We accept mismatched handshakes now, so there is no need to kill now-mismatched tunnels (this is fine as long as we don't let you change your set of vpnNetworks on reload).

This commit is contained in:
JackDoan
2025-10-02 10:54:30 -05:00
parent 26a00a5647
commit 32649de665


@@ -478,19 +478,19 @@ func (cm *connectionManager) swapPrimary(current, primary *HostInfo) {
cm.hostMap.Unlock() cm.hostMap.Unlock()
} }
// isInvalidCertificate will check if we should destroy a tunnel if pki.disconnect_invalid is true and // isInvalidCertificate decides if we should destroy a tunnel.
// the certificate is no longer valid, or if we no longer have a certificate of the same version as the remote. // returns true if pki.disconnect_invalid is true and the certificate is no longer valid.
// Blocklisted certificates will skip the pki.disconnect_invalid check and return true. // Blocklisted certificates will skip the pki.disconnect_invalid check and return true.
func (cm *connectionManager) isInvalidCertificate(now time.Time, hostinfo *HostInfo) bool { func (cm *connectionManager) isInvalidCertificate(now time.Time, hostinfo *HostInfo) bool {
remoteCert := hostinfo.GetCert() remoteCert := hostinfo.GetCert()
if remoteCert == nil { if remoteCert == nil {
return false return false //don't tear down tunnels for handshakes in progress
} }
caPool := cm.intf.pki.GetCAPool() caPool := cm.intf.pki.GetCAPool()
err := caPool.VerifyCachedCertificate(now, remoteCert) err := caPool.VerifyCachedCertificate(now, remoteCert)
if err == nil { if err == nil {
return false return false //cert is still valid! yay!
} else if err == cert.ErrBlockListed { //avoiding errors.Is for speed } else if err == cert.ErrBlockListed { //avoiding errors.Is for speed
// Block listed certificates should always be disconnected // Block listed certificates should always be disconnected
hostinfo.logger(cm.l).WithError(err). hostinfo.logger(cm.l).WithError(err).
@@ -502,27 +502,10 @@ func (cm *connectionManager) isInvalidCertificate(now time.Time, hostinfo *HostI
WithField("fingerprint", remoteCert.Fingerprint). WithField("fingerprint", remoteCert.Fingerprint).
Info("Remote certificate is no longer valid, tearing down the tunnel") Info("Remote certificate is no longer valid, tearing down the tunnel")
return true return true
} else {
//if we reach here, the cert is no longer valid, but we're configured to keep tunnels from now-invalid certs open
return false
} }
//check that we still have a cert version in common with this connection. If we do not, disconnect.
remoteVersion := remoteCert.Certificate.Version()
cs := cm.intf.pki.getCertState()
out := false
switch remoteVersion {
case cert.Version1:
out = cs.v1Cert == nil
case cert.Version2:
out = cs.v2Cert == nil
default:
out = true
}
if out {
hostinfo.logger(cm.l).WithField("fingerprint", remoteCert.Fingerprint).
WithField("version", remoteVersion).
Info("We no longer have a certificate in common with remote, tearing down the tunnel")
}
return out
} }
func (cm *connectionManager) sendPunch(hostinfo *HostInfo) { func (cm *connectionManager) sendPunch(hostinfo *HostInfo) {
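Review bot: The condition the commit message relies on — that the configured set of vpnNetworks cannot change on reload — is not recorded anywhere in isInvalidCertificate, so a later change to reload handling could reintroduce the case the removed version-in-common check used to catch without this function noticing. On the new side the header comment now describes only the pki.disconnect_invalid and blocklist paths, so the reason a version mismatch is no longer grounds for teardown is lost to the next reader. I would add a sentence to that header comment, e.g. `// A remote cert version we no longer hold is not a reason to disconnect; this relies on vpnNetworks being fixed across reloads.`, so the invariant travels with the code. The tail of the rewritten function is not fully legible on this page, so I cannot confirm what it returns after the blocklist branch; worth a glance that the non-blocklisted, disconnect_invalid=false path still returns false as the old `else` did.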