vpxavj6B0e73tcfwbSzLSwsRI9/6Z27UVpXnpU5LY7+46d+ZXsQorE +8jeUX6ZQi65ujpFFKkftKlmq67XJtmSh2T+3dMqRXmFWVZThllBJcGUCgYEA+5rd +gvZhaj9Rng1CwK3FoI/mp0BtSL+TE8/JbV0yA5X6NhXlts/ysafFZsj9RkR1NhXL +ql8Bl9RxrV6mTIz6/76NC39ZUQUe5FZGv64rqjoFwOnv6ap1/8ntDFy29DgZ5Dqn +flAtbbEyVG+VCwwhDgUT+FTNNS1eg18GStr6LNECgYASgo1anUgbhax0wa5V38xR +e8AUcJyFQ+Ns4q03DV2pNMAIc9Fqr2IsQVcaG0iRJlE8hqzV0AU8mGUmWI30Exbc +QS2a+mIZyOQst/VwoX2sfI5WDrwdGB2XLrHv/Qmn9euehhESP21RJMTOYm2yDD8P +GUxo/tcTAtKexbuJn5VyoQKBgB7OH0DhmZvAlOWdCgc9P20hMURZBwhZLFDIqAjT +2EPIIRJuK+nuG/DUcb7b7OalixRMJtt9Nly4jhKD/ChzOmgFlI9L0EuzLM0YIyFk +2cPFxt6Pxef+DuR6fKN+1oegNstSwx8cAfPkNh1QbBcmLQXiaUeGWnmgTGoZQFP5 +65eBAoGAfV98Mwka+VJ3hYNPL2ZHUXHnXw9Hnf5NnaGfgz7/Ucw3H88HsrIDIZgO +NKSM3NVRIrweAx8/gDIrGqjXkvrwuCqXXYeS23gRteigUpoQrtGjBxIwtalT8K2O +jI4vqz8SsNALtR8nehmBPzTj+t+rF5b1cMfyreHccoAa+0TbPac= +-----END RSA PRIVATE KEY----- diff --git a/integration/fixtures-expired/server.crt b/integration/fixtures-expired/server.crt index 887528c860f..2939cad8856 100644 --- a/integration/fixtures-expired/server.crt +++ b/integration/fixtures-expired/server.crt @@ -1,24 +1,24 @@ -----BEGIN CERTIFICATE----- -MIIEEjCCAvqgAwIBAgIUbmmpzabDgRPOJj4EzbN+TfqIVhkwDQYJKoZIhvcNAQEL +MIIEEjCCAvqgAwIBAgIULscJmimDEFNvw3oQ5paqHc+V/w4wDQYJKoZIhvcNAQEL BQAwbzEMMAoGA1UEBhMDVVNBMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH Ew1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKEwRldGNkMRYwFAYDVQQLEw1ldGNkIFNl -Y3VyaXR5MQswCQYDVQQDEwJjYTAeFw0xODA0MDgxNzUzMDBaFw0xODA0MDgxODUz +Y3VyaXR5MQswCQYDVQQDEwJjYTAeFw0wMDA0MTMxODU1MDBaFw0wMDA0MTMxOTU1 MDBaMHgxDDAKBgNVBAYTA1VTQTETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UE BxMNU2FuIEZyYW5jaXNjbzENMAsGA1UEChMEZXRjZDEWMBQGA1UECxMNZXRjZCBT ZWN1cml0eTEUMBIGA1UEAxMLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUA -A4IBDwAwggEKAoIBAQCxxPIOJV9gc6CjyffN5ylSf7tWrJen8DiyETW5kmDRxnWE -RWRIFjcw6EIhyyXE4g5KEhYRqf6uVWY4a97X8xPTT0MwctifDYg2mFEzR4cswcVq -AmVG9PluWA5fE7SH0VnX2XJyslyeA/+1JlfowlcRkpCAkKPl/xGwYhBada6cA4zQ -YdA7DrNTUdVJt3EGf1wCL4BplcCjK2U53B0neUt5o1IlTwaF2yRpKiCrZ7sH6jI5 -HugSFRorq65LwFFQPz+RBmNSAEnMF9z6nToQO/S6PYfvcS6od/7UjipaeY9biRq5 -dgpnd3vr+vnR05z6hSNA/FZz5241SYsvJNFU/irfAgMBAAGjgZwwgZkwDgYDVR0P +A4IBDwAwggEKAoIBAQC090lhTNQRzaNBROiSAt0Tv2KTEqGtus7bNJjAVEpRRz6X +htuXfFf7jJoDqhz60/Xtyky+EoP+EH1sh6TwafZwl3PrCMDNL+Bvmm0BUHU00Tef +afmFf1K7FpL/eYVQcavpNJ35sQRYjsw8JWQ0+Ge0qsyfEUSIqfzdNQgniBrITM7+ +t7NWmCjm3awd0PWMFk10WnEudoWV8fb2TBSTE9gdx0wsafg2Xu7z9WUFCZWPtFRV +2qB91G8fGtZx32pxmi6WgKHIYBWceZ1IGaVsH/c+UWsxJvxoKQnRSuo8vfxHybLM +wULDqFlNE7Z29KIDEmSwUXGeWwGUrud/VgQo0FBPAgMBAAGjgZwwgZkwDgYDVR0P AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMB -Af8EAjAAMB0GA1UdDgQWBBSzO25mJGCt/clSMtYNaX2vhZcVijAfBgNVHSMEGDAW -gBSLaEU8nqrYzNEcmi0oZKd1AAFKgTAaBgNVHREEEzARgglsb2NhbGhvc3SHBH8A -AAEwDQYJKoZIhvcNAQELBQADggEBAGpOAvnIQ+YHCSYMKl4v9DpZWOoJ3PrG3bFB -FomGSIXJitWC4ONljF7o/OsDgOwfBo8L2e/HUSqCoxs4nDf/nzePYtenlL1vFQ4l -tajKUTgXKjE55uHhzVWRmcmMNM7yC2dJaoYO+mVwtjLCwvnyNvqG+rUPtk5SXP9t -rjVWNsowBSHTVSBoSLNxEI4DRrUvxm20y/E++VXwhliTHGpq+htGz7g7XSNHu7Xo -xEkBxRaavZbSEdOR3NPyDPfFAdglnxTk1DQ7DJjznEahegO+pTbID/OY3hrMDVKt -YnIt7WzS6KLnUzBOPS1jiyWVUK4QMC5yDAwYU4RH1Pr3XUCNWzk= +Af8EAjAAMB0GA1UdDgQWBBQqIZCfMH71R7RVCzGrap10FGf5ZjAfBgNVHSMEGDAW +gBT5Z7kwwTNntO1UsuMdUv/Yq3AdcDAaBgNVHREEEzARgglsb2NhbGhvc3SHBH8A +AAEwDQYJKoZIhvcNAQELBQADggEBAKzFUSqROx2ERE06y6ZAjB7PeZuRFGIAZiSY +QGG+4vQLAxNMqQN4Td7SXrOsFq/uffrqxlOPCVS94Kd2XRmsT6gCsMWXSr8zBQyA +c//hWHU9jG9YSZ4s2IBqLTugsMUGxuq0ClEXzkrqzeJssHfJCEF+Peg39v/Bk/Hr +iA/YDoQp7hgSdvwO8XH21HBab9nsYHvOIFivWdS4/w+au6QplwDC9a0R67tkNDnQ +gxWvhA8SJ2HjumvZ0eOSZMYhOhXca52LwYBEM66600cKKvOcVAtIWAfx3MI7FY03 +sCUu4iGbo61ceomM22hmZtPUEBzpVuwnaujmD7MMvr322Wu4QJY= -----END CERTIFICATE----- diff --git a/integration/fixtures-expired/server.key.insecure b/integration/fixtures-expired/server.key.insecure index 15fc1d545ce..3092f9dfab1 100644 --- a/integration/fixtures-expired/server.key.insecure +++ b/integration/fixtures-expired/server.key.insecure @@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEAscTyDiVfYHOgo8n3zecpUn+7VqyXp/A4shE1uZJg0cZ1hEVk -SBY3MOhCIcslxOIOShIWEan+rlVmOGve1/MT009DMHLYnw2INphRM0eHLMHFagJl -RvT5blgOXxO0h9FZ19lycrJcngP/tSZX6MJXEZKQgJCj5f8RsGIQWnWunAOM0GHQ -Ow6zU1HVSbdxBn9cAi+AaZXAoytlOdwdJ3lLeaNSJU8GhdskaSogq2e7B+oyOR7o -EhUaK6uuS8BRUD8/kQZjUgBJzBfc+p06EDv0uj2H73EuqHf+1I4qWnmPW4kauXYK -Z3d76/r50dOc+oUjQPxWc+duNUmLLyTRVP4q3wIDAQABAoIBADykuAJ1Y10O9O0L -GDsosaMQKgN+a1oCDAVK863zro3BixNtbLFeysMnaHAI0kCg8Uj5dIfgGx6zyWRU -ADhhFxFOB9i+RQG1ZxNg0MqSix2MmOD6Ijybk3++EGEE4uA2XdTRvEY+bHQHXzMX -+oNP0M4Q1rTVIuRyKEGoonWJkeBsj1m4U5q553EWDQv9esXzuwpnZ3/1thxQhZIJ -TBSQ/RhD8/9v95+wU3tVVMoqXhAbqjx0122ZF4khZJb6YM7YaHDdstX+own3yejI -srvjNH3E3IiY0HZyhg7ohRfRDSoDLZz0F3v3Dd7wGNWkNYU3vtd1A6Y+xM6U9EwO -u5taTEkCgYEA63MkVXR0Yd3tlffm1WQxtcVix2vbnNKY88L6GW4/+RYUMAThqQF4 -L7YwNNqGjLqhp5U5cAydaMunRsOf/wYFYAaUcRWPISCzbgZh5cgr1XPafb2iMNzD -xjE/MhG3jjhKP2nA/QUrUd8woEOEq6qUijIiDyTh84rdpZ1K8uIvuuMCgYEAwUj/ -0I0gbNZB84/whfnfEkt5ZebYs1vKxRHm5xB58PEZTdoTTlZvoTGzn/NJZrOtZOLo -abbvB2xlZNBPl36ZMh5561LPnTTP94qGVfsdr83atMG6AHje7/2cw9BddRXSUjlN -SEjzhwRf6HklsiVo0QmWSLD0BDeZGtxHgBhNZNUCgYEAiTo5wgi20Fed4tty0Yqt -Imlh8iMeA6AG/4PzaqEEbjP9HiOqNmuh1gUUwalf5GPeViM2L+VaVTrlSuw3s1aa -CWasW+CZ5E//5C+aHWf2jFkSzliZUGtLO5d2YsNKvXx3YdBMZ+v8XKJ939qaV8d6 -/bTMfxEbFGwqVR2BEmDcOssCgYBPUTOZU7CwuSQLXVAoyqdeDJbe2GKpB8woHvaQ -b9R6qZXmus0dYp8gmRLLWr0OZkGLmwohB68DbtoVCt7+njcjuBn0FeGY86k8Ph5u -fkRqdqF/d9hqhS+HcJ26RXF0sOXEVDuApF87UvJApiZv+qYO0k5XujYI3P/5Y9f7 -mv13mQKBgQCyBOuHxbZWn2Y15Z6w6K7DOdFuxGjM8ATqdJ8NmGPDABlfrSZiTwkf -gLY59kZREdl13DzGCVxbk1EGq+KFNTRSovuf7DG7kY0wQcOlQOzLS7fnftJOBw4E -jaTx6novxP3dqWlYmuu1BP/foiVvKHnVYobNihe6rKiaLoH3fWotsg== +MIIEogIBAAKCAQEAtPdJYUzUEc2jQUTokgLdE79ikxKhrbrO2zSYwFRKUUc+l4bb +l3xX+4yaA6oc+tP17cpMvhKD/hB9bIek8Gn2cJdz6wjAzS/gb5ptAVB1NNE3n2n5 +hX9SuxaS/3mFUHGr6TSd+bEEWI7MPCVkNPhntKrMnxFEiKn83TUIJ4gayEzO/rez +Vpgo5t2sHdD1jBZNdFpxLnaFlfH29kwUkxPYHcdMLGn4Nl7u8/VlBQmVj7RUVdqg +fdRvHxrWcd9qcZouloChyGAVnHmdSBmlbB/3PlFrMSb8aCkJ0UrqPL38R8myzMFC +w6hZTRO2dvSiAxJksFFxnlsBlK7nf1YEKNBQTwIDAQABAoIBAFny3E93v6VFwFLN +7Ie+0qJhK58M0L4or273msFmZDY4Il1w069dR+Ipxdfyc0sdlgzm0/RaAa+EBMOw +PISfNrZKIXz+sc6LcJQofuv7UPa601nyc+suGTITC2fewCv3BEr7M1aL7SwTdmKi +90b4/ZsolmKuU5FWZPCSzoXPufg6lyyw/9AvD8gnjMPjyoPrG1AbLruogdD/gz62 +SZEHAaY0jHdQZbobo6iOuGoOKfYHr39B2xVoJAjR+1PVxzuAnZYbpUhemzHMTW03 +ikei3l6B/Qu/NdhW6CaR2dMetTVnbHwomm0cx2N4SNFFrKvnc1KQJR/b4RTxmVvd +HQlVHqECgYEAzb9vxslb6vpbpGUu787X/SFGpHi5tSAeqoL2/TphrKMBh0EJIUSK +tq2B021rzLjvVKdN2hSisa5EvBkNQnwkeF7Nvr0adPB13Xo26G45RmogUnH4UFrY +RNTosMcab6VopFmcdFLxfNHx+hVKf0+l5mNsSN0MtxyM/9q92JF+fFECgYEA4SpY +AcrldyZcmXF5ngFp24SHX0sTgjrbuq0VGk6HshVOYY/XFymlpoZLEpaRC5kKoZ7W +YLVSE1BlJ79kmqPQ6Y2oB+TN2PALVMl8K1fwJxW/OfHEbq2tDylF5/jUS3noxU2w +J2FjV4wyHoKCrVFGQjI+CWQBmvXaGsbEwQO6+p8CgYBfUz7afxiTOgOTmz2v5cm0 +geJU+YoxHPyYS61bjd0LO0rN+5fbTgJmuOTZrGyxoU1hj1JGpCDs6az26TR3hUTw +cBwrLzo+y9oQDzu5XLg0o57uE9fUgwKIgYx9uwHIkH53Bv2x92vjRPIzyAGIEsLu +h0n4SFJH1HaPZC1pVZ+gwQKBgCCWbUhNIiq9bZdzmeNpVvXDV4hOKFOnyxdYZ354 +MSFv/fkWxU1/5I6WTxUwn2trSeOcRnCWrXtIHmvDQn8zCFBVBSWnUrd7/lfWFVd8 +kbBGcHelawWNs0dHdOue0rLdwPeVR9JbQPJxwusxflIxOhboiJv5UlYoENnhPKam +sJAHAoGATyztNEOTtPk7Le4ZYzC2bR58vAPeiu6mzN37Vf4PGWJyLSzAqLnDyQ8c +REFVsgawue5hKzHz+JBsc91CURWHlMcMQ1sjmMx0MGpNyjVlZIoHMxnIo/CGwGvI +TSlyv2ErcTpiwC1gAw1G5dAp3fWASmiDxNX5UXnpVA2SMiCScY8= -----END RSA PRIVATE KEY----- diff --git a/integration/fixtures/ca.crt b/integration/fixtures/ca.crt index 69eac6cea42..c28e7f63260 100644 --- a/integration/fixtures/ca.crt +++ b/integration/fixtures/ca.crt @@ -1,23 +1,23 @@ -----BEGIN CERTIFICATE----- -MIID0jCCArqgAwIBAgIUGMTka1d/PO3J5ui12qLiCKjR1rMwDQYJKoZIhvcNAQEL +MIID0jCCArqgAwIBAgIUOJwZrjY0viD0A34jOYtZb/aNy+YwDQYJKoZIhvcNAQEL BQAwbzEMMAoGA1UEBhMDVVNBMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH Ew1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKEwRldGNkMRYwFAYDVQQLEw1ldGNkIFNl -Y3VyaXR5MQswCQYDVQQDEwJjYTAeFw0xNzEwMDUyMTU5MDBaFw0yNzEwMDMyMTU5 +Y3VyaXR5MQswCQYDVQQDEwJjYTAeFw0xODA0MTMxODUzMDBaFw0yODA0MTAxODUz MDBaMG8xDDAKBgNVBAYTA1VTQTETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UE BxMNU2FuIEZyYW5jaXNjbzENMAsGA1UEChMEZXRjZDEWMBQGA1UECxMNZXRjZCBT ZWN1cml0eTELMAkGA1UEAxMCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK -AoIBAQC/oSHQqlc05uZYMHHxkkF/eTM4uh7Z/6TSjChMfnNk+5rZJzwSkLeL47Am -kmcGnB9xo4tKkiDjq6MbHwgK2YpgdF5rRSC89BYBWPVvSMxMWV4Pvx/q3mdUjh7N -tb9udJxG6c3rgI+2t2zcx1+qFGeKw0JSHKpcI6UKNm7E/xY0lqJ0ptHruBgFQaqy -VdqVa5QkyF2imnFEdgakO2EuQR3vVAr5sM552LLnngNsfsxLStxXWDJZ/+34k2ON -jJy5KEQ1KgYmVwi8843yQRDkvAjZ4Z1LzbcQQ83/6oT3kAfsOjy8bdsxMZBWSA53 -W9LuKUOk6WLRY0S3vUjzdw8To15RAgMBAAGjZjBkMA4GA1UdDwEB/wQEAwIBBjAS -BgNVHRMBAf8ECDAGAQH/AgECMB0GA1UdDgQWBBSt4lqZZ20BpzYG8GSym10Intbr -EzAfBgNVHSMEGDAWgBSt4lqZZ20BpzYG8GSym10IntbrEzANBgkqhkiG9w0BAQsF -AAOCAQEAA6TqqLkPdI6zuda71LL68myXbN2qdxzs7HK8jkGPM2cU6Ii0G66TvesM -gf1k3VddbvF8mPCyhdLYRArQeDLxKDLq/efosOj/NiLtepXea6Ib7XEo2AKCe21S -SpBAZ2Szx8mGa7IY3ISfxkY0PpGhe2G0Rf0kOX5SYhQ/4TdAoe2pr8jFX6b7Kbdl -yBxq9nDYjSCA7fC5Yr3Pup7Uu9fh1TJr+62DMBeeQN1XFZ0hEdu5sk4jkNq3ijC7 -/vpDyzRduUGpbp8Jy4HzoyWrCmp+KEznEWNmXb/HoPHKBlAz0ovjzU+jnFYi9tVN -WODbdeGuXqBBmdAGaWBEowVP8ZhdQg== +AoIBAQCu5s9vCEwShwELpyEXbP5A69ENrkqe3qU1AR3DzWY4gFkkec+QnCdid16Z +Ayp0Xg1t1GOxTMMGjadyJampzhB/l3oCiIQyQNOy0bCJvn02lBwDFIXDzvdMUfob +OaTYGwG9vQD6b+ohwzWneF6Ov7UrqAGvRSmTP2Id5vzqGA1+nRA2J4+WOH4ouwZD +1d53fFk/eBkuHyZO/SEPWH5Ch2J9bZ7jGiTpuroqjbkJXhBfHheEV2NBxIWGWRvh +JXazBbHwogrR1Op0NkeXPamm9Y3GEL0z/e6hhTGSLFKDioy6P2QrF7C890ru0cX8 +QfLFXj7nBMB+mW6/b4dhywnFwjdpAgMBAAGjZjBkMA4GA1UdDwEB/wQEAwIBBjAS +BgNVHRMBAf8ECDAGAQH/AgECMB0GA1UdDgQWBBQdqL0i7KF7tmBTUvtR2FpL+Csm +2zAfBgNVHSMEGDAWgBQdqL0i7KF7tmBTUvtR2FpL+Csm2zANBgkqhkiG9w0BAQsF +AAOCAQEAjSy+ijzcO3Hu809GvmVl/+aRL/e6iKZ8WC3kpY42ZdyAbhCSYnWmUdHX +smBVOvjZmQnEtXrrOrzBcbTFdnMzswgoPwtYPKqAqP0vxARbmnbDDuzFstaKSIYm +T2Tw6r30ivbG7dIyitewCGmTXcdgMLmYgx+zOOj8BmbK1o1jW+qFudggC95qkkiq +ismo8Ao1/Uw6bDbg/0l30V16bfI7jvPxK6+S2FUlB+ggfQtd2dfKVXNUtfBG8wf0 +1BQdiLPAQGDiprmEpAoUyRfNkMPSZD+WeBYkb0Ji2MyzJ3pUtBPwb57UcbIyp9S5 +MSqy3ciMv+FyBaX6EB2mP8GMgW5WaQ== -----END CERTIFICATE----- diff --git a/integration/fixtures/gencerts.sh b/integration/fixtures/gencerts.sh index a4e55dc13b5..67d610b9eb7 100755 --- a/integration/fixtures/gencerts.sh +++ b/integration/fixtures/gencerts.sh @@ -25,6 +25,15 @@ cfssl gencert \ mv server.pem server.crt mv server-key.pem server.key.insecure +# generate IP: 127.0.0.1, CN: example.com certificates +cfssl gencert \ + --ca ./ca.crt \ + --ca-key ./ca-key.pem \ + --config ./gencert.json \ + ./server-ca-csr-ip.json | cfssljson --bare ./server-ip +mv server-ip.pem server-ip.crt +mv server-ip-key.pem server-ip.key.insecure + # generate DNS: localhost, IP: 127.0.0.1, CN: example2.com certificates cfssl gencert \ --ca ./ca.crt \ diff --git a/integration/fixtures/revoke.crl b/integration/fixtures/revoke.crl index 0e73dfca582..5d8b030a43e 100644 Binary files a/integration/fixtures/revoke.crl and b/integration/fixtures/revoke.crl differ diff --git a/integration/fixtures/server-ca-csr-ip.json b/integration/fixtures/server-ca-csr-ip.json new file mode 100644 index 00000000000..2b2c4350ba1 --- /dev/null +++ b/integration/fixtures/server-ca-csr-ip.json @@ -0,0 +1,19 @@ +{ + "key": { + "algo": "rsa", + "size": 2048 + }, + "names": [ + { + "O": "etcd", + "OU": "etcd Security", + "L": "San