fix tls client by passing ca

iris-mpc-upgrade/src/bin/docker-compose.yaml

@@ -57,7 +57,7 @@ services:
       - SERVICES=kms
       - DEFAULT_REGION=us-east-1
   reshare-server-2:
-    image: ghcr.io/worldcoin/iris-mpc:146c2cae43dbeb586144d9d37d152a6b2bfacdd4
+    image: ghcr.io/worldcoin/iris-mpc:0e20fb5bd297cbb9e5d5bacdcd33cbd90025e4f9
     platform: linux/x86_64
     entrypoint: reshare-server
     command: "--party-id 2 --sender1-party-id 0 --sender2-party-id 1 --bind-addr 0.0.0.0:7000 --environment testing --db-url postgres://postgres:postgres@new-db-4:5432 --batch-size 100 --healthcheck-port 3000"

iris-mpc-upgrade/src/bin/ping-pong-client.rs

@@ -2,7 +2,7 @@ use clap::Parser;
 use iris_mpc_upgrade::{
     config::PingClientConfig,
     proto::iris_mpc_reshare::{ping_pong_client::PingPongClient, Ping},
-    utils::install_tracing,
+    utils::{extract_domain, install_tracing},
 };
 use tonic::transport::{Certificate, Channel, ClientTlsConfig};
 
@@ -18,9 +18,19 @@ async fn main() -> eyre::Result<()> {
     let pem = tokio::fs::read(config.client_tls_cert_path)
         .await
         .expect("oh no, the cert file wasn't loaded");
+
     let cert = Certificate::from_pem(pem.clone());
 
-    let tls = ClientTlsConfig::new().ca_certificate(cert);
+    let domain = extract_domain(&config.server_url.clone(), true)?;
+
+    println!(
+        "TLS connecting to address {} using domain {}",
+        config.server_url.clone(),
+        domain
+    );
+    let tls = ClientTlsConfig::new()
+        .domain_name(domain)
+        .ca_certificate(cert);
 
     // build a tonic transport channel ourselves, since we want to add a tls config
     let channel = Channel::from_shared(config.server_url.clone())?

iris-mpc-upgrade/src/bin/reshare-client.rs

@@ -15,7 +15,7 @@ use iris_mpc_upgrade::{
         },
     },
     reshare::IrisCodeReshareSenderHelper,
-    utils::install_tracing,
+    utils::{extract_domain, install_tracing},
 };
 use sha2::Sha256;
 use tonic::transport::{Certificate, Channel, ClientTlsConfig};
@@ -82,7 +82,16 @@ async fn main() -> eyre::Result<()> {
         .expect("oh no, the cert file wasn't loaded");
     let cert = Certificate::from_pem(pem.clone());
 
-    let tls = ClientTlsConfig::new().ca_certificate(cert);
+    let domain = extract_domain(&config.server_url.clone(), true)?;
+    println!(
+        "TLS connecting to address {} using domain {},",
+        config.server_url.clone(),
+        domain
+    );
+
+    let tls = ClientTlsConfig::new()
+        .domain_name(domain)
+        .ca_certificate(cert);
 
     // build a tonic transport channel ourselves, since we want to add a tls config
     let channel = Channel::from_shared(config.server_url.clone())?

iris-mpc-upgrade/src/bin/tcp_ssl_upgrade_client.rs

@@ -9,17 +9,15 @@ use iris_mpc_upgrade::{
     },
     db::V1Db,
     packets::{MaskShareMessage, TwoToThreeIrisCodeMessage},
-    utils::{get_shares_from_masks, get_shares_from_shares, install_tracing, V1Database},
+    utils::{
+        extract_domain, get_shares_from_masks, get_shares_from_shares, install_tracing, V1Database,
+    },
     OldIrisShareSource,
 };
 use mpc_uniqueness_check::{bits::Bits, distance::EncodedBits};
 use rand::SeedableRng;
 use rand_chacha::ChaCha20Rng;
-use std::{
-    io::{Error as IoError, ErrorKind},
-    pin::Pin,
-    time::Duration,
-};
+use std::{pin::Pin, time::Duration};
 use tokio::{
     io::{AsyncReadExt, AsyncWriteExt},
     net::TcpStream,
@@ -28,18 +26,6 @@ use tokio::{
 use tokio_native_tls::{TlsConnector, TlsStream};
 use tracing::error;
 
-fn extract_domain(address: &str) -> Result<String, IoError> {
-    // Try to split the address into domain and port parts.
-    if let Some((domain, _port)) = address.rsplit_once(':') {
-        Ok(domain.to_string())
-    } else {
-        Err(IoError::new(
-            ErrorKind::InvalidInput,
-            "Invalid address format",
-        ))
-    }
-}
-
 async fn prepare_tls_stream_for_writing(address: &str) -> eyre::Result<TlsStream<TcpStream>> {
     // Create a TCP connection
     let stream = TcpStream::connect(address).await?;
@@ -48,7 +34,7 @@ async fn prepare_tls_stream_for_writing(address: &str) -> eyre::Result<TlsStream
     let native_tls_connector = tokio_native_tls::native_tls::TlsConnector::new()?;
     let tls_connector = TlsConnector::from(native_tls_connector);
 
-    let domain = extract_domain(address)?;
+    let domain = extract_domain(address, true)?;
     println!(
         "TLS connecting to address {} using domain {},",
         address, domain

iris-mpc-upgrade/src/utils.rs

@@ -11,7 +11,11 @@ use iris_mpc_common::galois_engine::degree4::{
 };
 use mpc_uniqueness_check::{bits::Bits, distance::EncodedBits};
 use rand_chacha::ChaCha20Rng;
-use std::{array, convert::TryFrom};
+use std::{
+    array,
+    convert::TryFrom,
+    io::{Error as IoError, ErrorKind},
+};
 
 pub fn install_tracing() {
     use tracing_subscriber::{fmt, prelude::*, EnvFilter};
@@ -145,3 +149,24 @@ pub async fn spawn_healthcheck_server(healthcheck_port: usize) -> eyre::Result<(
         .wrap_err("healthcheck listener server launch error")?;
     Ok(())
 }
+
+pub fn extract_domain(address: &str, remove_protocol: bool) -> Result<String, IoError> {
+    // Try to split the address into domain and port parts.
+    let mut address = address.trim().to_string();
+    if remove_protocol {
+        address = address
+            .strip_prefix("http://")
+            .or_else(|| address.strip_prefix("https://"))
+            .unwrap_or(&address)
+            .to_string();
+    }
+
+    if let Some((domain, _port)) = address.rsplit_once(':') {
+        Ok(domain.to_string())
+    } else {
+        Err(IoError::new(
+            ErrorKind::InvalidInput,
+            "Invalid address format",
+        ))
+    }
+}