Setting just servername to :authority pseudo header in client when using TLS. #2518
…ing tls. HTTP/2(RFC7540) defines :authority pseudo header includes the authority portion of target URI but it must not include userinfo part (i.e. url.Host). However, when TLS certificate specified, grpc-go requires it must match with its servername specified for certificate validation. Signed-off-by: Shingo Omura <everpeace@gmail.com>
f5b1e35 to ccbf7f3
If there's a publicly published docker image, I would be happy to validate this fix resolves the issue I was seeing in #2510. Please just let me know. Regardless, thank you for looking into this.
Oh, thank you very much for the offer. I published docker images built on the branch. Please try it. https://hub.docker.com/r/everpeace/buildkit/tags
docker build/push log:

```
~/src/github.com/moby/buildkit
❯ git rev-parse --short HEAD
ccbf7f33
❯ make images
...
❯ docker tag moby/buildkit:local everpeace/buildkit:fix-authority-header-$(git rev-parse --short HEAD)
❯ docker tag moby/buildkit:local-rootless everpeace/buildkit:rootless-fix-authority-header-$(git rev-parse --short HEAD)
❯ docker push everpeace/buildkit:fix-authority-header-$(git rev-parse --short HEAD)
...
fix-authority-header-ccbf7f33: digest: sha256:e91719f03df6f4d58282b7f3951d6ef99b2acb1d34d881daebb1d1faad66af3d size: 1158
❯ docker push everpeace/buildkit:rootless-fix-authority-header-$(git rev-parse --short HEAD)
...
rootless-fix-authority-header-ccbf7f33: digest: sha256:6d71fcfd8f13decea418882337d37151b7cfeb107c42694433015e13e1e309d9 size: 1996
```
No, thank you for helping get this fixed! I can confirm that running the build as described in #2510 with image Thank you!
Is this fix backward compatible for old (v0.9.3) client to the new daemon and new client to old daemon configurations? If not, then can these cases be covered?
My manual, by hand testing shows:
(again, based on running a build as described in #2510)
@adriankostrubiak-tomtom Thanks.
@adriankostrubiak-tomtom Thanks for your compatibility check!
Thank you!
fixes #2510

google.golang.org/grpc@v1.42.0 (updated recently in #2481) introduced better handling for `:authority` pseudo-header implemented in grpc/grpc-go#4817. This requires `WithAuthority` dial option value must match with the server name of its transport creds.

The current implementation always uses `url.Host` (`"host:port"`) of `--addr` as an authority pseudo-header value because HTTP/2 (RFC7540) defines so, i.e. the authority portion of target URI without userinfo part. This causes grpc-go's authority validation to fail.

This PR fixes the issue so that it uses `ServerName` in the tls config as `:authority` header when tls specified, uses normal `host:port` part otherwise.
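The selection rule described above, as an added Go example that is not the PR's or BuildKit's own code. `pickAuthority` and `credsAccept` are hypothetical names, the address is constructed, and `credsAccept` is only a simplified model of the match that the description attributes to grpc-go.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/url"
)

// pickAuthority (hypothetical helper) returns the value to send as :authority:
// the TLS ServerName when one is configured, otherwise the host:port of addr.
func pickAuthority(addr string, tlsCfg *tls.Config) (string, error) {
	u, err := url.Parse(addr)
	if err != nil {
		return "", fmt.Errorf("parse %q: %w", addr, err)
	}
	if tlsCfg != nil && tlsCfg.ServerName != "" {
		return tlsCfg.ServerName, nil
	}
	// url.Host never contains the userinfo part, only host[:port].
	return u.Host, nil
}

// credsAccept is a simplified model (an assumption, not grpc-go code) of the
// rule in the PR text: with transport credentials that carry a server name,
// the authority must equal that server name.
func credsAccept(authority string, tlsCfg *tls.Config) bool {
	return tlsCfg == nil || tlsCfg.ServerName == "" || authority == tlsCfg.ServerName
}

func main() {
	addr := "tcp://buildkitd.example.internal:1234" // constructed sample address
	cfg := &tls.Config{ServerName: "buildkitd.example.internal"}

	u, _ := url.Parse(addr)
	fmt.Printf("before: authority=%q accepted=%v\n", u.Host, credsAccept(u.Host, cfg))

	fixed, _ := pickAuthority(addr, cfg)
	fmt.Printf("after:  authority=%q accepted=%v\n", fixed, credsAccept(fixed, cfg))

	plain, _ := pickAuthority(addr, nil)
	fmt.Printf("no TLS: authority=%q accepted=%v\n", plain, credsAccept(plain, nil))
}
```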