KEP-3619: update cri-api version
Signed-off-by: Shingo Omura <everpeace@gmail.com>
This commit is contained in:
Shingo Omura
34
vendor/google.golang.org/grpc/credentials/tls.go
generated
vendored
34
vendor/google.golang.org/grpc/credentials/tls.go
generated
vendored
@@ -27,9 +27,13 @@ import (
|
||||
"net/url"
|
||||
"os"
|
||||
|
||||
"google.golang.org/grpc/grpclog"
|
||||
credinternal "google.golang.org/grpc/internal/credentials"
|
||||
"google.golang.org/grpc/internal/envconfig"
|
||||
)
|
||||
|
||||
var logger = grpclog.Component("credentials")
|
||||
|
||||
// TLSInfo contains the auth information for a TLS authenticated connection.
|
||||
// It implements the AuthInfo interface.
|
||||
type TLSInfo struct {
|
||||
@@ -112,6 +116,22 @@ func (c *tlsCreds) ClientHandshake(ctx context.Context, authority string, rawCon
|
||||
conn.Close()
|
||||
return nil, nil, ctx.Err()
|
||||
}
|
||||
|
||||
// The negotiated protocol can be either of the following:
|
||||
// 1. h2: When the server supports ALPN. Only HTTP/2 can be negotiated since
|
||||
// it is the only protocol advertised by the client during the handshake.
|
||||
// The tls library ensures that the server chooses a protocol advertised
|
||||
// by the client.
|
||||
// 2. "" (empty string): If the server doesn't support ALPN. ALPN is a requirement
|
||||
// for using HTTP/2 over TLS. We can terminate the connection immediately.
|
||||
np := conn.ConnectionState().NegotiatedProtocol
|
||||
if np == "" {
|
||||
if envconfig.EnforceALPNEnabled {
|
||||
conn.Close()
|
||||
return nil, nil, fmt.Errorf("credentials: cannot check peer: missing selected ALPN property")
|
||||
}
|
||||
logger.Warningf("Allowing TLS connection to server %q with ALPN disabled. TLS connections to servers with ALPN disabled will be disallowed in future grpc-go releases", cfg.ServerName)
|
||||
}
|
||||
tlsInfo := TLSInfo{
|
||||
State: conn.ConnectionState(),
|
||||
CommonAuthInfo: CommonAuthInfo{
|
||||
@@ -131,8 +151,20 @@ func (c *tlsCreds) ServerHandshake(rawConn net.Conn) (net.Conn, AuthInfo, error)
|
||||
conn.Close()
|
||||
return nil, nil, err
|
||||
}
|
||||
cs := conn.ConnectionState()
|
||||
// The negotiated application protocol can be empty only if the client doesn't
|
||||
// support ALPN. In such cases, we can close the connection since ALPN is required
|
||||
// for using HTTP/2 over TLS.
|
||||
if cs.NegotiatedProtocol == "" {
|
||||
if envconfig.EnforceALPNEnabled {
|
||||
conn.Close()
|
||||
return nil, nil, fmt.Errorf("credentials: cannot check peer: missing selected ALPN property")
|
||||
} else if logger.V(2) {
|
||||
logger.Info("Allowing TLS connection from client with ALPN disabled. TLS connections with ALPN disabled will be disallowed in future grpc-go releases")
|
||||
}
|
||||
}
|
||||
tlsInfo := TLSInfo{
|
||||
State: conn.ConnectionState(),
|
||||
State: cs,
|
||||
CommonAuthInfo: CommonAuthInfo{
|
||||
SecurityLevel: PrivacyAndIntegrity,
|
||||
},
|
||||
|
||||
Reference in New Issue
Block a user