Commit Graph

15 Commits

Author SHA1 Message Date
Sebastiaan van Stijn 04347f793d
context: Endpoint.ClientOpts(): use client.WithVersionFromEnv()
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-03-30 17:42:23 +02:00
Sebastiaan van Stijn 08a1ccc60a
Remove support for encrypted TLS private keys
> Legacy PEM encryption as specified in RFC 1423 is insecure by design. Since
> it does not authenticate the ciphertext, it is vulnerable to padding oracle
> attacks that can let an attacker recover the plaintext

From https://go-review.googlesource.com/c/go/+/264159

> It's unfortunate that we don't implement PKCS#8 encryption so we can't
> recommend an alternative but PEM encryption is so broken that it's worth
> deprecating outright.

This feature allowed using an encrypted private key with a supplied password,
but did not provide additional security as the encryption is known to be broken,
and the key is sitting next to the password in the filesystem. Users are recommended
to decrypt the private key, and store it un-encrypted to continue using it.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-27 14:26:32 +01:00
Sebastiaan van Stijn 15535d4594
context: deprecate support for encrypted TLS private keys
> Legacy PEM encryption as specified in RFC 1423 is insecure by design. Since
> it does not authenticate the ciphertext, it is vulnerable to padding oracle
> attacks that can let an attacker recover the plaintext

From https://go-review.googlesource.com/c/go/+/264159

> It's unfortunate that we don't implement PKCS#8 encryption so we can't
> recommend an alternative but PEM encryption is so broken that it's worth
> deprecating outright.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-28 14:42:45 +02:00
Sebastiaan van Stijn 2688f25eb7
cli/context: ignore linting warnings about RFC 1423 encryption
From https://go-review.googlesource.com/c/go/+/264159

> It's unfortunate that we don't implement PKCS#8 encryption so we can't
> recommend an alternative but PEM encryption is so broken that it's worth
> deprecating outright.

When linting on Go 1.16:

    cli/context/docker/load.go:69:6: SA1019: x509.IsEncryptedPEMBlock is deprecated: Legacy PEM encryption as specified in RFC 1423 is insecure by design. Since it does not authenticate the ciphertext, it is vulnerable to padding oracle attacks that can let an attacker recover the plaintext.  (staticcheck)
            if x509.IsEncryptedPEMBlock(pemBlock) {
               ^
    cli/context/docker/load.go:70:20: SA1019: x509.DecryptPEMBlock is deprecated: Legacy PEM encryption as specified in RFC 1423 is insecure by design. Since it does not authenticate the ciphertext, it is vulnerable to padding oracle attacks that can let an attacker recover the plaintext.  (staticcheck)
                keyBytes, err = x509.DecryptPEMBlock(pemBlock, []byte(c.TLSPassword))
                                ^

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-26 18:00:01 +02:00
Nicolas De Loof e25e077a20
restore support for env variables to configure proxy
regression introduced by b34f34
close #39654

Signed-off-by: Nicolas De Loof <nicolas.deloof@gmail.com>
2019-08-22 16:39:21 +02:00
Ian Campbell 33a9a63927
Revert "add a 10s timeout to the client object."
This reverts commit 59defcb34d which caused #1892
since the timeout applied not only to the dial phase but to everything, so it
would kill `docker logs -f ...` if the container was not chatty enough.

Signed-off-by: Ian Campbell <ijc@docker.com>
2019-05-17 10:35:01 +01:00
Tibor Vass c52e1f2487
context: ClientOpts() now includes WithAPIVersionNegotiation if version is missing
Signed-off-by: Tibor Vass <tibor@docker.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-05-13 17:36:06 -07:00
Ian Campbell 59defcb34d
add a 10s timeout to the client object.
This partially mitigates #1739 ("Docker commands take 1 minute to timeout if
context endpoint is unreachable") and is a simpler alternative to #1747 (which
completely defers the client connection until an actual call is attempted).

Note that the previous 60s delay was the culmination of two separate 30s
timeouts since the ping is tried twice. With this patch the overall
timeout is 20s. https://github.com/moby/moby/pull/39206 will remove the second
ping and once that propagates to this tree the timeout will be 10s.

Signed-off-by: Ian Campbell <ijc@docker.com>
2019-05-13 13:53:03 +01:00
Sebastiaan van Stijn d365225c32
Merge pull request #1838 from simonferquel/remove-context-in-function-names
Remove "context" from context store interfaces function names
2019-04-18 18:38:01 +02:00
Sebastiaan van Stijn 71570160c1
Merge pull request #1826 from thaJeztah/bump_engine2
bump docker/docker ed07e1152879a4d156dff2e86abca3c4c811e743
2019-04-18 17:48:44 +02:00
Simon Ferquel a3efd5d195
Cleanup context store interfaces
This removes the term "context" from context store interfaces, to make
them more concise

Signed-off-by: Simon Ferquel <simon.ferquel@docker.com>
2019-04-18 15:49:36 +02:00
Simon Ferquel 225c9b189a
Split the context store interface
This is to make it easier to implement support for exporting contexts in
3rd party code, or to create mocks in tests.

2 examples where it simplifies things:
- docker-app desktop-specific context decorator (which rewrites parts of
the docker context to simplify UX when using on Docker Desktop contexts)
- ucp for including a context in the connection bundle

Signed-off-by: Simon Ferquel <simon.ferquel@docker.com>
2019-04-18 15:03:46 +02:00
Sebastiaan van Stijn f07e16d42c
bump docker/docker ed07e1152879a4d156dff2e86abca3c4c811e743
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-04-13 03:09:15 +02:00
Simon Ferquel 591385a1d0
Fast Context Switch: commands
Signed-off-by: Simon Ferquel <simon.ferquel@docker.com>
2019-01-10 22:25:43 +01:00
Simon Ferquel b34f340346
Introduce docker context store
This PR adds a store to the CLI, that can be leveraged to persist and
retrieve credentials for various API endpoints, as well as
context-specific settings (initially, default stack orchestrator, but we
could expand that).

This comes with the logic to persist and retrieve endpoints configs
for both Docker and Kubernetes APIs.

Signed-off-by: Simon Ferquel <simon.ferquel@docker.com>
2019-01-04 17:06:51 +01:00