-
Notifications
You must be signed in to change notification settings - Fork 157
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Controller returns information even if client cert is not valid #1329
Comments
It is not a bug, it is by design. There are a couple of endpoints that return things like version numbers for the sake of operations. When a new client is coming up, it needs the version information so that it can match it, and may not be able to attach until it does. Understanding that it is a small window of opportunity for malicious actors, it is, in fact, well defended by other means, and the overall security of the network is not significantly reduced, particularly when compared with the ability to operate. |
Thanks for the explanation! I don't have knowledge of what specifically goes on during client bootstrap - I just assumed that any of that information would only be useful on the application-level after a proper mTLS negotiation anyway. |
i'm gonna close this issue now. reoopen as needed. thanks |
Also make buffer sizes adaptive to help perf Fix potential panic in servicepoll if there are no controllers connected
Ensure buffers are big enough for UDP datagrams. Fixes #1329
When I curl the controller on its advertised edge port with an invalid (or no) client cert I get some information, such as the ziti version number:
I don't know if this is a bug or not, but it's probably not a good idea to advertise version numbers of either the runtime or the fabric to unauthenticated users.
The text was updated successfully, but these errors were encountered: