config: enforce safe use of TLS
This commit is contained in:
parent
5be7e710c7
commit
4d0537d4c3
@ -1176,9 +1176,10 @@ func ValidateConfig(cfg Config, usageMessage string) (*Config, error) {
|
|||||||
|
|
||||||
// For each of the RPC listeners (REST+gRPC), we'll ensure that users
|
// For each of the RPC listeners (REST+gRPC), we'll ensure that users
|
||||||
// have specified a safe combo for authentication. If not, we'll bail
|
// have specified a safe combo for authentication. If not, we'll bail
|
||||||
// out with an error.
|
// out with an error. Since we don't allow disabling TLS for gRPC
|
||||||
|
// connections we pass in tlsActive=true.
|
||||||
err = lncfg.EnforceSafeAuthentication(
|
err = lncfg.EnforceSafeAuthentication(
|
||||||
cfg.RPCListeners, !cfg.NoMacaroons,
|
cfg.RPCListeners, !cfg.NoMacaroons, true,
|
||||||
)
|
)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
@ -1189,7 +1190,7 @@ func ValidateConfig(cfg Config, usageMessage string) (*Config, error) {
|
|||||||
cfg.RESTListeners = nil
|
cfg.RESTListeners = nil
|
||||||
} else {
|
} else {
|
||||||
err = lncfg.EnforceSafeAuthentication(
|
err = lncfg.EnforceSafeAuthentication(
|
||||||
cfg.RESTListeners, !cfg.NoMacaroons,
|
cfg.RESTListeners, !cfg.NoMacaroons, !cfg.DisableRestTLS,
|
||||||
)
|
)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
|
@ -48,11 +48,13 @@ func NormalizeAddresses(addrs []string, defaultPort string,
|
|||||||
}
|
}
|
||||||
|
|
||||||
// EnforceSafeAuthentication enforces "safe" authentication taking into account
|
// EnforceSafeAuthentication enforces "safe" authentication taking into account
|
||||||
// the interfaces that the RPC servers are listening on, and if macaroons are
|
// the interfaces that the RPC servers are listening on, and if macaroons and
|
||||||
// activated or not. To protect users from using dangerous config combinations,
|
// TLS is activated or not. To protect users from using dangerous config
|
||||||
// we'll prevent disabling authentication if the server is listening on a public
|
// combinations, we'll prevent disabling authentication if the server is
|
||||||
// interface.
|
// listening on a public interface.
|
||||||
func EnforceSafeAuthentication(addrs []net.Addr, macaroonsActive bool) error {
|
func EnforceSafeAuthentication(addrs []net.Addr, macaroonsActive,
|
||||||
|
tlsActive bool) error {
|
||||||
|
|
||||||
// We'll now examine all addresses that this RPC server is listening
|
// We'll now examine all addresses that this RPC server is listening
|
||||||
// on. If it's a localhost address or a private address, we'll skip it,
|
// on. If it's a localhost address or a private address, we'll skip it,
|
||||||
// otherwise, we'll return an error if macaroons are inactive.
|
// otherwise, we'll return an error if macaroons are inactive.
|
||||||
@ -62,10 +64,17 @@ func EnforceSafeAuthentication(addrs []net.Addr, macaroonsActive bool) error {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if !macaroonsActive {
|
if !macaroonsActive {
|
||||||
return fmt.Errorf("Detected RPC server listening on "+
|
return fmt.Errorf("detected RPC server listening on "+
|
||||||
"publicly reachable interface %v with "+
|
"publicly reachable interface %v with "+
|
||||||
"authentication disabled! Refusing to start "+
|
"authentication disabled! Refusing to start "+
|
||||||
"with --no-macaroons specified.", addr)
|
"with --no-macaroons specified", addr)
|
||||||
|
}
|
||||||
|
|
||||||
|
if !tlsActive {
|
||||||
|
return fmt.Errorf("detected RPC server listening on "+
|
||||||
|
"publicly reachable interface %v with "+
|
||||||
|
"encryption disabled! Refusing to start "+
|
||||||
|
"with --notls specified", addr)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
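Review bot: The error returned from the new `!tlsActive` branch says the node was started `with --notls specified`, but the REST caller passes this parameter as `!cfg.DisableRestTLS`, so for a REST listener the message appears to name a flag the user did not set; since the exact REST flag name is not visible in the hunk, consider dropping the flag from the text, e.g. `"encryption disabled! Refusing to start", addr)`, or passing the offending flag name in as a parameter. The loop comment just above this hunk, `otherwise, we'll return an error if macaroons are inactive.`, still describes only the macaroon case and should read `otherwise, we'll return an error if macaroons or TLS are inactive.`. Because the macaroon check runs first, a public listener with both disabled only ever reports the authentication error; a short comment such as `// Report the auth problem first; the TLS check below only fires once it is fixed.` would stop a reader from assuming the TLS branch is dead. The loop header and the localhost/private-address skip it relies on are outside this hunk.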
|