tls_manager: let REST proxy skip tls cert verification

Elle Mouton 2024-01-29 13:30:07 +02:00
parent b76d3e64d3
commit 404a50ae25
No known key found for this signature in database
GPG Key ID: D7D916376026F177
2 changed files with 17 additions and 19 deletions


@ -41,7 +41,10 @@
nodes where the chain sync got lost because fetching of already pruned blocks
from our peers was not garbage collected when the request failed.
* Let the REST proxy [skip TLS
verification](https://github.com/lightningnetwork/lnd/pull/8437) when
connecting to the gRPC server to prevent invalid cert use when the ephemeral
cert (used with the `--tlsencryptkey` flag) expires.
# New Features
## Functional Enhancements


@ -131,32 +131,27 @@ func (t *TLSManager) getConfig() ([]grpc.ServerOption, []grpc.DialOption,
// and override the TLS config's GetCertificate function.
cleanUp := t.setUpLetsEncrypt(&certData, tlsCfg)
// If we're using the ephemeral certificate, we need to use the
// ephemeral cert path.
certPath := t.cfg.TLSCertPath
if t.ephemeralCertPath != "" {
certPath = t.ephemeralCertPath
}
// Now that we know that we have a certificate, let's generate the
// required config options.
restCreds, err := credentials.NewClientTLSFromFile(
certPath, "",
)
if err != nil {
return nil, nil, nil, nil, err
}
serverCreds := credentials.NewTLS(tlsCfg)
serverOpts := []grpc.ServerOption{grpc.Creds(serverCreds)}
// For our REST dial options, we'll still use TLS, but also increase
// the max message size that we'll decode to allow clients to hit
// endpoints which return more data such as the DescribeGraph call.
// For our REST dial options, we skip TLS verification, and we also
// increase the max message size that we'll decode to allow clients to
// hit endpoints which return more data such as the DescribeGraph call.
// We set this to 200MiB atm. Should be the same value as maxMsgRecvSize
// in cmd/lncli/main.go.
restDialOpts := []grpc.DialOption{
grpc.WithTransportCredentials(restCreds),
// We are forwarding the requests directly to the address of our
// own local listener. To not need to mess with the TLS
// certificate (which might be tricky if we're using Let's
// Encrypt or if the ephemeral tls cert is being used), we just
// skip the certificate verification. Injecting a malicious
// hostname into the listener address will result in an error
// on startup so this should be quite safe.
grpc.WithTransportCredentials(credentials.NewTLS(
&tls.Config{InsecureSkipVerify: true},
)),
grpc.WithDefaultCallOptions(
grpc.MaxCallRecvMsgSize(lnrpc.MaxGrpcMsgSize),
),