dims / etcd3-gateway

This repository is now read-only. Please see https://opendev.org/openstack/etcd3gw for the new location for this code.
Apache License 2.0

Issues with TLS client authentication #20

Open ThatIsGeek opened 6 years ago

ThatIsGeek commented 6 years ago

While setting up Calico in our OpenStack deployment we've encountered issues when trying to use TLS authentication to access the etcd cluster.

To reproduce:

  1. Set up an etcd cluster with TLS client authentication.
  2. Create a new client: c = Etcd3Client(host="server", protocol="https", ca_cert="server_ca.crt", cert_cert="user.crt", cert_key="user.key")
  3. Try to get some random key: c.get("random_key")
  4. You should get TLS alert bad certificate or CERTIFICATE_VERIFY_FAILED if you don't have server_ca in your system trust.

When looking through the source code we've noticed that the TLS parameters are stored in self.kwargs and then never used.

https://github.com/dims/etcd3-gateway/blob/11cf6c43f1f737be29a175d40eca4b714ef82548/etcd3gw/client.py#L55

When edited to actually set the values on the session object, the TLS auth started working.

The issue appeared on both Ubuntu Xenial (Python 2.7.12, OpenSSL 1.0.2g) and Fedora 27 (Python 2.7.14, OpenSSL 1.1.0h).
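
The behaviour described in the report above, as an added example that is not part of the original issue or of the etcd3gw code: TLS options that are only stored leave the HTTP session on its defaults, while options set on the session are used for every request. It assumes the client wraps a `requests.Session`; the class names and the `tls_settings_applied` helper are hypothetical.

```python
import requests


class BuggyClient:
    """Mirrors the reported behaviour: TLS options are stored but never applied."""

    def __init__(self, ca_cert=None, cert_cert=None, cert_key=None):
        self.session = requests.Session()
        # Stored here and never read again, so the session keeps its defaults:
        # verify=True (system trust store only) and cert=None (no client cert).
        self.kwargs = {"verify": ca_cert, "cert": (cert_cert, cert_key)}


class FixedClient:
    """Sets the TLS options on the session so every request uses them."""

    def __init__(self, ca_cert=None, cert_cert=None, cert_key=None):
        if bool(cert_cert) != bool(cert_key):
            raise ValueError("cert_cert and cert_key must be given together")
        self.session = requests.Session()
        if ca_cert:
            # CA bundle used to verify the etcd server certificate.
            self.session.verify = ca_cert
        if cert_cert:
            # Client certificate and key presented for TLS client authentication.
            self.session.cert = (cert_cert, cert_key)


def tls_settings_applied(client, ca_cert, cert_cert, cert_key):
    """Regression check: True only if the session will use the given TLS files."""
    s = client.session
    return s.verify == ca_cert and s.cert == (cert_cert, cert_key)


# File names taken from the report; no file is opened until a request is sent.
ARGS = dict(ca_cert="server_ca.crt", cert_cert="user.crt", cert_key="user.key")

if __name__ == "__main__":
    print("buggy:", tls_settings_applied(BuggyClient(**ARGS), **ARGS))
    print("fixed:", tls_settings_applied(FixedClient(**ARGS), **ARGS))
```

A check like `tls_settings_applied` can run in unit tests without an etcd server, which catches this class of regression before deployment.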

dims commented 6 years ago

@ThatIsGeek can you please submit a patch?

ThatIsGeek commented 6 years ago

@dims sure :) I am already working on it. Sorry for not mentioning it in the report.