Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

X509 certificate configuration file syntax, documentation, and examples use obsolete mechanisms #1876

Open
briansmith opened this issue Mar 23, 2018 · 1 comment
Open

X509 certificate configuration file syntax, documentation, and examples use obsolete mechanisms #1876

briansmith opened this issue Mar 23, 2018 · 1 comment
Projects
Linkerd 1.x Backlog. See https://gith...

Comments

@briansmith
Copy link

briansmith commented Mar 23, 2018
edited
Loading

A linkerd user pointed out that our examples generate certificates that are using X509v1, not X509v3. Also, those certificates don't have a subjectAltName dNSName extension.

One effect of these two issues is that the initial TLS support in Conduit won't even be able to access services that use certificates generated based on the linkerd documentation, since the underlying crypto library webpki currently enforces the use of modern mechanisms.

Another effect of these two issues is that a release of Chrome that's due to be released very soon will not accept these certificates either, as it will be (is?) enforcing the same rules that webpki has been enforcing.

The issue extends to the documentation. The documentation frequently mentions the "common name" of the certificate, e.g. at https://linkerd.io/doc/0.7.4/linkerd/client_tls/. That's an obsolete field that webpki and (soon) Chrome don't support. We need to update all references to "common name" to refer to the subjectAltName dNSNames.

Similarly, the linkerd configuration file syntax uses "commonName" and similar as field names. We should create aliases like "dNSName" or "subject" or similar that can be used instead of "commonName", and deprecate "commonName".

The goals here is to maximize interoperability, especially between Conduit and linkerd.
@briansmith briansmith mentioned this issue Mar 23, 2018
Closed
2 tasks
@briansmith
Copy link
Author

openssl, up until the very latest, is very annoying with respect to generating certificates that have subjectAltName set. We should consider providing examples using a different tool, like CFSSL, in addition to or instead of OpenSSL.

Tim-Brooks pushed a commit to Tim-Brooks/linkerd that referenced this issue Dec 20, 2018
Add ListServices to controller public api (linkerd#1876)
f8583df 
Add a barebones ListServices endpoint, in support of autocomplete for services.
As we develop service profiles, this endpoint could probably be used to describe
more aspects of services (like, if there were some way to check whether a
service profile was enabled or not).

Accessible from the web UI via http:https://localhost:8084/api/services
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
No open projects
Linkerd 1.x Backlog. See https://gith...
Medium-Term
Milestone
No milestone
Development

No branches or pull requests
1 participant
@briansmith