config: enforce safe use of TLS
This commit is contained in:
parent
5be7e710c7
commit
4d0537d4c3
@ -1176,9 +1176,10 @@ func ValidateConfig(cfg Config, usageMessage string) (*Config, error) {
|
||||
|
||||
// For each of the RPC listeners (REST+gRPC), we'll ensure that users
|
||||
// have specified a safe combo for authentication. If not, we'll bail
|
||||
// out with an error.
|
||||
// out with an error. Since we don't allow disabling TLS for gRPC
|
||||
// connections we pass in tlsActive=true.
|
||||
err = lncfg.EnforceSafeAuthentication(
|
||||
cfg.RPCListeners, !cfg.NoMacaroons,
|
||||
cfg.RPCListeners, !cfg.NoMacaroons, true,
|
||||
)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
@ -1189,7 +1190,7 @@ func ValidateConfig(cfg Config, usageMessage string) (*Config, error) {
|
||||
cfg.RESTListeners = nil
|
||||
} else {
|
||||
err = lncfg.EnforceSafeAuthentication(
|
||||
cfg.RESTListeners, !cfg.NoMacaroons,
|
||||
cfg.RESTListeners, !cfg.NoMacaroons, !cfg.DisableRestTLS,
|
||||
)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
|
@ -48,11 +48,13 @@ func NormalizeAddresses(addrs []string, defaultPort string,
|
||||
}
|
||||
|
||||
// EnforceSafeAuthentication enforces "safe" authentication taking into account
|
||||
// the interfaces that the RPC servers are listening on, and if macaroons are
|
||||
// activated or not. To protect users from using dangerous config combinations,
|
||||
// we'll prevent disabling authentication if the server is listening on a public
|
||||
// interface.
|
||||
func EnforceSafeAuthentication(addrs []net.Addr, macaroonsActive bool) error {
|
||||
// the interfaces that the RPC servers are listening on, and if macaroons and
|
||||
// TLS is activated or not. To protect users from using dangerous config
|
||||
// combinations, we'll prevent disabling authentication if the server is
|
||||
// listening on a public interface.
|
||||
func EnforceSafeAuthentication(addrs []net.Addr, macaroonsActive,
|
||||
tlsActive bool) error {
|
||||
|
||||
// We'll now examine all addresses that this RPC server is listening
|
||||
// on. If it's a localhost address or a private address, we'll skip it,
|
||||
// otherwise, we'll return an error if macaroons are inactive.
|
||||
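Review bot: The rewritten doc comment still describes only the authentication side of the check: it says the function will "prevent disabling authentication" although the new `tlsActive` parameter now also makes it refuse an unencrypted listener, and "macaroons and TLS is activated" should read "are activated". Suggest `// combinations, we'll prevent disabling authentication or TLS if the server is` followed by `// listening on a public interface.` so the contract matches the code. Since the loop comment below says loopback and private addresses are skipped, the doc comment would also benefit from one sentence stating that both checks apply only to publicly reachable interfaces, so an operator knows a LAN-only listener without TLS is still accepted. EnforceSafeAuthentication's body continues past the end of this hunk.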
@ -62,10 +64,17 @@ func EnforceSafeAuthentication(addrs []net.Addr, macaroonsActive bool) error {
|
||||
}
|
||||
|
||||
if !macaroonsActive {
|
||||
return fmt.Errorf("Detected RPC server listening on "+
|
||||
return fmt.Errorf("detected RPC server listening on "+
|
||||
"publicly reachable interface %v with "+
|
||||
"authentication disabled! Refusing to start "+
|
||||
"with --no-macaroons specified.", addr)
|
||||
"with --no-macaroons specified", addr)
|
||||
}
|
||||
|
||||
if !tlsActive {
|
||||
return fmt.Errorf("detected RPC server listening on "+
|
||||
"publicly reachable interface %v with "+
|
||||
"encryption disabled! Refusing to start "+
|
||||
"with --notls specified", addr)
|
||||
}
|
||||
}
|
||||
|
||||
|
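Review bot: The new `!tlsActive` branch hard-codes `--notls` in its error text, but the REST caller in config.go derives `tlsActive` from `cfg.DisableRestTLS`, so the switch named in the message may not be the one the operator actually set; if the user-facing option is spelled differently, the error points at the wrong flag. Consider dropping the flag name, e.g. `"encryption disabled! Refusing to start with TLS disabled", addr)`, or passing the option name in from the caller alongside `tlsActive`. Because the macaroon check returns first, an operator who disabled both sees only the `--no-macaroons` error and discovers the TLS refusal on the next start; if that is acceptable it is worth a short comment above the second `if`, e.g. `// Checked after macaroons; only the first violation is reported.`. The enclosing loop and function start above this hunk.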