tls_manager: let REST proxy skip tls cert verification

This commit is contained in:
Elle Mouton 2024-01-29 13:30:07 +02:00
parent b76d3e64d3
commit 404a50ae25
No known key found for this signature in database
GPG Key ID: D7D916376026F177
2 changed files with 17 additions and 19 deletions


@ -41,7 +41,10 @@
nodes where the chain sync got lost because fetching of already pruned blocks nodes where the chain sync got lost because fetching of already pruned blocks
from our peers was not garbage collected when the request failed. from our peers was not garbage collected when the request failed.
* Let the REST proxy [skip TLS
verification](https://github.com/lightningnetwork/lnd/pull/8437) when
connecting to the gRPC server to prevent invalid cert use when the ephemeral
cert (used with the `--tlsencryptkey` flag) expires.
# New Features # New Features
## Functional Enhancements ## Functional Enhancements


@ -131,32 +131,27 @@ func (t *TLSManager) getConfig() ([]grpc.ServerOption, []grpc.DialOption,
// and override the TLS config's GetCertificate function. // and override the TLS config's GetCertificate function.
cleanUp := t.setUpLetsEncrypt(&certData, tlsCfg) cleanUp := t.setUpLetsEncrypt(&certData, tlsCfg)
// If we're using the ephemeral certificate, we need to use the
// ephemeral cert path.
certPath := t.cfg.TLSCertPath
if t.ephemeralCertPath != "" {
certPath = t.ephemeralCertPath
}
// Now that we know that we have a certificate, let's generate the // Now that we know that we have a certificate, let's generate the
// required config options. // required config options.
restCreds, err := credentials.NewClientTLSFromFile(
certPath, "",
)
if err != nil {
return nil, nil, nil, nil, err
}
serverCreds := credentials.NewTLS(tlsCfg) serverCreds := credentials.NewTLS(tlsCfg)
serverOpts := []grpc.ServerOption{grpc.Creds(serverCreds)} serverOpts := []grpc.ServerOption{grpc.Creds(serverCreds)}
// For our REST dial options, we'll still use TLS, but also increase // For our REST dial options, we skip TLS verification, and we also
// the max message size that we'll decode to allow clients to hit // increase the max message size that we'll decode to allow clients to
// endpoints which return more data such as the DescribeGraph call. // hit endpoints which return more data such as the DescribeGraph call.
// We set this to 200MiB atm. Should be the same value as maxMsgRecvSize // We set this to 200MiB atm. Should be the same value as maxMsgRecvSize
// in cmd/lncli/main.go. // in cmd/lncli/main.go.
restDialOpts := []grpc.DialOption{ restDialOpts := []grpc.DialOption{
grpc.WithTransportCredentials(restCreds), // We are forwarding the requests directly to the address of our
// own local listener. To not need to mess with the TLS
// certificate (which might be tricky if we're using Let's
// Encrypt or if the ephemeral tls cert is being used), we just
// skip the certificate verification. Injecting a malicious
// hostname into the listener address will result in an error
// on startup so this should be quite safe.
grpc.WithTransportCredentials(credentials.NewTLS(
&tls.Config{InsecureSkipVerify: true},
)),
grpc.WithDefaultCallOptions( grpc.WithDefaultCallOptions(
grpc.MaxCallRecvMsgSize(lnrpc.MaxGrpcMsgSize), grpc.MaxCallRecvMsgSize(lnrpc.MaxGrpcMsgSize),
), ),