tls_manager: let REST proxy skip tls cert verification
This commit is contained in:
parent
b76d3e64d3
commit
404a50ae25
@ -41,7 +41,10 @@
|
|||||||
nodes where the chain sync got lost because fetching of already pruned blocks
|
nodes where the chain sync got lost because fetching of already pruned blocks
|
||||||
from our peers was not garbage collected when the request failed.
|
from our peers was not garbage collected when the request failed.
|
||||||
|
|
||||||
|
* Let the REST proxy [skip TLS
|
||||||
|
verification](https://github.com/lightningnetwork/lnd/pull/8437) when
|
||||||
|
connecting to the gRPC server to prevent invalid cert use when the ephemeral
|
||||||
|
cert (used with the `--tlsencryptkey` flag) expires.
|
||||||
|
|
||||||
# New Features
|
# New Features
|
||||||
## Functional Enhancements
|
## Functional Enhancements
|
||||||
|
@ -131,32 +131,27 @@ func (t *TLSManager) getConfig() ([]grpc.ServerOption, []grpc.DialOption,
|
|||||||
// and override the TLS config's GetCertificate function.
|
// and override the TLS config's GetCertificate function.
|
||||||
cleanUp := t.setUpLetsEncrypt(&certData, tlsCfg)
|
cleanUp := t.setUpLetsEncrypt(&certData, tlsCfg)
|
||||||
|
|
||||||
// If we're using the ephemeral certificate, we need to use the
|
|
||||||
// ephemeral cert path.
|
|
||||||
certPath := t.cfg.TLSCertPath
|
|
||||||
if t.ephemeralCertPath != "" {
|
|
||||||
certPath = t.ephemeralCertPath
|
|
||||||
}
|
|
||||||
|
|
||||||
// Now that we know that we have a certificate, let's generate the
|
// Now that we know that we have a certificate, let's generate the
|
||||||
// required config options.
|
// required config options.
|
||||||
restCreds, err := credentials.NewClientTLSFromFile(
|
|
||||||
certPath, "",
|
|
||||||
)
|
|
||||||
if err != nil {
|
|
||||||
return nil, nil, nil, nil, err
|
|
||||||
}
|
|
||||||
|
|
||||||
serverCreds := credentials.NewTLS(tlsCfg)
|
serverCreds := credentials.NewTLS(tlsCfg)
|
||||||
serverOpts := []grpc.ServerOption{grpc.Creds(serverCreds)}
|
serverOpts := []grpc.ServerOption{grpc.Creds(serverCreds)}
|
||||||
|
|
||||||
// For our REST dial options, we'll still use TLS, but also increase
|
// For our REST dial options, we skip TLS verification, and we also
|
||||||
// the max message size that we'll decode to allow clients to hit
|
// increase the max message size that we'll decode to allow clients to
|
||||||
// endpoints which return more data such as the DescribeGraph call.
|
// hit endpoints which return more data such as the DescribeGraph call.
|
||||||
// We set this to 200MiB atm. Should be the same value as maxMsgRecvSize
|
// We set this to 200MiB atm. Should be the same value as maxMsgRecvSize
|
||||||
// in cmd/lncli/main.go.
|
// in cmd/lncli/main.go.
|
||||||
restDialOpts := []grpc.DialOption{
|
restDialOpts := []grpc.DialOption{
|
||||||
grpc.WithTransportCredentials(restCreds),
|
// We are forwarding the requests directly to the address of our
|
||||||
|
// own local listener. To not need to mess with the TLS
|
||||||
|
// certificate (which might be tricky if we're using Let's
|
||||||
|
// Encrypt or if the ephemeral tls cert is being used), we just
|
||||||
|
// skip the certificate verification. Injecting a malicious
|
||||||
|
// hostname into the listener address will result in an error
|
||||||
|
// on startup so this should be quite safe.
|
||||||
|
grpc.WithTransportCredentials(credentials.NewTLS(
|
||||||
|
&tls.Config{InsecureSkipVerify: true},
|
||||||
|
)),
|
||||||
grpc.WithDefaultCallOptions(
|
grpc.WithDefaultCallOptions(
|
||||||
grpc.MaxCallRecvMsgSize(lnrpc.MaxGrpcMsgSize),
|
grpc.MaxCallRecvMsgSize(lnrpc.MaxGrpcMsgSize),
|
||||||
),
|
),
|
||||||
|
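Review bot: `InsecureSkipVerify: true` in the new REST dial options removes every check on the identity of the gRPC endpoint the proxy connects to, and the justification in the comment above it only covers a malformed hostname failing at startup, not a listener bound to a non-loopback interface or a DNS name that is repointed after startup. Because this process already holds the certificate it serves (`tlsCfg`, whose `GetCertificate` is overridden by `setUpLetsEncrypt` a few lines up), the proxy can keep skipping hostname/CA validation and still pin the peer to exactly that certificate with `VerifyPeerCertificate`, evaluated per handshake so a rotated ephemeral or Let's Encrypt cert is picked up without the stale-file problem the old `NewClientTLSFromFile` path had. A sketch is below; `currentServerCert` is a guess at how the active cert can be read back from `tlsCfg` (an autocert `GetCertificate` may need a real `ServerName`), and `bytes`, `crypto/x509` and `errors` would have to be added to the import block if they are not already there. If pinning is rejected, the comment should at least state that the trust here rests on the dial address being loopback, e.g. `// Safe only because we dial our own loopback listener; do not reuse for remote targets.` getConfig's body continues outside the hunk.
```go
// … unchanged: serverCreds / serverOpts …
restTLSCfg := &tls.Config{
	// Hostname/CA validation is skipped on purpose (the served cert
	// may be the ephemeral or Let's Encrypt one), but the peer must
	// still present exactly the certificate this node serves now.
	InsecureSkipVerify: true,
	VerifyPeerCertificate: func(rawCerts [][]byte,
		_ [][]*x509.Certificate) error {

		if len(rawCerts) == 0 {
			return errors.New("rest proxy: no peer certificate")
		}
		served, err := currentServerCert(tlsCfg)
		if err != nil {
			return err
		}
		if !bytes.Equal(rawCerts[0], served.Certificate[0]) {
			return errors.New("rest proxy: peer cert is not the " +
				"locally served certificate")
		}
		return nil
	},
}
restDialOpts := []grpc.DialOption{
	grpc.WithTransportCredentials(credentials.NewTLS(restTLSCfg)),
	// … unchanged: WithDefaultCallOptions …
}

// currentServerCert returns the certificate the gRPC listener presents
// right now, preferring GetCertificate so a rotated cert is honoured.
// TODO(review): adjust to how tls_manager actually stores the active cert.
func currentServerCert(cfg *tls.Config) (*tls.Certificate, error) {
	if cfg.GetCertificate != nil {
		return cfg.GetCertificate(&tls.ClientHelloInfo{})
	}
	if len(cfg.Certificates) == 0 {
		return nil, errors.New("no server certificate configured")
	}
	return &cfg.Certificates[0], nil
}
```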