Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Document disableValidation/clientAuth incompatibility #1621

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Sep 5, 2017
Merged

Document disableValidation/clientAuth incompatibility #1621

merged 3 commits into from
Sep 5, 2017

Conversation

hawkw
Copy link
Contributor

@hawkw hawkw commented Sep 5, 2017

As @adleong said in #1581 (comment), disabling TLS validation will force the use of the JDK SSL provider is thus incompatible with clientAuth.

I've confirmed this in the linux-test GCE instance I set up to reproduce issue #1581 – if disableValidation is set to false, everything works fine.

I've updated the docs to reflect this.

Closes #1581

@hawkw hawkw added this to the 1.2.0 milestone Sep 5, 2017
@hawkw hawkw self-assigned this Sep 5, 2017
@hawkw hawkw requested a review from adleong September 5, 2017 20:15
@hawkw
Copy link
Contributor Author

hawkw commented Sep 5, 2017
edited
Loading

I will Would like to add validation for this as well.

@hawkw
Copy link
Contributor Author

hawkw commented Sep 5, 2017
edited
Loading

Update: as of 8f57a53, TlsClientConfig now validates configs – it now requires that if disableValidation is set to true, clientAuth must not be present. I've also added tests for this validation (086ba9d).

adleong
adleong approved these changes Sep 5, 2017
View reviewed changes
Copy link
Member

@adleong adleong left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⭐ 🔏 👮

@hawkw hawkw merged commit ba5c2bc into master Sep 5, 2017
pcalcado pushed a commit that referenced this pull request Sep 6, 2017
@hawkw
Make disableValidation incompatible with clientAuth (#1621)
50cf8a7 
As @adleong said in #1581 (comment), disabling TLS validation will force the use of the JDK SSL provider is thus incompatible with clientAuth.

`TlsClientConfig` now validates configs – it now `require`s that if `disableValidation` is set to `true`, `clientAuth` must not be present. I've updated the docs to reflect this.

I've confirmed this in the `linux-test` GCE instance I set up to reproduce issue #1581 – if `disableValidation` is set to `false`, everything works fine.  I've also added tests for this validation.

Closes #1581
This was referenced Sep 7, 2017
Closed
Merged
hawkw added a commit that referenced this pull request Sep 7, 2017
@hawkw
1.2.0 (#1629)
7868f51 
## 1.2.0 2017-09-07

* **Breaking Change**: `io.l5d.mesh`, `io.l5d.thriftNameInterpreter`, linkerd
  admin, and namerd admin now serve on 127.0.0.1 by default (instead of
  0.0.0.0).
* **Breaking Change**: Removed support for PKCS#1-formatted keys. PKCS#1 formatted keys must be converted to PKCS#8 format.
* Added experimental `io.l5d.dnssrv` namer for DNS SRV records (#1611)
* Kubernetes
  * Added an experimental `io.l5d.k8s.configMap` interpreter for reading dtabs from a Kubernetes ConfigMap (#1603). This interpreter will respond to changes in the ConfigMap, allowing for dynamic dtab updates without the need to run Namerd.
  * Made ingress controller's ingress class annotation configurable (#1584).
  * Fixed an issue where Linkerd would continue routing traffic to endpoints of a service after that service was removed (#1622).
  * Major refactoring and performance improvements to `io.l5d.k8s` and `io.l5d.k8s.ns` namers (#1603).
  * Ingress controller now checks all available ingress resources before using a default backend (#1607).
  * Ingress controller now correctly routes requests with host headers that contain ports (#1607).
* HTTP/2
  * Fixed an issue where long-running H2 streams would eventually hang (#1598).
  * Fixed a memory leak on long-running H2 streams (#1598)
  * Added a user-friendly error message when a HTTP/2 router receives a HTTP/1 request (#1618)
* HTTP/1
  * Removed spurious `ReaderDiscarded` exception logged on HTTP/1 retries (#1609)
* Consul
  * Added support for querying Consul by specific service health states (#1601)
  * Consul namers and Dtab store now fall back to a last known good state on Consul observation errors (#1597)
  * Improved log messages for Consul observation errors (#1597)
* TLS
  * Removed support for PKCS#1 keys (#1590)
  * Added validation to prevent incompatible `disableValidation: true` and `clientAuth` settings in TLS client configurations (#1621)
* Changed `io.l5d.mesh`, `io.l5d.thriftNameInterpreter`, linkerd
  admin, and namerd admin to serve on 127.0.0.1 by default (instead of
  0.0.0.0) (#1366)
* Deprecated `io.l5d.statsd` telemeter.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@adleong adleong adleong approved these changes

Assignees

@hawkw hawkw

Labels

documentation

Projects

None yet

Milestone

1.2.0

Development

Successfully merging this pull request may close these issues.

2 participants

@hawkw @adleong