From 404a50ae251467267c14c1e46cb75295b10551ee Mon Sep 17 00:00:00 2001
From: Elle Mouton
Date: Mon, 29 Jan 2024 13:30:07 +0200
Subject: [PATCH] tls_manager: let REST proxy skip tls cert verification
---
 docs/release-notes/release-notes-0.17.4.md | 5 +++-
 tls_manager.go | 31 +++++++++-------------
 2 files changed, 17 insertions(+), 19 deletions(-)
diff --git a/docs/release-notes/release-notes-0.17.4.md b/docs/release-notes/release-notes-0.17.4.md
index 142880ef7..06daa861c 100644
--- a/docs/release-notes/release-notes-0.17.4.md
+++ b/docs/release-notes/release-notes-0.17.4.md
@@ -41,7 +41,10 @@ nodes where the chain sync got lost because fetching of already pruned blocks
 from our peers was not garbage collected when the request failed.
-
+* Let the REST proxy [skip TLS
+ verification](https://github.com/lightningnetwork/lnd/pull/8437) when
+ connecting to the gRPC server to prevent invalid cert use when the ephemeral
+ cert (used with the `--tlsencryptkey` flag) expires.
 # New Features
 ## Functional Enhancements
diff --git a/tls_manager.go b/tls_manager.go
index 232c33060..7801279fa 100644
--- a/tls_manager.go
+++ b/tls_manager.go
@@ -131,32 +131,27 @@ func (t *TLSManager) getConfig() ([]grpc.ServerOption, []grpc.DialOption,
 // and override the TLS config's GetCertificate function.
 cleanUp := t.setUpLetsEncrypt(&certData, tlsCfg)
- // If we're using the ephemeral certificate, we need to use the
- // ephemeral cert path.
- certPath := t.cfg.TLSCertPath
- if t.ephemeralCertPath != "" {
- certPath = t.ephemeralCertPath
- }
-
 // Now that we know that we have a certificate, let's generate the
 // required config options.
- restCreds, err := credentials.NewClientTLSFromFile(
- certPath, "",
- )
- if err != nil {
- return nil, nil, nil, nil, err
- }
-
 serverCreds := credentials.NewTLS(tlsCfg)
 serverOpts := []grpc.ServerOption{grpc.Creds(serverCreds)}
- // For our REST dial options, we'll still use TLS, but also increase
- // the max message size that we'll decode to allow clients to hit
- // endpoints which return more data such as the DescribeGraph call.
+ // For our REST dial options, we skip TLS verification, and we also
+ // increase the max message size that we'll decode to allow clients to
+ // hit endpoints which return more data such as the DescribeGraph call.
 // We set this to 200MiB atm. Should be the same value as maxMsgRecvSize
 // in cmd/lncli/main.go.
 restDialOpts := []grpc.DialOption{
- grpc.WithTransportCredentials(restCreds),
+ // We are forwarding the requests directly to the address of our
+ // own local listener. To not need to mess with the TLS
+ // certificate (which might be tricky if we're using Let's
+ // Encrypt or if the ephemeral tls cert is being used), we just
+ // skip the certificate verification. Injecting a malicious
+ // hostname into the listener address will result in an error
+ // on startup so this should be quite safe.
+ grpc.WithTransportCredentials(credentials.NewTLS(
+ &tls.Config{InsecureSkipVerify: true},
+ )),
 grpc.WithDefaultCallOptions(
 grpc.MaxCallRecvMsgSize(lnrpc.MaxGrpcMsgSize),
 ),
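Review bot: `InsecureSkipVerify: true` in the new restDialOpts disables server authentication entirely, and the comment's safety argument depends on the dial target being our own listener, which is decided by the caller that consumes the returned restDialOpts outside this hunk rather than enforced here. Since `tlsCfg`, the config the gRPC server itself serves from, is in scope, the proxy can instead keep CA verification off but set `VerifyPeerCertificate` (still invoked when InsecureSkipVerify is set) to require the presented leaf to be byte-equal to the certificate tlsCfg currently hands out, which follows Let's Encrypt and ephemeral rotation through GetCertificate so the expiry problem this commit fixes does not return. Whether the non-Let's-Encrypt path fills `GetCertificate` or `Certificates` is not visible here, so the sketch below checks both, and the `ClientHelloInfo` it passes may need the configured domain set for the Let's Encrypt manager; it needs `bytes`, `errors` and `crypto/x509` imported. getConfig continues past the end of the hunk.
```go
	restDialOpts := []grpc.DialOption{
		// Requests are forwarded to our own local listener, so instead
		// of CA verification we require the peer to present the exact
		// certificate this server currently serves. tlsCfg follows
		// Let's Encrypt and ephemeral cert rotation, so expiry of the
		// on-disk cert no longer matters.
		grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{
			InsecureSkipVerify: true,
			VerifyPeerCertificate: func(rawCerts [][]byte,
				_ [][]*x509.Certificate) error {

				if len(rawCerts) == 0 {
					return errors.New("rest proxy: no peer " +
						"certificate presented")
				}

				// TODO(review): the ServerName passed here must
				// match what the listener expects (the configured
				// domain when Let's Encrypt is in use).
				var own *tls.Certificate
				if tlsCfg.GetCertificate != nil {
					var err error
					own, err = tlsCfg.GetCertificate(
						&tls.ClientHelloInfo{},
					)
					if err != nil {
						return err
					}
				} else if len(tlsCfg.Certificates) > 0 {
					own = &tlsCfg.Certificates[0]
				}

				if own == nil || len(own.Certificate) == 0 ||
					!bytes.Equal(own.Certificate[0], rawCerts[0]) {

					return errors.New("rest proxy: peer " +
						"certificate is not our own " +
						"listener certificate")
				}

				return nil
			},
		})),
		// … unchanged: grpc.WithDefaultCallOptions …
```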