Francisco", + "ST": "California", + "C": "USA" + } + ], + "CN": "example.com", + "hosts": [ + "127.0.0.1" + ] +} diff --git a/integration/fixtures/server-ip.crt b/integration/fixtures/server-ip.crt new file mode 100644 index 00000000000..0933efd32b0 --- /dev/null +++ b/integration/fixtures/server-ip.crt @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEBjCCAu6gAwIBAgITULCLY8OCPd8L4ZLShYUI99ZIFjANBgkqhkiG9w0BAQsF +ADBvMQwwCgYDVQQGEwNVU0ExEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcT +DVNhbiBGcmFuY2lzY28xDTALBgNVBAoTBGV0Y2QxFjAUBgNVBAsTDWV0Y2QgU2Vj +dXJpdHkxCzAJBgNVBAMTAmNhMB4XDTE4MDQxMzE4NTMwMFoXDTI4MDQxMDE4NTMw +MFoweDEMMAoGA1UEBhMDVVNBMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH +Ew1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKEwRldGNkMRYwFAYDVQQLEw1ldGNkIFNl +Y3VyaXR5MRQwEgYDVQQDEwtleGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQAD +ggEPADCCAQoCggEBAKs3eBWGM6rsQsYOPy48fuFDEg71hNbUw1YCfNQueHpz/jqJ +E4RDfjb/Ou3V6m/MIsfmdWua+mZ/H3EXwnz0eAXSuspyNHOEaYkgqDYOVGnMD99y ++JhEVhSb+hRR4vR8qoL8fnJWdoINxaLAHm6K/93RPwyvn+m5fjUIt6yRnZ9PZaGv +CtdQKo82VoNcJyB4Fz4Ahwy4FxKBE+zPOhR/TuBia2E4r/G4qqVf+DPStXFKxrlG +Mcw9QxSCsOXArrp+E6zya875HSRBvHJO3+ECpEpP9oymisIg2xswCs0r/v5J3RS6 +EQ07vhOr/6Ez5UmCohlnsiUuj1XEqiCRFUFCa0cCAwEAAaOBkTCBjjAOBgNVHQ8B +Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB +/wQCMAAwHQYDVR0OBBYEFF/PxASI1qkJfBdnZmtsZWyR90etMB8GA1UdIwQYMBaA +FB2ovSLsoXu2YFNS+1HYWkv4KybbMA8GA1UdEQQIMAaHBH8AAAEwDQYJKoZIhvcN +AQELBQADggEBAJHrPCBhY9AMfKdh3ZRVMFxRsNCK9OzcWRMGxJ6OG/blUQZdW9FT +aeAcCuhbu+0VYjfM2hpQ2DWPRjgi2nA0BRbVHY3nExUBgZxGZ8weQWCeZVEbV6Vs +FLNBCcWIaX53bKPNFqraX7HWot9xvIb9fCc4w3z42fY8XxDg33E829Oe6F3e6+6L +b04WQ89U/0Nd7vqkUKgsCqBVIg1PW6AbkNmv/uL4eSlcaV1nafXc0BY2i4XOmNBG +fih23YHubjuLVuURBN+gDm/3bbyGWcCAnInq5/QM2aMd6GaU2Q80sw1W1PgMR+qE +QiZ+goMjqqkDljEe4+NiP1s0jKtBTGLQFc0= +-----END CERTIFICATE----- diff --git a/integration/fixtures/server-ip.key.insecure b/integration/fixtures/server-ip.key.insecure new file mode 100644 index 00000000000..5bdc1108d30 --- /dev/null +++ b/integration/fixtures/server-ip.key.insecure @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEAqzd4FYYzquxCxg4/Ljx+4UMSDvWE1tTDVgJ81C54enP+OokT +hEN+Nv867dXqb8wix+Z1a5r6Zn8fcRfCfPR4BdK6ynI0c4RpiSCoNg5UacwP33L4 +mERWFJv6FFHi9Hyqgvx+clZ2gg3FosAebor/3dE/DK+f6bl+NQi3rJGdn09loa8K +11AqjzZWg1wnIHgXPgCHDLgXEoET7M86FH9O4GJrYTiv8biqpV/4M9K1cUrGuUYx +zD1DFIKw5cCuun4TrPJrzvkdJEG8ck7f4QKkSk/2jKaKwiDbGzAKzSv+/kndFLoR +DTu+E6v/oTPlSYKiGWeyJS6PVcSqIJEVQUJrRwIDAQABAoIBAE01MTh7kPcFnULU +j9cYvppz9UO7oVCDFybE7md8ISYPAliBEcT17od8ZqVzbklFw3VjThXdCAeKUbJc +5X4Ve74cfdDm2RIyZqjIijH+GkCvHYVEwidfwXV/tLDPEEnxoa55j8edh8kzzqiK +e+6bTbBIOGdPFwx9chUWPkVaULrShQRkZOMeyQyI1vhL2/TSOk+MsZPcrgQOQh9N +v3xmmXA+IPNkO2GS5I3MZlLKDIkktejsdkudiE+uDHYzHPOFmu14LYPjZCTyl0Nx +p6YP77ya/Um7f3zYyakXedGXBXX3h/zS8CarCpwNfzPwEADtommhhi6dR0rnCTfU +t+aMTakCgYEA1eF1bgd0bKySigm3xx+UXxoOEjV1chdLwnwEL0M2XNvsMsm7Vh+m +FmrY0I1m5n4bYv0UuEkPM3aUFnJuBW3fr3ypEDSfhLlP6eKX5gpyavJwC/eC+2e4 +ImxbsfRVbjLT7vMgbmMcjqe2B1rwYMDMSVMXieOxpi1ndViRAIpqjaUCgYEAzO8n +heU7OddugNV5RMn6Gg/pMfiQpoROReFNMln34BZubpAMDHDnbjQOuqZA2UYbsNnb +2Eu3TwqL+wr0CmQC0/nt1vR5dJZNX6VI61b4Qt4BdUUigonZxSHAnWjMzXmZ3Lvr +5wgZO1Tq+9KBeMMMTQR5nfw+z5E+4Mh3+IzqWXsCgYAEkaRojVA3YhhfSoXagxow +TeYvDWVM4qKDrRKJz+3BXhFVpGmUFWj+4ZlwGxUvp1H+c1mV9jmU59uR/y/KfeZh +YVBbQESIGU1Tubt09pQrJLKwDsGFjVmpopby3j1U9VEBsb/nm8ZoZbzFu3OXHYc/ +qb6++1Y4LpAfOZ0fXdWY4QKBgFM5oGxg/p9r3OWXTCtidx5UbdisYFovivYYHFih +bufjVC+0ciAvTd1UaNLmJ5nVPfOhVgXOIgCIgPaPqTH7EabybeOI3zY4v+1i220v +oZzOOftc+znWL8k9/tIuOFYN1y1sZ84oXM7amp9wCsJ3O6yfb6B4Sy3Sh52T7BzV +ZWq3AoGAeXHNJZj5CpH5tlgoJ2+3OXPTUuIUu7bJezmYkTaerKAtq+/NAlO90P5y +cUkUETOZuc/jyyD3VLX5Emi5gma4GcRiMJzaZY/apYrr+I9I0A5KPexhzBVdJls9 +2Lk1fTDdilopP6p3W8rRiqlDp7q/iiTvVtdj0tOMZEclmdtZH6Q= +-----END RSA PRIVATE KEY----- diff --git a/integration/fixtures/server-revoked.crt b/integration/fixtures/server-revoked.crt index de1c04a7323..8446a2edb7a 100644 --- a/integration/fixtures/server-revoked.crt +++ b/integration/fixtures/server-revoked.crt @@ -1,24 +1,24 @@ -----BEGIN CERTIFICATE----- -MIIEEjCCAvqgAwIBAgIUZf8MqK2zoEIlXqd8LqfVPpuEtLwwDQYJKoZIhvcNAQEL +MIIEEjCCAvqgAwIBAgIUShTszZYdtp48XQGfhqa4kLRaZV0wDQYJKoZIhvcNAQEL BQAwbzEMMAoGA1UEBhMDVVNBMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH Ew1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKEwRldGNkMRYwFAYDVQQLEw1ldGNkIFNl -Y3VyaXR5MQswCQYDVQQDEwJjYTAeFw0xNzEwMDUyMTU5MDBaFw0yNzEwMDMyMTU5 +Y3VyaXR5MQswCQYDVQQDEwJjYTAeFw0xODA0MTMxODUzMDBaFw0yODA0MTAxODUz MDBaMHgxDDAKBgNVBAYTA1VTQTETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UE BxMNU2FuIEZyYW5jaXNjbzENMAsGA1UEChMEZXRjZDEWMBQGA1UECxMNZXRjZCBT ZWN1cml0eTEUMBIGA1UEAxMLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUA -A4IBDwAwggEKAoIBAQDkEmWpIDyq0O9uDB01+RPFGleylCCocnY/Im6iXZnkBuFz -DctlIJvfrUgzil2tB6OsmghyWLCpRVWwcK9MLAkRnychjPIDdSYJGFEqmuUP3uZG -BcFRlm8JGkJIIO9vGBQpW5u900FzYwT4LmjK38V+zR6qFTQknCNwOx0PTC//w/30 -s7yV5u28ojgrfVEJjHgFJ/u9vTPhZbeyqW5N2Azglvxbgz97PZwr/mxclH6xTDdy -U0o0px0c4eO5EZasUbssFF/+NHeIHh0nN2BCZYzk7CoC+CxMACYq4oCDsu1esTQN -WZmgcMSEyIq+JEHtTGsA27Mjbje/68D3P9OC+wrHAgMBAAGjgZwwgZkwDgYDVR0P +A4IBDwAwggEKAoIBAQCmIdtfFvZZUzvu6NH+VO38UTmmYoU9XCUuHX+t0B/EgKwp +SDieV+N7HxCepkyYhYfNnX2gjXaIV5h/EPSXhk2Pw13oadq6IO6CmaRFtLx+6ZVo +/dz9Gj/FBlXA915Z7gBvOM0HatBGqG2uKIvYdLmP8lqL8PCnU5bCd/HnlILKJmM1 +y2P79ZMZ8gkp9A+69fUGJeoXyBGFXT+KnNErCJHvu7GXGt5IU3qlqXZE+eWY3WYh +BhzWU3y0e/Fp6A74kVcUQm37pUr+rCH0AisdeEELtFDajmB1BKzoQdkfSQ6Sn073 +OyekwEXXc8oavFatU4MzM3CliBf+UeOLry3IU12LAgMBAAGjgZwwgZkwDgYDVR0P AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMB -Af8EAjAAMB0GA1UdDgQWBBQMKqvDurICoX7YuJNGzb5OBVyCMzAfBgNVHSMEGDAW -gBSt4lqZZ20BpzYG8GSym10IntbrEzAaBgNVHREEEzARgglsb2NhbGhvc3SHBH8A -AAEwDQYJKoZIhvcNAQELBQADggEBALCw2nC7yt53qxN8w45aA3rmHWqxYoogf75n -eub6gG2T5Nl4ab8UeK8i3U4oY1+8MZgV9WP6o9Vq9XSbF5tsLzPmid/61aU6Us35 -zI8J0/RtYCibCAcVKmNwmfhoUqMTERhSL4dcloU9n/45anZgQXqNCHXJk8+I6nAY -ZLEJ2aGFhvNypPTYrr4BvHx+LnrUzPWcd7JwXGLXGJtDEF45HIMLgduof+azDp/X -HJHVra4ChMbyJHiiC9nCJruGAtF2aJuwqrGG7KnPifDLPBsplE3zvDA6dtEPvGui -l/IE15sZ++GqTgf4fn2CNJ0PK/xYCtcBejodus88SJviaEftEB0= +Af8EAjAAMB0GA1UdDgQWBBTQW3VmF/IW/pABaCAEQtdBXtg2fDAfBgNVHSMEGDAW +gBQdqL0i7KF7tmBTUvtR2FpL+Csm2zAaBgNVHREEEzARgglsb2NhbGhvc3SHBH8A +AAEwDQYJKoZIhvcNAQELBQADggEBABP8eEr/s7RNNt8WHhwKfbntBFQRRNTuMWkA +L0/4YhofSuq2eRYHRk5ZodLrMIloSiOErCX9MeVzAhdOcwadW/MGSdoaU5S5RIOL +OHO2ZlZueP4NRc2qYcQc+HNkakEE32aDQH1oJcGjenDUDz9yPoRWnbwNE7cjSMQ/ +qSfPIP/2X8Lf+zXQT8OzcLYF6Cp9wkm0zqS0BcIRXUpD8wDcqlfUN0DDA6mYS3jL +OoVDVj7ddrqhXTZidjlQHnd7Ig9sVDYO9upFpo55BKRxPAZf5gIk9GQl4b38oIV1 +OEZ9mO9BneodZ6HpwzhTtsaiZNeeqcfVlsi3Pccd8bn+wotHlwI= -----END CERTIFICATE----- diff --git a/integration/fixtures/server-revoked.key.insecure b/integration/fixtures/server-revoked.key.insecure index 9b47fd9c741..0733dded4f6 100644 --- a/integration/fixtures/server-revoked.key.insecure +++ b/integration/fixtures/server-revoked.key.insecure @@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEpQIBAAKCAQEA5BJlqSA8qtDvbgwdNfkTxRpXspQgqHJ2PyJuol2Z5Abhcw3L -ZSCb361IM4pdrQejrJoIcliwqUVVsHCvTCwJEZ8nIYzyA3UmCRhRKprlD97mRgXB -UZZvCRpCSCDvbxgUKVubvdNBc2ME+C5oyt/Ffs0eqhU0JJwjcDsdD0wv/8P99LO8 -lebtvKI4K31RCYx4BSf7vb0z4WW3sqluTdgM4Jb8W4M/ez2cK/5sXJR+sUw3clNK -NKcdHOHjuRGWrFG7LBRf/jR3iB4dJzdgQmWM5OwqAvgsTAAmKuKAg7LtXrE0DVmZ -oHDEhMiKviRB7UxrANuzI243v+vA9z/TgvsKxwIDAQABAoIBABjg/N/3GUcU5Zle -ju0tT3/HwNtFF07otYdrjR//D+N08LDpR0+vv/ElaOPeaxuN4sfYQaWfkR3V52QI -1sZ7Yz3d25noUxoXdF+3nFsGbIhPq1TmGdF5lIEssSBHH3dB7CkayiFp4xDgM1GT -VnES+es8GuU4zOhVc/QxLplVmULP/LL2CkAWPWFkUKwy2+k0ihZY+3NTeY3zwXgg -uYfi2gxpijfPTi8zB4hpsmS/c0UqUBwaUAlap0CwjVxLWBwqKHyCLXjL4rJovafl -ZtlELpr8LJFuw3Cty6+VxTniLT1wlCFwyxQUOHa1xvnJKr6VYtKG3OSDdNAbKQ03 -b6w0xKECgYEA78ejDfBP1K4up02CPaYiDtZK+OGTzjHnoXQk3hn/Mm4bD4GbWjFa -vugdcAspV56jR0wSBsp50Fx6z43w2M7zsfAPkp4tACaRcHCUsQc2bhNWniUW1p2Z -Xr/hHJyjJNY1aiYsXLY8Y/+gFKsNAmd5G3kc5F+qQ0CnCaa6EVs4f7ECgYEA84AC -NS1uy7jFWg+Fi8bOTt4KGiknd8D9+3aNYnPJ4yzZlFqoMPigoHso+BOeEpqSHiY9 -ZBWtp3GqSnXxo1kBxKv4abgSOiwtmVFdcEpdtnb1fsZOToDqVDTGIf1/5cRmGotv -rmYX/yhL0PAr9nHyV7vSvQaSq39yy/+vA7waB/cCgYEAlbL55bXm4U1t6x3E9mBG -WyUG4aNT+CPIDVDJw7BPV1jOpDuylfjCQvX/ivgs83sjTVv81SiMLL3QHszrVTC/ -jJPn5Q3D4pgxrRVcf7mVDdwc89cMDymNm04IaSiR4mmqJ391qtxLj9MESmMQWDPp -tHFEzH+9eQdgQfJJsJRXDcECgYEAuMFB65NjY9P4ehMY4yufUhwLUjozphubGnej -YzYz0tku5e+7ehzL07hfJ4vK/palk5a0MgJ41nnaGdFP3P8l5lINlDmEKvtmRdSE -rzTd0hqEvwI8XDhYlDfOte+gYXgZeL6fqJXyUzoB/LCeysk+de8fQSmBk/qJ4dtI -se7BWZUCgYEAvRn3UqhEVq6gZgJ48LKtCPAVdDH9I2gXf0ywa8ezRcuKSsCexKOH -gM8/MuL6KeKZMj9X01fySx9KFGIAN7GQ6bm4kZLIAQCLVhBkG8YV6t0i44oVQbSz -qTapBzKVPyuJPVE79adX+pOgQjIfnljFlrO7JCQ+XCfKGuU9MhJfuMU= +MIIEowIBAAKCAQEApiHbXxb2WVM77ujR/lTt/FE5pmKFPVwlLh1/rdAfxICsKUg4 +nlfjex8QnqZMmIWHzZ19oI12iFeYfxD0l4ZNj8Nd6GnauiDugpmkRbS8fumVaP3c +/Ro/xQZVwPdeWe4AbzjNB2rQRqhtriiL2HS5j/Jai/Dwp1OWwnfx55SCyiZjNctj ++/WTGfIJKfQPuvX1BiXqF8gRhV0/ipzRKwiR77uxlxreSFN6pal2RPnlmN1mIQYc +1lN8tHvxaegO+JFXFEJt+6VK/qwh9AIrHXhBC7RQ2o5gdQSs6EHZH0kOkp9O9zsn +pMBF13PKGrxWrVODMzNwpYgX/lHji68tyFNdiwIDAQABAoIBABe/TzRQe/ZYx4Bn +F11blokysyLtgk47FbV50f5ueZwFKJbeE/nOZl37Gs0SyHAk5jyl/ocssXzbyJih +O9VNBVk/e/T07Kceffl9LNYp96fMi+buIuCrF+J5/VgQBBSmyLkdTXF5+zueZ881 +TIgsZzoEUp0eW8gPUsWJj7Kir+9lQlZHDAJ9Kn5J/L74qsz2wgnh7lCXE+hXHT/o +uA7azm+6rMBDQG5t1ZHG5RnVJO52hRMZb40A2e96EUIyUXRP/ujtmn+PwSTN9c1k +fmHofLWCMG/mmVQ3qVj9U7RUxAxhBeQK7r2YPdG/mKSueeVgEJAZI+MU2RTsaRP0 +7642xkECgYEA1y97ljyv9fqfCbIHRPjZ4o80MkwlhhlCvkhva0GaAk3lvrWE/OjT +WCSgrm39U9Q5Oh7Fj/uBsyFHIN3WfAEDJP+PRmB+wm211YxUKfAwODFw780fPib5 +jHyAuQl4ip/sdhpE2+HZv11yJIqJ2GS0WDAIwxMwMyra2DYCmFdR6XUCgYEAxaSN +ZB0GvBJNqw5nYzLfiuekUoHQVMi24bHyJ2YvBIXSjA0XEFRmApi902gWLmrqCFR+ +IK6l391tMpbm2BZXPByqUQCG7JFsf7AymgiVrmZtMOZT/fAC4sDVHBrUcK2yIRY3 +lhOZCq9rZExzPh+v1tctoTa5EIA9mkzD4FdASv8CgYBFugkd4YRS/GbUSW+5lblk +hGqxcaMnFMBf0DDqXFN/M6aiaUcyfG8fPJ8kZleT9kyk3Ju/0Aty8/GMYNXDUMCo +GHdgopvwfIRTMimDfWTikIK78YeSKCbsstszGjKJGNESY+i0Jzbbn3gBBzMrf1ZA +zS/JpkoUCmrnbHjizEiqkQKBgQCqPeJ4gLQjXdS+6ipN/S0mlf8p/p132mgFImUG +YPNQ/wBsGH5sV3aC+BRSvE6W7wrl3/nApw9ENJPxxp/TM/MyWTKvkTenIGCH4DrG +CWz9C0c0nsFsc8fYj+dBTS7+W++apmt8/yaNWKq1e1CtC1hIQ5MPUXa5au0lMshq +Pl2n+wKBgEtm6+nKv0W/Smo6A4WiQz/IZH8+gQfOqdIQisZSSen40lmbyOOpmaWb +qS+4FKzalcSduYRz9Dy6QlGmst/cj9UvwNmO3wgv42GZNFHdK1Vw6baBYqNyjlkT +gVTwUl2jL93WnEEgvx8JENv8mkZf3IJslKvxDoPNnPHD6ha4ih2C -----END RSA PRIVATE KEY----- diff --git a/integration/fixtures/server-wildcard.crt b/integration/fixtures/server-wildcard.crt index 02025950b05..d55b552edbe 100644 --- a/integration/fixtures/server-wildcard.crt +++ b/integration/fixtures/server-wildcard.crt @@ -1,25 +1,25 @@ -----BEGIN CERTIFICATE----- -MIIELDCCAxSgAwIBAgIUGtkVdLvghfSjGwEVSothEo9W2mcwDQYJKoZIhvcNAQEL +MIIELDCCAxSgAwIBAgIUOabGn+frdQRBVqdYXJjDeLLgR7gwDQYJKoZIhvcNAQEL BQAwbzEMMAoGA1UEBhMDVVNBMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH Ew1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKEwRldGNkMRYwFAYDVQQLEw1ldGNkIFNl -Y3VyaXR5MQswCQYDVQQDEwJjYTAeFw0xNzEwMDUyMTU5MDBaFw0yNzEwMDMyMTU5 +Y3VyaXR5MQswCQYDVQQDEwJjYTAeFw0xODA0MTMxODUzMDBaFw0yODA0MTAxODUz MDBaMHgxDDAKBgNVBAYTA1VTQTETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UE BxMNU2FuIEZyYW5jaXNjbzENMAsGA1UEChMEZXRjZDEWMBQGA1UECxMNZXRjZCBT ZWN1cml0eTEUMBIGA1UEAxMLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUA -A4IBDwAwggEKAoIBAQCzMQzTgoljoR19y2EQIUZhVBBtej6d0/lYHc+yI0EmW75K -GMcubDdFOY/g6ceg5t+MJkWpvJJ5h2l7SVV3UTDHtxJyyQcJcJ7FBQ9QqwrrK+4X -U1m2WsB6qqzd5x/wNRqncq9Ql6PnMgtem1FaZYR5K5HievT3+24vbWFAWtbOZ1Io -InZJ0Supba2SGlt7iToJ+5/jd+x5adx5ncSx/pxKHSbTFcvDosssWNzDyDZ0btO4 -QcQE5ARBnpdJA7O3PwFlDRF6JL7OK5r4hMai/S9xa3FFMWFL7lxvX+oZeSqZHL7I -NarrksOf9wWchLP5Jnf3zk2xYH+ZkMUFOx/l+CrdAgMBAAGjgbYwgbMwDgYDVR0P +A4IBDwAwggEKAoIBAQC7hoaTxOBiNCweLEaPvqTkN850gI8DSDVqrdxBwPn9Bd7C +Jq3KxI5fKT1aUryPolhOzoYAxYfoBezXZV9PpEI5B3Zg39F+BfTvPOTwsbJJDOLC +9bRvJnaq4q9lOB/Af42SoW7H4gRZOrQ8F834652QqkDwqCzrChgAT8hvjK3hj30P +kUdstAOGhsiHQ0QoTHYEV/oIFRQoa9VKCvESCJKzZE7ZSqOPenCXaKYt/TeBJBJR +UfXo4BcW6NQiFJrgUQBrC8NHXeyS3WaM5fIU0bvegcI+ZWF+h7cgQuFoZUjIzuyv +j8W7QYxOsmWwSJtE9l/qPPTyiGvxIU+Wb4a0c1B7AgMBAAGjgbYwgbMwDgYDVR0P AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMB -Af8EAjAAMB0GA1UdDgQWBBQtBXmweuHsV5N700wHGmlma5a65TAfBgNVHSMEGDAW -gBSt4lqZZ20BpzYG8GSym10IntbrEzA0BgNVHREELTArggwqLmV0Y2QubG9jYWyC +Af8EAjAAMB0GA1UdDgQWBBS40qprvsYoVX6aaMwivvVzUj55JjAfBgNVHSMEGDAW +gBQdqL0i7KF7tmBTUvtR2FpL+Csm2zA0BgNVHREELTArggwqLmV0Y2QubG9jYWyC CmV0Y2QubG9jYWyCCWxvY2FsaG9zdIcEfwAAATANBgkqhkiG9w0BAQsFAAOCAQEA -W7cyId33I5NtntbF7gAWlB426D2miq1dGbSbxLhbt4n4yQ8va7KbBK7Oi0MAVLMf -HImCXnY+TEP3jxFbQuzPhd/ghxi5xwuiPt/+sqebiiXHr8KhCFiBKx7CAHQsXKjx -vADeofmoiAA6a9HUJbDfcJYz0mUoPZPcN4emCMv9PNOOybxjRqDL2HeZWwHedPth -kfJkOHM0NXwb+XyRY3uZHdRC5VkBBmI7H/Jo0kGYB3T7YlREfGAkPd9Iop9pfitY -FfYVu2hcxQCmGYtLNC4csP8C/nL/0o/2pIz4ldFNsYqH1swRnZQ7A+xwo7oFhvfK -RchIgJR6qcPHkR7oloYDxA== +oihDJmVoNTt+UNfUOXJcNMAbAhzlgdj9ayrjq6YBcJDr8SJySM9qjRpXhEuhJzti +Yd7uN67G7UdPPnyT0555aMQ7aiG1wRWoh52ncclBqcu5fAFbB6XhMn6XniyRy3iD +hQBgVquwGFJuPeTzGtt38nNUnssgDnv4MSOQEhmXxVyEmYID5xc6ky7f1jWIbueG +EeuKjevTteKQlmKo0ofSm61mI15opt28gKgREhumLTQlSAZw7WL7LLe3DVod3pIV +s0ltBkfYnMfbOLp01WWIQfBNsDlc06/UfDeV2p2ZfGHozus9xPSxSqSmzMY+hcDM +OyWhJvpGLXfexOqiafT12w== -----END CERTIFICATE----- diff --git a/integration/fixtures/server-wildcard.key.insecure b/integration/fixtures/server-wildcard.key.insecure index 58205e59e4c..0914e0a042c 100644 --- a/integration/fixtures/server-wildcard.key.insecure +++ b/integration/fixtures/server-wildcard.key.insecure @@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEpQIBAAKCAQEAszEM04KJY6EdfcthECFGYVQQbXo+ndP5WB3PsiNBJlu+ShjH -Lmw3RTmP4OnHoObfjCZFqbySeYdpe0lVd1Ewx7cScskHCXCexQUPUKsK6yvuF1NZ -tlrAeqqs3ecf8DUap3KvUJej5zILXptRWmWEeSuR4nr09/tuL21hQFrWzmdSKCJ2 -SdErqW2tkhpbe4k6Cfuf43fseWnceZ3Esf6cSh0m0xXLw6LLLFjcw8g2dG7TuEHE -BOQEQZ6XSQOztz8BZQ0ReiS+ziua+ITGov0vcWtxRTFhS+5cb1/qGXkqmRy+yDWq -65LDn/cFnISz+SZ3985NsWB/mZDFBTsf5fgq3QIDAQABAoIBAQChJKMcMm/LIMCc -t6D6GHJqZGbBjQVyeYXqMCTvVbTpAegGSnIU1Ux+/FzfLl1P3U97gY90LRisIZJC -RJiPTHxJneEBSLcDTjv5gatcJ/URt9fNMi+jRcmChqoehBK8uYTWwNPX7gZ/iwme -cp6eZFzVetEekuRpfbqA/CRQ81/pDI7r/e0Wviq9aLJ4kuYNEnMBfG96pXtStriN -4Wb8WY8X9ujIBDNmiMRCDQ6QVguO35Kiw6FTzmEWkttVPJ9l6YxVgS96dPP3cbSe -uEyVLU8Jpx3CUBSLS9pru3XoFFWD23VUZagwLm0e6pKGgLCc/x8cv+G6uNCxCowW -/9VZyxAhAoGBAOfwDEJfMjSeoaF8ukQJVxoGht7kbOjTVOvidyuJ+kuuSuk5u6kQ -FsH7F3vYjUG9n8IPxXn36m8t2U/WFf4Sqb00TcXz8rl9XGSwN/bYgA7YVYVl/NJj -ViYCx0yTPUQYbvyHx5Fgj09RZ4D1vOpQnSiDc8VMJD0ooDDJdc82Yun7AoGBAMXI -IyjhbtSW/yErw/fBLeuGSmPWMNShuq5WeS1EyYDwTlzg2FTDep0/fzrqB17jK6Kf -hxQfL1p3zCa25h0vgfh5qZ/Ydo3CEX8dmzE9XNOh2bzZeyO57JgtL/ovoNu6vbQk -3FcYCIE148eTED6Q34GU0Gjvj/TWXBJnBFT83T8HAoGAdOtIcsjkWSxCVFK43wVK -WD9EC+ZglHm8DHEMG/GhMDd7YdiNpisLHdxCuVav1p0NhNlIdjSohEU7kAhe68Zi -tJNCRXC1QhZU1hkTDSeUXmdlrSp9aV1UFzM9Xne24bXjdP/JdZqUg6qIn7TA9+mN -X9fsK2A3wHDTV+Sms78527MCgYEAuDqCtbO3PwMfx1AzDHa/RWIjrPd5KLc1Yutd -mJM4d4hgFhfCqsIjVpIs+z2/e91zadnbQx0BSO3KFk3L72evUzpQjHpfhBA/p/51 -7tnPu7pJTaXvFAo9nkqJJCx1U/eQeVrUe7QBSApgkCgmu4DLELMDpptvpop93Q5k -dJ3NoMUCgYEAr1menJ2CogbPAy57h+0LST/w9tBQaYeu5krf3HTWrhzUaXVobkil -3aVpO9Ia8Oo5SkeTSODJoa4U/oeuThJzrBJgGRxo8mXeELmpFCKjHOyj4h+8dgcK -8KAamUqmT9WVDP+8RqTKbt/jA7HulC4ew76PMPty49Ln9t/o8BXBGVY= +MIIEpAIBAAKCAQEAu4aGk8TgYjQsHixGj76k5DfOdICPA0g1aq3cQcD5/QXewiat +ysSOXyk9WlK8j6JYTs6GAMWH6AXs12VfT6RCOQd2YN/RfgX07zzk8LGySQziwvW0 +byZ2quKvZTgfwH+NkqFux+IEWTq0PBfN+OudkKpA8Kgs6woYAE/Ib4yt4Y99D5FH +bLQDhobIh0NEKEx2BFf6CBUUKGvVSgrxEgiSs2RO2Uqjj3pwl2imLf03gSQSUVH1 +6OAXFujUIhSa4FEAawvDR13skt1mjOXyFNG73oHCPmVhfoe3IELhaGVIyM7sr4/F +u0GMTrJlsEibRPZf6jz08ohr8SFPlm+GtHNQewIDAQABAoIBAQCvNRGoHtpG5tgR +mOyUgVsun7WVxEfamSzPb4HLLbJkZYerftgCC4O6BZ39NjBXQyee+fbZ4bUJY//V +gDF9B8uX3RENkhD53jbrD8oX2O7qsc9suITNFPLq1sFpoPaJtKNhzNLkjpfhhqe/ +Pb6ERCADeg8Syw6sy9GA+QocryQHCZ1EAFFehgdfXqxXL3zaRMBBzoqV64gE4fYt +B/oy88HxkISxNbmcoPTFPw901FaDsSovQlfay1D1fZIZr+oC0Ywd5tp9IaWUzNoD +oPWeKdRjVbdZzBfC/3oR79/sC0b8fTfZNJCH2Mcw5eCfdQZc/nht9vZ5WZMOnIcO +KBoA/6CBAoGBAMJrw6H3Z5DXferWjFqXSTKyOCJk3Giy6q7viF+YLH7Ob08rih06 +kGdxv6cpAPoVbjl9408IcUZ7fF5GmvuOHEvhxCAA1/lC+Yvb40xhoSIcnFc3uRqL +EomgM9wPrHhJTB5MRoBfICWnqX0KxWx8TCpBaS+y72T33cBpK7nsvsP1AoGBAPbr +qBjJa1P1C+Tj57o7cyGUSWXmjqLT+5W8HWVH5ih5pnCna6i0ddYmC6TUznAGeAvu +NDlzlaFxsEIeXBtlfVsJGaWqvsxacvGRH5LF2vd8jXnPvULw89GVSgNKOefPssAc +3N0FiCchZQOmKGJqugplAAkChi2rq2utxSMZ4GyvAoGBAKJ7k5TiAiDPp4FC6yuu +sdL3lOhRqM6rcGzg7PUPZWhYuDfPKG9DCXoaW1SldRaMIIFVz0m2wYxpGUhk85N2 +cfmM5e7lJZpAufODwlOMaDDs/k/51u3y+nwgchbg1n/0qfPMRUN1vJUbqQ9CmDoR +K0pJPlJJ1b5pVF9AxfVtgQSdAoGAGyF/oeGX0mzNdsP39UWM+/aQLgssRwXl0ekO +jc9dobrkJ+KteKcDf5lElELxv+tmC2GMCXgCy+9y/4DYfAYlxPf2AncFaezSTmq0 +vmrRCXp9DRJfaFiTYcb2j+/69taifGtvdTWjZTFNKR57t3yknnnEjDjjx2bief1o ++NdiCm8CgYACYA4B+z9IILm3repOCpnSRUKFMGHTFwT0J6g6D+ZouLVOOoXjiO4n +HTLCScSbj0ukG5GQCv4tozJX6msEuNpufVXjpuzKg+372qp/moWiuUnsOnhLzeLO +vIQeN6D2TEu/cyA7GF5pvf52GjRsGxZ+BtPZkENnMVQUBxJUbhRk+Q== -----END RSA PRIVATE KEY----- diff --git a/integration/fixtures/server.crt b/integration/fixtures/server.crt index a15e5de894a..2df2982ff99 100644 --- a/integration/fixtures/server.crt +++ b/integration/fixtures/server.crt @@ -1,24 +1,24 @@ -----BEGIN CERTIFICATE----- -MIIEEjCCAvqgAwIBAgIURbT0TUoUtitOg0ell5xYd3mAiDUwDQYJKoZIhvcNAQEL +MIIEEjCCAvqgAwIBAgIUST7EHam81rQ58ifo9SFOMVkn49gwDQYJKoZIhvcNAQEL BQAwbzEMMAoGA1UEBhMDVVNBMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH Ew1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKEwRldGNkMRYwFAYDVQQLEw1ldGNkIFNl -Y3VyaXR5MQswCQYDVQQDEwJjYTAeFw0xNzEwMDUyMTU5MDBaFw0yNzEwMDMyMTU5 +Y3VyaXR5MQswCQYDVQQDEwJjYTAeFw0xODA0MTMxODUzMDBaFw0yODA0MTAxODUz MDBaMHgxDDAKBgNVBAYTA1VTQTETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UE BxMNU2FuIEZyYW5jaXNjbzENMAsGA1UEChMEZXRjZDEWMBQGA1UECxMNZXRjZCBT ZWN1cml0eTEUMBIGA1UEAxMLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUA -A4IBDwAwggEKAoIBAQC+k2hb+zgEk2WxfXtypI03y3HUo1muX7FZdHX1yKfm/TCl -5OCR1Id8tZv3Rn3+hZEVvjNlOi/Ct5ic0SVa4OpeQTo7u5ku5/RiXE7c55I+wpmw -o1/IUlgeq3nyDKX4RlBJfymSUD+lWHsmhXkpKdU5wcERwL5FnrkdbTQwo+4nBMcc -UhLgWC9awpT7sAXW7OmTlg/szTIOzyJp2YRBoXp6mGsHF0rujVElQyCOBnAi/+zP -hGGycCOoa1eVjZebpFgcisyIwZRO6KugfYIZrQ47Swcqsy4lfkbzXxZ6UMh+FtUz -iXYSG2c8rzdpnHlFQcpfkNrbAu5Q2ObmQh21E18BAgMBAAGjgZwwgZkwDgYDVR0P +A4IBDwAwggEKAoIBAQD0TUinT6pSRiug9M/lJgjAciuKFH4r/DM8/6XKP2Dg0pyL +c0YImuJWRaCUGq/26/MnD3Zh0N4gpugaSY8uPKvLqPEVmSCYvk+tFA8ycSh+OQ6T +jroyCiQXya+7wWxtkeN/SuqBYleAZDuMS/NHtpvfY90bPBvtdFtqyZJ8IfJFbmcy +MlB3N7Kc1MuL7HJOB/Zaa6IWHUoL8CRGeUylo9k0L9rPN2URVO3okM/PbUTpcB8c +Yg0DtjJ7IOcZcFa0nCsjUFj5ps0VBnVA6QUDBRVDASSRZx2+Nj7YBFO/2i0KcJIa +dJWNeN8RH1YAtXSNEpzPfS7hqOgGsLEfnQpDYLa/AgMBAAGjgZwwgZkwDgYDVR0P AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMB -Af8EAjAAMB0GA1UdDgQWBBTATssOHl8+T6AfYWGXqKHyCtUqMTAfBgNVHSMEGDAW -gBSt4lqZZ20BpzYG8GSym10IntbrEzAaBgNVHREEEzARgglsb2NhbGhvc3SHBH8A -AAEwDQYJKoZIhvcNAQELBQADggEBAAzU+ZRqgGaVTGCl21QnfUY4Hj9aqt6uMhVv -b+BG24gNUJgwkCIZODOsig7RWXjPAMkgeGmgyw1QbvV2AZo1NFJT111YhxjdqWLg -ganDb7K2Jm5vm8mVvBVTe2y7ZBdmxJwfo9UYZkEXNQtlbvYcvYnzr0nr5QEc9v8X -bkrbxG1DVB9wU+7hy6s4v9946xQavGUqOOC70wHUMj8gKGnGkd1mOTYaabx3VzPU -uD82AsCQnxOIzk0qze3jCVVoTdzKt9iWpgLdFHY2pa0fdirTN1s80sLpXhUOihSP -+gu2NGP3+C0I6SW6Wu35vpYI+uMWrggu6OCxomAC872d6CVdtcs= +Af8EAjAAMB0GA1UdDgQWBBRG9sPqCHb2WRlBL72fMS1hb/DqyjAfBgNVHSMEGDAW +gBQdqL0i7KF7tmBTUvtR2FpL+Csm2zAaBgNVHREEEzARgglsb2NhbGhvc3SHBH8A +AAEwDQYJKoZIhvcNAQELBQADggEBAD2j8+6cp00KB8gQL5D6hWZ5kY5gh/t1pi1p +O4BFxponK2dOF0mixIRBXmnN8kjEOs/jiyWzIVxv6IdMRZe9BJnaaWi7rS0DJKBR +XuXcG24OQmJj9IEif3KfRMvuAh0rn0Sr0hde//uNqsaay+MdNg8F8QXr6A3SDxfP +H1wZMMyyO7elaITFwq7ajI1XG8rbeYyoLiPDtySCyFY+kLJOdOtbR1z0s41T+9nw +MQ2NhwXl39kuzZDTl6vSQZAWmVarDG0zwriIkDK7SRZ9voRU06H+JAuKN9aK+2TG +8oe2D1a2lSxlaBqwB7wm7sO57nqQ7egsnZ3DVV8a4hmulJpSNdU= -----END CERTIFICATE----- diff --git a/integration/fixtures/server.key.insecure b/integration/fixtures/server.key.insecure index 8b5163f7e5d..72a9d4e6dc8 100644 --- a/integration/fixtures/server.key.insecure +++ b/integration/fixtures/server.key.insecure @@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEpQIBAAKCAQEAvpNoW/s4BJNlsX17cqSNN8tx1KNZrl+xWXR19cin5v0wpeTg -kdSHfLWb90Z9/oWRFb4zZTovwreYnNElWuDqXkE6O7uZLuf0YlxO3OeSPsKZsKNf -yFJYHqt58gyl+EZQSX8pklA/pVh7JoV5KSnVOcHBEcC+RZ65HW00MKPuJwTHHFIS -4FgvWsKU+7AF1uzpk5YP7M0yDs8iadmEQaF6ephrBxdK7o1RJUMgjgZwIv/sz4Rh -snAjqGtXlY2Xm6RYHIrMiMGUTuiroH2CGa0OO0sHKrMuJX5G818WelDIfhbVM4l2 -EhtnPK83aZx5RUHKX5Da2wLuUNjm5kIdtRNfAQIDAQABAoIBAQCDTcjfZw1Hic7N -JWnCqUFrKc759Lo7fE8TFTyY5XFZoyS7iCB6GXZoJDCbhIQWsywtUOjUW+zAOgL6 -ONeF7+VKn6JhuXVnbgVhJ7xmU17dwvJlU4sQ2DtCll7kuHY5wyhaGzUnTAcuAvKG -rfu2ss3oh2hgtO3jxeJBNhZ5VNknI+EycvW1JsMXG7qwySqLwtuUhptHmxyMTcXt -LZi2zwmBKX7s44fCQrLq2CAo+GMJ7OFoUtZezu57ySki32VnL6uwM8ErKnvxUbHu -H64erRRJ7Pw/qDQyYyo9pX/pKmcjGYIpt/ywYqbvszBY6ad3cdjtBHcS+9CeLeaN -LrxAqNcpAoGBANr3dX2TMiCRiT6sTR+6ainzj/FHFA6xSU4ipe6uc/65zxh2xGaN -+FrkDMmlvEEQLboEFdkiQikZK3xNHB/GEqAEmMsDgzYsg36JjsxLYLR9XQR3TDnu -leNtjk/P05jiJchrL9m5xW1WM4QxwD7rf7TSRia/BrVyvQvhI3p8BKGbAoGBAN7O -t/UajS8xjJmx1+u92FPXHnFi+tLuEfdd6ooKdw9rXUARVgeBsGgrLLrMKoCzdfWr -txw7j5DjOlcx8ZXpyrcVyGJWuMboV3uf1IEiYZsMd7Le6yfnz4qgUPFmFy3JUQb1 -cbzc9dBuhCLQ2H7JU4EhlhtxyyY585kZtDaThmmTAoGBAIw9bVxuB+7gB1zCkeq+ -Q/x2aDyJ34jBd0e53TiPNu9wJflvJ77fMq9T2/TSV038hKzcrPmSfXlBC57i7B5V -h9xA1XNA3qq1u8oxY+noZRl0KT0RAxsfeZRduIXZf5YtUTGZpN33o0CxsvD5xD0I -K5SuEAwE0NEpmXagTU7HW1f9AoGAb+z0aEJQTjbb5JF8YEZcF7Hm7xrD2ZYSnGsn -WPTs3mgWzgpnZxn1Hj8iFyxc5Y5BYYpDUAFzm1sqgYbrT13Eobhlk1DxPaqV19pw -i/ZThen7b3WgN8mxbngecUXRuwR4mcBOxItTSMNbyYmUWAyW0DWpDFxbqvZNsslA -yHHPgdUCgYEAuIRHMNanm5eZz7iXUMShAIUgaqcEIFOQ4W43zPQ1/F2beJBx+VoN -u1Bvs7K9GBRDvJHcsjRxhYnwBwGu06M1NRG3QBW5VNuezpKzvchCgWR96ulzNOIe -5C+j3zQmut4sOx2IY0zsJCfXnLJSoYwwtM1eVzY06uHwx+F4SMv1z8w= +MIIEpAIBAAKCAQEA9E1Ip0+qUkYroPTP5SYIwHIrihR+K/wzPP+lyj9g4NKci3NG +CJriVkWglBqv9uvzJw92YdDeIKboGkmPLjyry6jxFZkgmL5PrRQPMnEofjkOk466 +MgokF8mvu8FsbZHjf0rqgWJXgGQ7jEvzR7ab32PdGzwb7XRbasmSfCHyRW5nMjJQ +dzeynNTLi+xyTgf2WmuiFh1KC/AkRnlMpaPZNC/azzdlEVTt6JDPz21E6XAfHGIN +A7YyeyDnGXBWtJwrI1BY+abNFQZ1QOkFAwUVQwEkkWcdvjY+2ARTv9otCnCSGnSV +jXjfER9WALV0jRKcz30u4ajoBrCxH50KQ2C2vwIDAQABAoIBAFuoEzYSgYhUo1HE +B6ulVWs+am9nuN6vxFmCYKU8mhA/dFQtb30S/w/3F4P5b0NoytVAy91vC6ecd0BF +kN58DMhgHfNIfB5SaHo7KGh4ZATXS0y5I8paW6hBFxmOPCvvrDa52LmqN8IH2P+O +Dzw8msZ5JR9usduo6BNshPTll4vMYGXSJJWBAczwn7ifEUp0zIzvfbzt5Gj9N7ik +E3AzIT4lWB1id94BCxXHVTBtuSf2QgkK0oZzsbQr3FN0Mw30Cy5Rk90ns6ejihNp +YHqsNzaVlxifNpf8ruM22+8tg60EnywKaAhwPnfwkigDECZdkc6SfsgahV/8wcGW +LBK5NaECgYEA/h9Nk7ghlXCLITM12G6kOTwyz41+PoDJh0v6rMZ7+5HGSCmMtWAe +ERA41D6NdS0G+RRatnM3D3iClRMD3Folp+nhZjumx/GsCGOo9x6HS1GqWjqe6uJ+ +KgXQyuRyz/v9LxTu+vXvyrwkM+yOzNkZMfB+ouKH3Kr2P7zZ+buiZhsCgYEA9htn +kKWKZdNY/ACE2v3aW5sebrP6nIatf46MqJKqlB2InhJLjZQ4Dx/d7ZNCadn8WPjc +R8RIFCTV3xaeYsJWmYWuD7MX3/8WcMo5ObQ3TblmTpWvgrPe/aAKeu0L9jSN1Irm +DlbQblPoftGrtqOhirqiSUCKujSEU4A/kd/ajC0CgYEAmPQSZ3UOkbn5o/QE1s5R +fjmjg5VwhQJTSmIK8W9ONK8bH1gS3yCJOFABRI6Z6gs+BTGhH+vdGiy4vC2Dx19j +BtwY1MXWrsXhe/MwQf1YBZeT51cdS9cjhPuXHme+Sz0quOnqpZbdy7LOP4qEsPuC +1LIiJrwedk1YhiiPMmcjaj0CgYEAmep7s9gEHTi3rys366nVlXMG7l87PgdwnJTv +XUIU0ntCBPIWNF5dTQA2EK4HXCILky1Yvr2AArEi3NnNhqBZ/ru/J2xvYxSq2TFv +5qnR6Jcp573vvUN3E5Gy3DxCPeGSTjnsNU2QH1/0yNOim5/smNGuSzfFSz0rAPn1 +R+sDSKUCgYBl+TSWIAoJG76eqPVXShwhA2kgNgfrYdyY9CEoRXMyxF0nWYXeR5yS +sn/6WlQz9fNahpQnrqMjgMMYqr1NoLeQa13Yfb7PrLToVZ4AOQOC541ddNQ9352W +1sf8ZkDljKz8uywdhE5XG8fvomtCp8IuNA5shR6A9qITjMXt+OPiAQ== -----END RSA PRIVATE KEY----- diff --git a/integration/fixtures/server2.crt b/integration/fixtures/server2.crt index 52330da5da1..849ff41ee37 100644 --- a/integration/fixtures/server2.crt +++ b/integration/fixtures/server2.crt @@ -1,24 +1,24 @@ -----BEGIN CERTIFICATE----- -MIIEEzCCAvugAwIBAgIUev7+NZl9RzdnsOGshKbMEHIxtD8wDQYJKoZIhvcNAQEL +MIIEEzCCAvugAwIBAgIUSrWivTxPFCDcSO9wcsAfaQRpncowDQYJKoZIhvcNAQEL BQAwbzEMMAoGA1UEBhMDVVNBMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH Ew1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKEwRldGNkMRYwFAYDVQQLEw1ldGNkIFNl -Y3VyaXR5MQswCQYDVQQDEwJjYTAeFw0xNzEwMDUyMTU5MDBaFw0yNzEwMDMyMTU5 +Y3VyaXR5MQswCQYDVQQDEwJjYTAeFw0xODA0MTMxODUzMDBaFw0yODA0MTAxODUz MDBaMHkxDDAKBgNVBAYTA1VTQTETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UE BxMNU2FuIEZyYW5jaXNjbzENMAsGA1UEChMEZXRjZDEWMBQGA1UECxMNZXRjZCBT ZWN1cml0eTEVMBMGA1UEAxMMZXhhbXBsZTIuY29tMIIBIjANBgkqhkiG9w0BAQEF -AAOCAQ8AMIIBCgKCAQEA3VZyO4MoZjGpPU9hbb6SDV3ESNjUiS+pojigIVJi7C4b -W1eJvPDpodetKQg22Htq+Vj8mpCmnqn7/8pegbxV9Fc3Fyy0kxiEfHnaOpzo8GWh -pReubHJ2+kj2I6gY7HnKPJ3KP3Z9txKECNm9CtHuoOxjRvHR8SThcVYZqxz6cjkg -ZB/AUlhhmxbnCIc+jr5sJWp9H0IDufLLGSeUQlFa700JJmF6qzpwDAcqv1ZiWJZz -LdCJbeR1yGimluVsiA/XOobz/m63QA/PfCUwVidnbRFy2JP40R19GU9+5Nbqe1Cy -JDWqcqcEkv/jG7UtsdDXSpm2FUnoyxBIv/U/n/MHPwIDAQABo4GcMIGZMA4GA1Ud +AAOCAQ8AMIIBCgKCAQEAr/MXz/jk2+YWddZNFCA8uBmWBhytJYxt9vO5cs1h2y2A +S/cm0u3xSqwe8KSknQNdNpaxnA0j6pryKX9diiMoETowUNu4GzUrLaU1GouA3qHi +hAFdeXAvRZeV4LXP7rToU7KBigCQKTS1G0Qc++GztzHsn9o0pk4fn76SNHFDfb6r +3F6WRNXQkDGnZinxZfEQvS5/jJ/8lxJGJ1UpmRDr+vrIG/+UUldv5Noaxgvpgrvu +uZFkdxerh0LrZyBkFRJlsqiCDLXD2Phbcb9WAsXKjs7hPScQJDGpEd8HKdiMmk0F +c/5ZcO4PXtUbIxDX250tjCzDd7kjvg/ON8DeZjRFZQIDAQABo4GcMIGZMA4GA1Ud DwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0T -AQH/BAIwADAdBgNVHQ4EFgQUno0oT7FhR8s5LUqCHHpR2oLyWM4wHwYDVR0jBBgw -FoAUreJamWdtAac2BvBksptdCJ7W6xMwGgYDVR0RBBMwEYIJbG9jYWxob3N0hwR/ -AAABMA0GCSqGSIb3DQEBCwUAA4IBAQASJMwhcXXFwFElnaFE/z6fCiu1+fnVdDyJ -ARjawqNjZS/wI1uC9LOkfDOMfDm7vF6/HVA0VijCR+3p4+bXY3SyXigMkZGlwkHO -R12Tnph2+RVsUaCcSmKNNcJxKjYXlU1bH3vyZ8/EmtGzsYnUlGtHfsHSHBdL/eHN -g958qOHHYLtUWQsCf0az51mXO0yeaD+9pzTcnUX6tk2Er3OVKF51AdrdQVjQ9uub -ST8onCbuICF6nRzXiF+sxv8h78ilIkdr3iCJw3TnIOLgXs8uh9PK3Du7Qh/2UD/5 -EucAVCeNgJQQ7Bvtcw+VIPLWwXnq71qu8p9Datir5dghK9FGmYeu +AQH/BAIwADAdBgNVHQ4EFgQU/IJXo8uD0E/mJTq+ZGdHoG6+otcwHwYDVR0jBBgw +FoAUHai9Iuyhe7ZgU1L7UdhaS/grJtswGgYDVR0RBBMwEYIJbG9jYWxob3N0hwR/ +AAABMA0GCSqGSIb3DQEBCwUAA4IBAQCbu6QCw/K8VZbiXoCYTiMYznCEfYvOjyer +rMpDGslu4NrPUksHuiWCff4B/Nolw2e1Pq1xBJCpiroLbRGcFOnSJEhK3qHFdzQ1 +NNps85Ckr5bLC8h0SYDhNXlhnvyRQJjnNUqhApZQ5HkjlDrJPP41grhLsgNmIszz +hf8bjUBzC03C5tfYSpY420htFgTt1hVKFoNeL71OZPlujza7ZGOohP122QTp7TP/ +xjrnzOv1s261H9biCc91tNTlp2vgLfwUWuw6yxNHQyzHFq91YlAGoP5/F7AtCd+n +5V+B4FaFvQwA7To1E+DwF0fBm2uw814/jj8HekJt7gi4Xp/wybBM -----END CERTIFICATE----- diff --git a/integration/fixtures/server2.key.insecure b/integration/fixtures/server2.key.insecure index b2592089017..57c1fc77f4a 100644 --- a/integration/fixtures/server2.key.insecure +++ b/integration/fixtures/server2.key.insecure @@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEA3VZyO4MoZjGpPU9hbb6SDV3ESNjUiS+pojigIVJi7C4bW1eJ -vPDpodetKQg22Htq+Vj8mpCmnqn7/8pegbxV9Fc3Fyy0kxiEfHnaOpzo8GWhpReu -bHJ2+kj2I6gY7HnKPJ3KP3Z9txKECNm9CtHuoOxjRvHR8SThcVYZqxz6cjkgZB/A -UlhhmxbnCIc+jr5sJWp9H0IDufLLGSeUQlFa700JJmF6qzpwDAcqv1ZiWJZzLdCJ -beR1yGimluVsiA/XOobz/m63QA/PfCUwVidnbRFy2JP40R19GU9+5Nbqe1CyJDWq -cqcEkv/jG7UtsdDXSpm2FUnoyxBIv/U/n/MHPwIDAQABAoIBAD67tK7XcsjcRHqD -GDsxq1WsgOigxESJxMucvw4SusT0IH7YJcrugVmEtqiNknXzLRO1PAtW+lK4HRuX -sQeWaMpTOeMQobGbXlmlc8vvEzqno5QWTTKhksVHjrP2ffHwZvidRGiOXf1YeyHD -DQiXDcqAlXbTLUzqxhcIb0gHc5iRv0FlM+91mbhZ/el/gJ7UBhzsr0Rx0ohlTmuE -7KRXeYu/A5mlIa2Kq0hrUzNcT55qucOPsQVe5Ak6aFlC5Vuee+o4/uyyvcgXmtUX -ugNWIPIni6cYTBGktMZZAwNzyvVyDxpij6c4xFVL4v7NySmH78hJJfnMwEQAr1g5 -jV3ZAQECgYEA37WdidaZTD2Heq72Yn6jhGSDQhps/Mr1fRvtNwltY46L6jGThsn4 -DAJPIpBUqV0LmKi07d2Chsgu2cFD9TBSQchMA7Orx477u5ssA6wy37N+AGRDk7h4 -Nw/GvYA0LweDxuKO5C6musxV0MlLinMCMsvupfUL8MO4S3wB2UTyuIECgYEA/Ukw -7BfOVm5IICD8NKmgl1YjHEwOXEEze+1HCpT3WGZiLBTWZYRICzZEgMQwf7VfqI5u -lLMgy19z+snC1mrbuzoDy4Me2vrOfllBLwwbv/AJF7R/UftD+x4kJGHv5Ex+em5g -6cVd3C5USeGcO1MwefXpJar5n4m/1OY4l0aj378CgYEA3IVwHT8g8Gm60jIEiIUj -dU+LoC7ifrMnGUPdK6KsZTZQL/Tc40LWtCfWkFDMVAN3ee3cJJp1n51Xqan87obK -nzPt0rxbOiV1erL0yU4G/EM4kvRDNSvjvQtdMtJdHnr+6J/OkZp3Gq5wbZbwUzMZ -2K70uj17nsOgOTCttdpklYECgYB0ajGMMhzqaOHJsp947QYcyMB2fxaSnH03VoWy -fWl6PgSdUi6All4umRC/Rm0sJYcECAMXYYWPNB4whI+C0baQxUd9QJTr/R7vv8JQ -B3axr3feZ12lpqFGSEJAXqtN+UKgrx7oE4jibIDdPE78jW3YgIhagc0d4MhE6FPW -Y+dqLQKBgQCUQEMiTwGadmDy0VmzAYVmKQV0qqb+hHswPt2Nyr5tNs7ZGJXaiW1+ -t2AtWeFFvpvdCaN9q7G5sZedIeB/zAByNTGF8ztBB3dSyv7IiMhthAWaC1UZefD6 -zw7N2UCuvjwvh+T1fi8BpMvK4YizmSyw04tEvoZMnhK1fQ2r/PWsjw== +MIIEowIBAAKCAQEAr/MXz/jk2+YWddZNFCA8uBmWBhytJYxt9vO5cs1h2y2AS/cm +0u3xSqwe8KSknQNdNpaxnA0j6pryKX9diiMoETowUNu4GzUrLaU1GouA3qHihAFd +eXAvRZeV4LXP7rToU7KBigCQKTS1G0Qc++GztzHsn9o0pk4fn76SNHFDfb6r3F6W +RNXQkDGnZinxZfEQvS5/jJ/8lxJGJ1UpmRDr+vrIG/+UUldv5NoaxgvpgrvuuZFk +dxerh0LrZyBkFRJlsqiCDLXD2Phbcb9WAsXKjs7hPScQJDGpEd8HKdiMmk0Fc/5Z +cO4PXtUbIxDX250tjCzDd7kjvg/ON8DeZjRFZQIDAQABAoIBAE+99r7U6LQYtXk2 +ZLyIV7yALBQdDwQDfxr7HsM+/eid2JWVL81M9ZyIIYWiuNBIZAiHh3tYIT0EeFgC +V1xxzojwPFGJIwmBsU4An+6l5wP/jm+RRtHw3BvINa8f91sSNnEoZ7kpxCxIrQPs +fM5TXmXahIl2FYKByadWcWC/LH1iGmZkFwnO2UwwC3Y3w6RzkQARqdjjjTRi+6ZO +IWTWrJo/OEBpLU8me2MnDCeHodR5TdO6jdVa7GKKD8CENxSYHyrKyXRDD7W/DBvi +mlwDbOViSPGL7F7PiPlrKU4Nidpwj0WyJM4fXpDTZR6GXoKjwvw39IfrhZMyHtmU +pPxcbkkCgYEAyyNgMeLQrtJ6+FyiD0pnSL7zXvS7rBt1D/B4g5U/XK1B+d5zMxMc +jilDI5do3v0DDuZ4wKP5zr6A8A5/NY+fC3zcOzJyeD+VZMLxqLiqTGv88PmHK6X3 +ZScik5xKIYVWQeg9If4t4uf50ez1njOrs5YTQyEfSnsxvvtjg8VCRIsCgYEA3bx4 +t5dSEn5r9eH5+2kzpe8kX7+LUHdWZe9YAWbiWrPtSmzn4Yu7zKMBNWxZswoDZCI/ +17qQOIvRY9Zc9SWHUOBm3TWwL/W5NL+ar2MfFm0E36pfSR8gfxqJIL+2GcnExsRn +TKYIK6KbUQ4nP5PBXmGANyocCJuGSKP8a6JCq88CgYABstYHFMJx88ibcwrX3eNn +NFGMpbc8BS7BZ11anFDfUYOPt1B3SN2gQrARCB8UXkE8SqkP008vb2BcoYJmzECk +M/MTe6SBZOa25PpoUsL5yJ1g1nVO5CBhdCZR3aixBxBllK+OLTXtA8uO+dBD9mKl +KcgXc5tzX/xWgHuginG3aQKBgQCL0WVZdvyUls0izayg4JRlxKbuDU0enzGGs2aN +8781rJErRgLtkPwJrJt9gWYKZH0A7ivNr2Fzlo6hYrFZD6IE2ItkX49Knqp7XXp/ +r4QR0wqosrjE1fDa1PO1B84e8sC3CW+NwIAUa8N+V+tdxqC/D8IWhuIId3E0atsn +T7i0twKBgCCvRaUaJo78pmQfVHM9IXENCt/bI8LxcMDcXy+AOg3+AQmrcM5aNr7z +yGkaHtSHidKj0y+lWyGhUcxRE/c2zlNQaW/yqO9aFFc5/m10biO3VEl5NMaK+WHB +LgGxZ35IBcncNBpJpcUBQ9kAUZ0FVtjnj2E6XJi12IQB+iS/4GXV -----END RSA PRIVATE KEY----- diff --git a/integration/v3_grpc_test.go b/integration/v3_grpc_test.go index 4d1c9d81193..c936703d5e3 100644 --- a/integration/v3_grpc_test.go +++ b/integration/v3_grpc_test.go @@ -1654,7 +1654,7 @@ func TestTLSReloadAtomicReplace(t *testing.T) { t.Fatal(err) } } - testTLSReload(t, cloneFunc, replaceFunc, revertFunc) + testTLSReload(t, cloneFunc, replaceFunc, revertFunc, false) } // TestTLSReloadCopy ensures server reloads expired/valid certs @@ -1684,17 +1684,57 @@ func TestTLSReloadCopy(t *testing.T) { t.Fatal(err) } } - testTLSReload(t, cloneFunc, replaceFunc, revertFunc) + testTLSReload(t, cloneFunc, replaceFunc, revertFunc, false) } -func testTLSReload(t *testing.T, cloneFunc func() transport.TLSInfo, replaceFunc func(), revertFunc func()) { +// TestTLSReloadCopyIPOnly ensures server reloads expired/valid certs +// when new certs are copied over, one by one. And expects server +// to reject client requests, and vice versa. +func TestTLSReloadCopyIPOnly(t *testing.T) { + certsDir, err := ioutil.TempDir(os.TempDir(), "fixtures-to-load") + if err != nil { + t.Fatal(err) + } + defer os.RemoveAll(certsDir) + + cloneFunc := func() transport.TLSInfo { + tlsInfo, terr := copyTLSFiles(testTLSInfoIP, certsDir) + if terr != nil { + t.Fatal(terr) + } + return tlsInfo + } + replaceFunc := func() { + if _, err = copyTLSFiles(testTLSInfoExpiredIP, certsDir); err != nil { + t.Fatal(err) + } + } + revertFunc := func() { + if _, err = copyTLSFiles(testTLSInfoIP, certsDir); err != nil { + t.Fatal(err) + } + } + testTLSReload(t, cloneFunc, replaceFunc, revertFunc, true) +} + +func testTLSReload( + t *testing.T, + cloneFunc func() transport.TLSInfo, + replaceFunc func(), + revertFunc func(), + useIP bool) { defer testutil.AfterTest(t) // 1. separate copies for TLS assets modification tlsInfo := cloneFunc() // 2. start cluster with valid certs - clus := NewClusterV3(t, &ClusterConfig{Size: 1, PeerTLS: &tlsInfo, ClientTLS: &tlsInfo}) + clus := NewClusterV3(t, &ClusterConfig{ + Size: 1, + PeerTLS: &tlsInfo, + ClientTLS: &tlsInfo, + UseIP: useIP, + }) defer clus.Terminate(t) // 3. concurrent client dialing while certs become expired diff --git a/pkg/transport/listener.go b/pkg/transport/listener.go index d2c017b6e9a..d29d7f94b63 100644 --- a/pkg/transport/listener.go +++ b/pkg/transport/listener.go @@ -194,6 +194,26 @@ func SelfCert(lg *zap.Logger, dirpath string, hosts []string) (info TLSInfo, err return SelfCert(lg, dirpath, hosts) } +// baseConfig is called on initial TLS handshake start. +// +// Previously, +// 1. Server has non-empty (*tls.Config).Certificates on client hello +// 2. Server calls (*tls.Config).GetCertificate iff: +// - Server's (*tls.Config).Certificates is not empty, or +// - Client supplies SNI; non-empty (*tls.ClientHelloInfo).ServerName +// +// When (*tls.Config).Certificates is always populated on initial handshake, +// client is expected to provide a valid matching SNI to pass the TLS +// verification, thus trigger server (*tls.Config).GetCertificate to reload +// TLS assets. However, a cert whose SAN field does not include domain names +// but only IP addresses, has empty (*tls.ClientHelloInfo).ServerName, thus +// it was never able to trigger TLS reload on initial handshake; first +// ceritifcate object was being used, never being updated. +// +// Now, (*tls.Config).Certificates is created empty on initial TLS client +// handshake, in order to trigger (*tls.Config).GetCertificate and populate +// rest of the certificates on every new TLS connection, even when client +// SNI is empty (e.g. cert only includes IPs). func (info TLSInfo) baseConfig() (*tls.Config, error) { if info.KeyFile == "" || info.CertFile == "" { return nil, fmt.Errorf("KeyFile and CertFile must both be present[key: %v, cert: %v]", info.KeyFile, info.CertFile) @@ -202,15 +222,14 @@ func (info TLSInfo) baseConfig() (*tls.Config, error) { info.Logger = zap.NewNop() } - tlsCert, err := tlsutil.NewCert(info.CertFile, info.KeyFile, info.parseFunc) + _, err := tlsutil.NewCert(info.CertFile, info.KeyFile, info.parseFunc) if err != nil { return nil, err } cfg := &tls.Config{ - Certificates: []tls.Certificate{*tlsCert}, - MinVersion: tls.VersionTLS12, - ServerName: info.ServerName, + MinVersion: tls.VersionTLS12, + ServerName: info.ServerName, } if info.AllowedCN != "" {