Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[FAB-17220] Dynamically build TLS config in Raft client handshake #376

Merged
merged 1 commit into from
Dec 8, 2019
Merged

[FAB-17220] Dynamically build TLS config in Raft client handshake #376

merged 1 commit into from
Dec 8, 2019

Conversation

yacovm
Copy link
Contributor

@yacovm yacovm commented Dec 6, 2019
edited
Loading

When we expand the root TLS CA in the channel config, after
Raft membership has expanded with an OSN that is issed a certificate
by a new TLS CA, the TLS client handshake uses the old root CA pool
and as a result the added orderer cannot be reached by the existing ones,
because their dialers reject its certificate.

This change set builds a dynamic transport credentials that
re-computes the TLS config in every TLS client handshake.

Expanded an integration test to ensure this works.

Change-Id: I6578ba49f16e14b97eb4eef4feccdecbfe1b7015
Signed-off-by: yacovm yacovm@il.ibm.com

@hyperledger hyperledger deleted a comment from azure-pipelines bot Dec 6, 2019
@yacovm
Copy link
Contributor Author

yacovm commented Dec 6, 2019

/azp run

@azure-pipelines
Copy link

Azure Pipelines successfully started running 1 pipeline(s).

mastersingh24
mastersingh24 suggested changes Dec 7, 2019
View reviewed changes
core/comm/client.go Outdated Show resolved Hide resolved
core/comm/client.go Outdated Show resolved Hide resolved
@yacovm
[FAB-17220] Dynamically build TLS config in Raft client handshake
3cce10a 
When we expand the root TLS CA in the channel config, *after*
Raft membership has expanded with an OSN that is issed a certificate
by a new TLS CA, the TLS client handshake uses the old root CA pool
and as a result the added orderer cannot be reached by the existing ones,
because their dialers reject its certificate.

This change set builds a dynamic transport credentials that
re-computes the TLS config in every TLS client handshake.

Expanded an integration test to ensure this works.

Change-Id: I6578ba49f16e14b97eb4eef4feccdecbfe1b7015
Signed-off-by: yacovm <yacovm@il.ibm.com>
@yacovm yacovm requested a review from mastersingh24 December 7, 2019 15:11
@C0rWin C0rWin merged commit 4149c6d into hyperledger:master Dec 8, 2019
@yacovm yacovm deleted the tlsRotate branch December 8, 2019 11:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mastersingh24 mastersingh24 mastersingh24 approved these changes

@C0rWin C0rWin C0rWin approved these changes

@ale-linux ale-linux Awaiting requested review from ale-linux

@binhn binhn Awaiting requested review from binhn

@christo4ferris christo4ferris Awaiting requested review from christo4ferris

@denyeart denyeart Awaiting requested review from denyeart

@guoger guoger Awaiting requested review from guoger

@jyellick jyellick Awaiting requested review from jyellick

@kchristidis kchristidis Awaiting requested review from kchristidis

@manish-sethi manish-sethi Awaiting requested review from manish-sethi

@muralisrini muralisrini Awaiting requested review from muralisrini

@sykesm sykesm Awaiting requested review from sykesm

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@yacovm @C0rWin @mastersingh24