Allow to use own certificate for metrics endpoint #10504

Closed
wants to merge 5 commits into from
1 change: 1 addition & 0 deletions embed/config.go
Expand Up @@ -291,6 +291,7 @@ type Config struct {
Metrics string `json:"metrics"`
ListenMetricsUrls []url.URL
ListenMetricsUrlsJSON string `json:"listen-metrics-urls"`
MetricsTLSInfo transport.TLSInfo

// Logger is logger options: currently only supports "zap".
// "capnslog" is removed in v3.5.
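
Review bot: `MetricsTLSInfo transport.TLSInfo` is added to `Config` without a doc comment, and nothing on the field tells an embedder that a non-empty value replaces `ClientTLSInfo` on every `ListenMetricsUrls` listener. Please document that on the field, including that clients holding only client-API certificates are then rejected on /metrics and /health.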
4 changes: 4 additions & 0 deletions embed/etcd.go
Expand Up @@ -670,6 +670,10 @@ func (e *Etcd) serveMetrics() (err error) {

for _, murl := range e.cfg.ListenMetricsUrls {
tlsInfo := &e.cfg.ClientTLSInfo
if !e.cfg.MetricsTLSInfo.Empty() {
tlsInfo = &e.cfg.MetricsTLSInfo

Contributor

If we override tlsInfo, should we add a warning to log?

When MetricsTLSInfo is provided, client who has access to other APIs will not be able to access '/metrics' and '/health'?

Author

> When MetricsTLSInfo is provided, client who has access to other APIs will not be able to access '/metrics' and '/health'?

Yes. Theoretically, we can make both work (add them to tls.Config.RootCAs and to tls.Config.ClientCAs), but it will be a much more difficult solution because it requires extending transport.TLSInfo.

> If we override tlsInfo, should we add a warning to log?

This is not a hidden behavior (the admin must pass the options explicitly). I am not sure what message I need to write to the log?
You specified other certificates for metrics. Access by client certificates will not be possible?

Contributor

> This is not a hidden behavior (the admin must pass the options explicitly). I am not sure what message I need to write to the log?

I was thinking about the scenario where etcd clients with clientTLS (not metricsTLS) might try to access the metrics and health endpoint. Adding something like 'ignoring client certificates since metrics certificates given' would help them understand why the connection is rejected. I am not an expert in this area, please feel free to let me know if you think this is reasonable.

Author

@jingyih That's reasonable. I added the message.

Contributor

For better or worse, warning messages are often noted by administrators and automated systems which analyze log output for anomalies. The proposed metrics TLS configuration when used in conjunction with client TLS configuration is a valid state. So in that regard it's not clear to me a preemptive warning makes sense. It seems possible that when using both TLS configurations (again, a valid state), this warning might be interpreted as a false negative alert of some kind.

So, I would suggest we consider changing this to INFO level or omitting it entirely.

e.cfg.logger.Warn("ignoring client certificates for additional metrics and health endpoints since metrics certificates given")
}
if murl.Scheme == "http" {
tlsInfo = nil
}
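
Review bot: the `Warn` call sits inside the `for _, murl := range e.cfg.ListenMetricsUrls` loop and ahead of the `murl.Scheme == "http"` check, so it is logged once per metrics URL and also for plain-HTTP listeners, where `tlsInfo` ends up `nil` and no certificate is used at all. Do the scheme check first and log once outside the loop; since supplying metrics certificates is an explicit and valid configuration, Info level fits better than Warn.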
7 changes: 7 additions & 0 deletions etcdmain/config.go
Expand Up @@ -210,6 +210,13 @@ func newConfig() *config {
fs.StringVar(&cfg.ec.PeerTLSInfo.CRLFile, "peer-crl-file", "", "Path to the peer certificate revocation list file.")
fs.StringVar(&cfg.ec.PeerTLSInfo.AllowedCN, "peer-cert-allowed-cn", "", "Allowed CN for inter peer authentication.")
fs.StringVar(&cfg.ec.PeerTLSInfo.AllowedHostname, "peer-cert-allowed-hostname", "", "Allowed TLS hostname for inter peer authentication.")
fs.StringVar(&cfg.ec.MetricsTLSInfo.CertFile, "metrics-cert-file", "", "Path to the metrics server TLS cert file.")
fs.StringVar(&cfg.ec.MetricsTLSInfo.KeyFile, "metrics-key-file", "", "Path to the metrics server TLS key file.")
fs.BoolVar(&cfg.ec.MetricsTLSInfo.ClientCertAuth, "metrics-client-cert-auth", false, "Enable metrics client cert authentication.")
fs.BoolVar(&cfg.ec.MetricsTLSInfo.InsecureSkipVerify, "metrics-auto-tls", false, "Metrics TLS using generated certificates")
fs.StringVar(&cfg.ec.MetricsTLSInfo.TrustedCAFile, "metrics-trusted-ca-file", "", "Path to the metrics server TLS trusted CA file.")
fs.StringVar(&cfg.ec.MetricsTLSInfo.CRLFile, "metrics-crl-file", "", "Path to the metrics certificate revocation list file.")
fs.StringVar(&cfg.ec.MetricsTLSInfo.AllowedCN, "metrics-cert-allowed-cn", "", "Allowed CN for metrics authentication.")
fs.Var(flags.NewStringsValue(""), "cipher-suites", "Comma-separated list of supported TLS cipher suites between client/server and peers (empty will be auto-populated by Go).")
fs.BoolVar(&cfg.ec.PeerTLSInfo.SkipClientSANVerify, "experimental-peer-skip-client-san-verification", false, "Skip verification of SAN field in client certificate for peer connections.")
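
Review bot: `--metrics-auto-tls` is bound to `MetricsTLSInfo.InsecureSkipVerify`, while its help text promises "Metrics TLS using generated certificates". A field of that name turns certificate verification off rather than generating a certificate, so an operator who enables the flag gets weaker verification than the flag name suggests. Bind it to a dedicated auto-TLS boolean (the gRPC proxy uses `grpcProxyListenAutoTLS` for its `auto-tls` flag) or leave the flag out of this PR. The new set also has no counterpart to `peer-cert-allowed-hostname`; please say whether that is intentional.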

18 changes: 18 additions & 0 deletions etcdmain/grpc_proxy.go
Expand Up @@ -77,6 +77,13 @@ var (
grpcProxyListenAutoTLS bool
grpcProxyListenCRL string

// tls for clients connecting to proxy for metrics

grpcProxyMetricsListenCA string
grpcProxyMetricsListenCert string
grpcProxyMetricsListenKey string
grpcProxyMetricsListenCRL string

grpcProxyAdvertiseClientURL string
grpcProxyResolverPrefix string
grpcProxyResolverTTL int
Expand Down Expand Up @@ -150,6 +157,11 @@ func newGRPCProxyStartCommand() *cobra.Command {
cmd.Flags().BoolVar(&grpcProxyListenAutoTLS, "auto-tls", false, "proxy TLS using generated certificates")
cmd.Flags().StringVar(&grpcProxyListenCRL, "client-crl-file", "", "proxy client certificate revocation list file.")

cmd.Flags().StringVar(&grpcProxyMetricsListenCert, "metrics-cert-file", "", "identify secure connections to the /metrics endpoint using this TLS certificate file")
cmd.Flags().StringVar(&grpcProxyMetricsListenKey, "metrics-key-file", "", "identify secure connections to the /metrics endpoint using this TLS key file")
cmd.Flags().StringVar(&grpcProxyMetricsListenCA, "metrics-trusted-ca-file", "", "verify certificates of TLS-enabled secure /metrics endpoint using this CA bundle")
cmd.Flags().StringVar(&grpcProxyMetricsListenCRL, "metrics-client-crl-file", "", "/metrics endpoint client certificate revocation list file.")

// experimental flags
cmd.Flags().BoolVar(&grpcProxyEnableOrdering, "experimental-serializable-ordering", false, "Ensure serializable reads have monotonically increasing store revisions across endpoints.")
cmd.Flags().StringVar(&grpcProxyLeasing, "experimental-leasing-prefix", "", "leasing metadata prefix for disconnected linearized reads.")
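
Review bot: the help strings for `metrics-cert-file`, `metrics-key-file` and `metrics-trusted-ca-file` describe outbound connections ("identify secure connections to the /metrics endpoint", "verify certificates of TLS-enabled secure /metrics endpoint"), but in `startGRPCProxy` the values are passed to `newTLS(...)` and then `mustMetricsListener`, so they configure the proxy's own metrics listener. Reword them as listener options. The CRL flag is also named `metrics-client-crl-file` here and `metrics-crl-file` in etcdmain/config.go; pick one name.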
Expand Down Expand Up @@ -211,6 +223,12 @@ func startGRPCProxy(cmd *cobra.Command, args []string) {
go func() { errc <- srvhttp.Serve(httpl) }()
go func() { errc <- m.Serve() }()
if len(grpcProxyMetricsListenAddr) > 0 {
if grpcProxyMetricsListenCert != "" && grpcProxyMetricsListenKey != "" {
tlsinfo = newTLS(grpcProxyMetricsListenCA, grpcProxyMetricsListenCert, grpcProxyMetricsListenKey)

Contributor

PR #12114 adds a health handler for grpcproxy itself. If grpcProxyMetricsListenAddr uses its own certificate for the metrics endpoint, we should also update the healthcheck client certs; otherwise, it fails to access the '/proxy/health' handler.

Contributor

@ironcladlou said "For the health listener, honor the global TLS configuration by default (for compatibility with today's behavior), but provide a new flag to allow control over health endpoint client certificate auth (e.g. --health-client-cert-auth=false)." in issue #11993.
I agree with it. Can we add a flag to access /health, /proxy/health without cert auth?

Author

> PR #12114 adds a health handler for grpcproxy itself. If grpcProxyMetricsListenAddr uses its own certificate for the metrics endpoint, we should also update the healthcheck client certs; otherwise, it fails to access the '/proxy/health' handler.

I already mentioned this before. Therefore, when using separate certificates for metrics, a warning is displayed.

> I agree with it. Can we add a flag to access /health, /proxy/health without cert auth?

Do you want the server to serve some endpoints without certificates? Theoretically, this is possible, but will require rewriting the server. To do this, you will need to make authorization optional and do it not at the TLS level. This is out of scope of this proposal.

Contributor

ok. thanks. I will try to add --health-client-cert-auth flag in another PR. thanks.

Author

@tangcong Can this PR be merged?

Contributor

lgtm. can you add changelog and doc in another pr? thanks. @hexfusion can you take a final look? thanks.

Contributor

@tangcong Sorry for the delay, yes, I will take a look.

if tlsinfo != nil {
tlsinfo.CRLFile = grpcProxyMetricsListenCRL
}
}
mhttpl := mustMetricsListener(lg, tlsinfo)
go func() {
mux := http.NewServeMux()
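
Review bot: `if grpcProxyMetricsListenCert != "" && grpcProxyMetricsListenKey != ""` skips the override without any message when only one of the two files is given, or when only `--metrics-trusted-ca-file` or `--metrics-client-crl-file` is set, so the metrics listener quietly keeps whatever `tlsinfo` already held. Fail startup on a partial set of metrics TLS flags. Unlike the embed/etcd.go change, this path also logs nothing when the metrics certificates replace the listener's existing TLS settings.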
14 changes: 14 additions & 0 deletions etcdmain/help.go
Expand Up @@ -174,6 +174,20 @@ Profiling and Monitoring:
Set level of detail for exported metrics, specify 'extensive' to include server side grpc histogram metrics.
--listen-metrics-urls ''
List of URLs to listen on for the metrics and health endpoints.
--metrics-cert-file ''
Path to the metrics server TLS cert file.
--metrics-key-file ''
Path to the metrics server TLS key file.
--metrics-client-cert-auth 'false'
Enable metrics client cert authentication.
--metrics-trusted-ca-file ''
Path to the metrics server TLS trusted CA file.
--metrics-cert-allowed-cn ''
Required CN for client certs connecting to the metrics endpoint.
--metrics-crl-file ''
Path to the metrics certificate revocation list file.
--metrics-auto-tls 'false'
Metrics TLS using generated certificates.

Logging:
--logger 'zap'
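
Review bot: the `--metrics-cert-allowed-cn` text here ("Required CN for client certs connecting to the metrics endpoint.") differs from the flag definition in etcdmain/config.go ("Allowed CN for metrics authentication."), and none of the new entries says that supplying metrics certificates replaces the client certificates on the `--listen-metrics-urls` listeners. Align the two strings and state the override under `--metrics-cert-file`.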
30 changes: 15 additions & 15 deletions integration/fixtures/ca.crt
10 changes: 9 additions & 1 deletion integration/fixtures/gencerts.sh
Expand Up @@ -70,6 +70,15 @@ cfssl gencert \
mv server3.pem server3.crt
mv server3-key.pem server3.key.insecure

# generate DNS: localhost, IP: 127.0.0.1, CN: example.com certificates
cfssl gencert \
--ca ./ca.crt \
--ca-key ./ca-key.pem \
--config ./gencert.json \
./server-ca-csr4.json | cfssljson --bare ./server4
mv server4.pem server4.crt
mv server4-key.pem server4.key.insecure

# generate revoked certificates and crl
cfssl gencert --ca ./ca.crt \
--ca-key ./ca-key.pem \
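
Review bot: the new comment says `CN: example.com`, but server-ca-csr4.json sets `"CN": "ca"`, so the comment does not describe the certificate that is generated. Correct the comment, or give the CSR a distinct CN so this fixture can be used to exercise `--metrics-cert-allowed-cn`.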
Expand All @@ -89,5 +98,4 @@ cfssl gencert \
mv server-wildcard.pem server-wildcard.crt
mv server-wildcard-key.pem server-wildcard.key.insecure


rm -f *.csr *.pem *.stderr *.txt
Binary file modified integration/fixtures/revoke.crl
Binary file not shown.
20 changes: 20 additions & 0 deletions integration/fixtures/server-ca-csr4.json
@@ -0,0 +1,20 @@
{
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"O": "etcd",
"OU": "etcd Monitoring",
"L": "San Francisco",
"ST": "California",
"C": "USA"
}
],
"CN": "ca",
"hosts": [
"127.0.0.1",
"localhost"
]
}
24 changes: 12 additions & 12 deletions integration/fixtures/server-ecdsa.crt
6 changes: 3 additions & 3 deletions integration/fixtures/server-ecdsa.key.insecure
32 changes: 16 additions & 16 deletions integration/fixtures/server-ip.crt
50 changes: 25 additions & 25 deletions integration/fixtures/server-ip.key.insecure
32 changes: 16 additions & 16 deletions integration/fixtures/server-ipv6.crt