From 5df129ff2079d82d8da5cb4fa34f7f7d768af56a Mon Sep 17 00:00:00 2001
From: Philip O'Toole
Date: Thu, 13 Jul 2023 10:32:10 -0400
Subject: [PATCH] Remove no-longer supported command-line options
---
cluster/bootstrap_test.go | 2 +-
cluster/join_test.go | 2 +-
cluster/service_mux_test.go | 2 +-
cmd/rqlited/flags.go | 13 -------------
cmd/rqlited/main.go | 5 ++---
http/service.go | 3 +--
rtls/config.go | 21 ++++++++-------------
rtls/config_test.go | 14 +++++++-------
system_test/cluster_test.go | 2 +-
system_test/request_forwarding_test.go | 2 +-
tcp/dialer_test.go | 4 ++--
tcp/mux.go | 2 +-
12 files changed, 26 insertions(+), 46 deletions(-)
diff --git a/cluster/bootstrap_test.go b/cluster/bootstrap_test.go
index 3d0a5c10..79d25832 100644
--- a/cluster/bootstrap_test.go
+++ b/cluster/bootstrap_test.go
@@ -190,7 +190,7 @@ func Test_BootstrapperBootSingleNotifyHTTPS(t *testing.T) {
 return n == 5
 }
- tlsConfig, err := rtls.CreateClientConfig("", "", "", true, false)
+ tlsConfig, err := rtls.CreateClientConfig("", "", "", true)
 if err != nil {
 t.Fatalf("failed to create TLS config: %s", err)
 }
diff --git a/cluster/join_test.go b/cluster/join_test.go
index cdb46c18..6441c8e7 100644
--- a/cluster/join_test.go
+++ b/cluster/join_test.go
@@ -109,7 +109,7 @@ func Test_SingleJoinHTTPSOK(t *testing.T) {
 ts.TLS = &tls.Config{NextProtos: []string{"h2", "http/1.1"}}
 ts.StartTLS()
- tlsConfig, err := rtls.CreateClientConfig("", "", "", true, false)
+ tlsConfig, err := rtls.CreateClientConfig("", "", "", true)
 if err != nil {
 t.Fatalf("failed to create TLS config: %s", err.Error())
 }
diff --git a/cluster/service_mux_test.go b/cluster/service_mux_test.go
index 7b68562d..443e126f 100644
--- a/cluster/service_mux_test.go
+++ b/cluster/service_mux_test.go
@@ -118,7 +118,7 @@ func mustNewDialer(header byte, remoteEncrypted, skipVerify bool) *tcp.Dialer {
 var tlsConfig *tls.Config
 var err error
 if remoteEncrypted {
- tlsConfig, err = rtls.CreateClientConfig("", "", "", skipVerify, false)
+ tlsConfig, err = rtls.CreateClientConfig("", "", "", skipVerify)
 if err != nil {
 panic(fmt.Sprintf("failed to create client TLS config: %s", err))
 }
diff --git a/cmd/rqlited/flags.go b/cmd/rqlited/flags.go
index ae0dd00a..90a80e06 100644
--- a/cmd/rqlited/flags.go
+++ b/cmd/rqlited/flags.go
@@ -47,10 +47,6 @@ type Config struct {
 // HTTPAdv is the advertised HTTP server network.
 HTTPAdv string
- // TLS1011 indicates whether the node should support deprecated
- // encryption standards.
- TLS1011 bool
-
 // AuthFile is the path to the authentication file. May not be set.
 AuthFile string `filepath:"true"`
@@ -76,9 +72,6 @@ type Config struct {
 // HTTPVerifyClient indicates whether the HTTP server should verify client certificates.
 HTTPVerifyClient bool
- // NodeEncrypt indicates whether node encryption should be enabled.
- NodeEncrypt bool
-
 // NodeX509CACert is the path to the CA certficate file for when this node verifies
 // other certificates for any inter-node communications. May not be set.
 NodeX509CACert string `filepath:"true"`
@@ -150,9 +143,6 @@ type Config struct {
 // OnDiskPath sets the path to the SQLite file. May not be set.
 OnDiskPath string
- // OnDiskStartup disables the in-memory on-disk startup optimization.
- OnDiskStartup bool
-
 // FKConstraints enables SQLite foreign key constraints.
 FKConstraints bool
@@ -445,13 +435,11 @@ func ParseFlags(name, desc string, build *BuildInfo) (*Config, error) {
 flag.StringVar(&config.NodeID, "node-id", "", "Unique ID for node. If not set, set to advertised Raft address")
 flag.StringVar(&config.HTTPAddr, HTTPAddrFlag, "localhost:4001", "HTTP server bind address. To enable HTTPS, set X.509 certificate and key")
 flag.StringVar(&config.HTTPAdv, HTTPAdvAddrFlag, "", "Advertised HTTP address. If not set, same as HTTP server bind address")
- flag.BoolVar(&config.TLS1011, "tls1011", false, "Support deprecated TLS versions 1.0 and 1.1")
 flag.StringVar(&config.HTTPx509CACert, "http-ca-cert", "", "Path to X.509 CA certificate for HTTPS")
 flag.StringVar(&config.HTTPx509Cert, HTTPx509CertFlag, "", "Path to HTTPS X.509 certificate")
 flag.StringVar(&config.HTTPx509Key, HTTPx509KeyFlag, "", "Path to HTTPS X.509 private key")
 flag.BoolVar(&config.NoHTTPVerify, "http-no-verify", false, "Skip verification of remote node's HTTPS certificate when joining a cluster")
 flag.BoolVar(&config.HTTPVerifyClient, "http-verify-client", false, "Enable mutual TLS for HTTPS")
- flag.BoolVar(&config.NodeEncrypt, "node-encrypt", false, "Ignored, control node-to-node encryption by setting node certificate and key")
 flag.StringVar(&config.NodeX509CACert, "node-ca-cert", "", "Path to X.509 CA certificate for node-to-node encryption")
 flag.StringVar(&config.NodeX509Cert, NodeX509CertFlag, "", "Path to X.509 certificate for node-to-node mutual authentication and encryption")
 flag.StringVar(&config.NodeX509Key, NodeX509KeyFlag, "", "Path to X.509 private key for node-to-node mutual authentication and encryption")
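Review bot: Dropping the `-tls1011`, `-node-encrypt` and (in the next ParseFlags hunk) `-on-disk-startup` definitions means the standard `flag` package rejects any invocation that still passes them, so a node launched from an unchanged script or unit file now fails at startup rather than running with the option ignored. For `-tls1011` that is the safer failure mode, since the alternative is an operator believing TLS 1.0/1.1 is still accepted when the floor is now fixed at 1.2; the two flags that were previously kept as "Ignored" evidently existed as a compatibility shim, so removing them in the same commit is a second, unrelated break. A release-note line naming all three removed options would make the behaviour change explicit to operators. ParseFlags begins and ends outside the hunk.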
@@ -476,7 +464,6 @@ func ParseFlags(name, desc string, build *BuildInfo) (*Config, error) {
 flag.BoolVar(&config.PprofEnabled, "pprof", true, "Serve pprof data on HTTP server")
 flag.BoolVar(&config.OnDisk, "on-disk", false, "Use an on-disk SQLite database")
 flag.StringVar(&config.OnDiskPath, "on-disk-path", "", "Path for SQLite on-disk database file. If not set, use a file in data directory")
- flag.BoolVar(&config.OnDiskStartup, "on-disk-startup", false, "Ignored, on-disk startup optimization control no longer necessary")
 flag.BoolVar(&config.FKConstraints, "fk", false, "Enable SQLite foreign key constraints")
 flag.BoolVar(&showVersion, "version", false, "Show version information and exit")
 flag.BoolVar(&config.RaftNonVoter, "raft-non-voter", false, "Configure as non-voting node")
diff --git a/cmd/rqlited/main.go b/cmd/rqlited/main.go
index b4def963..fef9d2f2 100644
--- a/cmd/rqlited/main.go
+++ b/cmd/rqlited/main.go
@@ -371,7 +371,6 @@ func startHTTPService(cfg *Config, str *store.Store, cltr *cluster.Client, credS
 s.CACertFile = cfg.HTTPx509CACert
 s.CertFile = cfg.HTTPx509Cert
 s.KeyFile = cfg.HTTPx509Key
- s.TLS1011 = cfg.TLS1011
 s.ClientVerify = cfg.HTTPVerifyClient
 s.Expvar = cfg.Expvar
 s.Pprof = cfg.PprofEnabled
@@ -462,7 +461,7 @@ func createClusterClient(cfg *Config, clstr *cluster.Service) (*cluster.Client,
 var err error
 if cfg.NodeX509Cert != "" || cfg.NodeX509CACert != "" {
 dialerTLSConfig, err = rtls.CreateClientConfig(cfg.NodeX509Cert, cfg.NodeX509Key,
- cfg.NodeX509CACert, cfg.NoNodeVerify, cfg.TLS1011)
+ cfg.NodeX509CACert, cfg.NoNodeVerify)
 if err != nil {
 return nil, fmt.Errorf("failed to create TLS config for cluster dialer: %s", err.Error())
 }
@@ -629,5 +628,5 @@ func createHTTPTLSConfig(cfg *Config) (*tls.Config, error) {
 return nil, nil
 }
 return rtls.CreateClientConfig(cfg.HTTPx509Cert, cfg.HTTPx509Key, cfg.HTTPx509CACert,
- cfg.NoHTTPVerify, cfg.TLS1011)
+ cfg.NoHTTPVerify)
 }
diff --git a/http/service.go b/http/service.go
index 6ffa1b27..016fb1d6 100644
--- a/http/service.go
+++ b/http/service.go
@@ -303,7 +303,6 @@ type Service struct {
 CACertFile string // Path to x509 CA certificate used to verify certificates.
 CertFile string // Path to server's own x509 certificate.
 KeyFile string // Path to server's own x509 private key.
- TLS1011 bool // Whether older, deprecated TLS should be supported.
 ClientVerify bool // Whether client certificates should verified.
 tlsConfig *tls.Config
@@ -356,7 +355,7 @@ func (s *Service) Start() error {
 return err
 }
 } else {
- s.tlsConfig, err = rtls.CreateServerConfig(s.CertFile, s.KeyFile, s.CACertFile, !s.ClientVerify, s.TLS1011)
+ s.tlsConfig, err = rtls.CreateServerConfig(s.CertFile, s.KeyFile, s.CACertFile, !s.ClientVerify)
 if err != nil {
 return err
 }
diff --git a/rtls/config.go b/rtls/config.go
index 2523d972..5243255d 100644
--- a/rtls/config.go
+++ b/rtls/config.go
@@ -14,9 +14,9 @@ import (
 // is true, the client will not verify the server's certificate. If mutual is true,
 // the server will verify the client's certificate. If tls1011 is true, the client will
 // accept TLS 1.0 or 1.1. Otherwise, it will require TLS 1.2 or higher.
-func CreateConfig(certFile, keyFile, caCertFile string, noverify, mutual, tls1011 bool) (*tls.Config, error) {
+func CreateConfig(certFile, keyFile, caCertFile string, noverify, mutual bool) (*tls.Config, error) {
 var err error
- config := createBaseTLSConfig(noverify, tls1011)
+ config := createBaseTLSConfig(noverify)
 // load the certificate and key
 if certFile != "" && keyFile != "" {
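Review bot: The doc comment directly above the new `CreateConfig` signature still says `If tls1011 is true, the client will accept TLS 1.0 or 1.1. Otherwise, it will require TLS 1.2 or higher.`, describing a parameter the commit removes; the same stale sentence survives on `CreateClientConfig` and `CreateServerConfig` in the next two hunks. Replace it in all three with a statement of the now-fixed floor, e.g. `// The returned config requires TLS 1.2 or higher.`, so a reader does not go looking for a way to lower the minimum version. Those comment lines are unchanged context here, so this needs a follow-up touch of the same file. CreateConfig's body continues outside the hunk.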
@@ -57,10 +57,10 @@ func CreateConfig(certFile, keyFile, caCertFile string, noverify, mutual, tls101
 // presented by the server. If noverify is true, the client will not verify the server's certificate.
 // If tls1011 is true, the client will accept TLS 1.0 or 1.1. Otherwise, it will require TLS 1.2
 // or higher.
-func CreateClientConfig(certFile, keyFile, caCertFile string, noverify, tls1011 bool) (*tls.Config, error) {
+func CreateClientConfig(certFile, keyFile, caCertFile string, noverify bool) (*tls.Config, error) {
 var err error
- config := createBaseTLSConfig(noverify, tls1011)
+ config := createBaseTLSConfig(noverify)
 if certFile != "" && keyFile != "" {
 config.Certificates = make([]tls.Certificate, 1)
 config.Certificates[0], err = tls.LoadX509KeyPair(certFile, keyFile)
@@ -89,10 +89,10 @@ func CreateClientConfig(certFile, keyFile, caCertFile string, noverify, tls1011
 // client. If noverify is true, the server will not verify the client's certificate. If
 // tls1011 is true, the server will accept TLS 1.0 or 1.1. Otherwise, it will require TLS 1.2
 // or higher.
-func CreateServerConfig(certFile, keyFile, caCertFile string, noverify, tls1011 bool) (*tls.Config, error) {
+func CreateServerConfig(certFile, keyFile, caCertFile string, noverify bool) (*tls.Config, error) {
 var err error
- config := createBaseTLSConfig(false, tls1011)
+ config := createBaseTLSConfig(false)
 config.Certificates = make([]tls.Certificate, 1)
 config.Certificates[0], err = tls.LoadX509KeyPair(certFile, keyFile)
 if err != nil {
@@ -115,15 +115,10 @@ func CreateServerConfig(certFile, keyFile, caCertFile string, noverify, tls1011
 return config, nil
 }
-func createBaseTLSConfig(noverify, tls1011 bool) *tls.Config {
- var minTLS = uint16(tls.VersionTLS12)
- if tls1011 {
- minTLS = tls.VersionTLS10
- }
-
+func createBaseTLSConfig(noverify bool) *tls.Config {
 return &tls.Config{
 InsecureSkipVerify: noverify,
 NextProtos: []string{"h2", "http/1.1"},
- MinVersion: minTLS,
+ MinVersion: uint16(tls.VersionTLS12),
 }
 }
diff --git a/rtls/config_test.go b/rtls/config_test.go
index 5fa66305..13d314be 100644
--- a/rtls/config_test.go
+++ b/rtls/config_test.go
@@ -26,7 +26,7 @@ func Test_CreateConfig(t *testing.T) {
 caCertFile := mustWriteTempFile(t, caCertPEM)
 // create a config with no server or client verification
- config, err := CreateConfig(certFile, keyFile, caCertFile, true, false, false)
+ config, err := CreateConfig(certFile, keyFile, caCertFile, true, false)
 if err != nil {
 t.Fatalf("failed to create config: %v", err)
 }
@@ -69,7 +69,7 @@ func Test_CreateConfig(t *testing.T) {
 }
 // create a config with server cert verification only
- config, err = CreateConfig(certFile, keyFile, caCertFile, false, false, false)
+ config, err = CreateConfig(certFile, keyFile, caCertFile, false, false)
 if err != nil {
 t.Fatalf("failed to create config: %v", err)
 }
@@ -81,7 +81,7 @@ func Test_CreateConfig(t *testing.T) {
 }
 // create a config with both server and client verification
- config, err = CreateConfig(certFile, keyFile, "", false, true, false)
+ config, err = CreateConfig(certFile, keyFile, "", false, true)
 if err != nil {
 t.Fatalf("failed to create config: %v", err)
 }
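Review bot: `MinVersion: uint16(tls.VersionTLS12)` keeps a conversion that was only needed while `minTLS` was a typed `var` that could later be assigned `tls.VersionTLS10`; `tls.VersionTLS12` is an untyped constant and assigns directly to the `uint16` field, so `MinVersion: tls.VersionTLS12,` is the idiomatic form now that the branch is gone. Because this helper has become the single place the project's TLS floor is set, it deserves a doc comment, e.g. `// createBaseTLSConfig returns the baseline config shared by all constructors: TLS 1.2 minimum, h2/http1.1 ALPN, and server-certificate verification skipped only when noverify is true.`, so the next person looking for the minimum version finds it here rather than in the exported wrappers.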
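Review bot: With the tls1011 parameter gone, nothing in `Test_CreateConfig` asserts that the returned config enforces the new fixed floor; the commit only trims the call arguments, so a later edit that lowers `MinVersion` in `createBaseTLSConfig` would pass the suite unnoticed. After the first successful call in this hunk add `if config.MinVersion != tls.VersionTLS12 { t.Fatalf("MinVersion = %d, want TLS 1.2", config.MinVersion) }`, and put the same check in `Test_CreateServerConfig` and `Test_CreateClientConfig` in the following hunks. This assumes the test file already imports `crypto/tls`, which is not visible here.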
@@ -103,7 +103,7 @@ func Test_CreateServerConfig(t *testing.T) {
 keyFile := mustWriteTempFile(t, keyPEM)
 // create a server config with no client verification
- config, err := CreateServerConfig(certFile, keyFile, "", true, false)
+ config, err := CreateServerConfig(certFile, keyFile, "", true)
 if err != nil {
 t.Fatalf("failed to create server config: %v", err)
 }
@@ -130,7 +130,7 @@ func Test_CreateServerConfig(t *testing.T) {
 }
 // create a server config with client verification
- config, err = CreateServerConfig(certFile, keyFile, "", false, false)
+ config, err = CreateServerConfig(certFile, keyFile, "", false)
 if err != nil {
 t.Fatalf("failed to create server config: %v", err)
 }
@@ -149,7 +149,7 @@ func Test_CreateClientConfig(t *testing.T) {
 keyFile := mustWriteTempFile(t, keyPEM)
 // create a client config with no server verification
- config, err := CreateClientConfig(certFile, keyFile, "", true, false)
+ config, err := CreateClientConfig(certFile, keyFile, "", true)
 if err != nil {
 t.Fatalf("failed to create client config: %v", err)
 }
@@ -176,7 +176,7 @@ func Test_CreateClientConfig(t *testing.T) {
 }
 // create a client config with server verification
- config, err = CreateClientConfig(certFile, keyFile, "", false, false)
+ config, err = CreateClientConfig(certFile, keyFile, "", false)
 if err != nil {
 t.Fatalf("failed to create client config: %v", err)
 }
diff --git a/system_test/cluster_test.go b/system_test/cluster_test.go
index 55a7157c..b76df298 100644
--- a/system_test/cluster_test.go
+++ b/system_test/cluster_test.go
@@ -504,7 +504,7 @@ func Test_MultiNodeClusterBootstrapLaterJoinHTTPS(t *testing.T) {
 node3.Store.BootstrapExpect = 3
 defer node3.Deprovision()
- tlsConfig, err := rtls.CreateClientConfig("", "", "", true, false)
+ tlsConfig, err := rtls.CreateClientConfig("", "", "", true)
 if err != nil {
 t.Fatalf("failed to create TLS config: %s", err)
 }
diff --git a/system_test/request_forwarding_test.go b/system_test/request_forwarding_test.go
index 3b133390..4a5fb301 100644
--- a/system_test/request_forwarding_test.go
+++ b/system_test/request_forwarding_test.go
@@ -381,7 +381,7 @@ func mustNewDialer(header byte, remoteEncrypted, skipVerify bool) *tcp.Dialer {
 var tlsConfig *tls.Config
 var err error
 if remoteEncrypted {
- tlsConfig, err = rtls.CreateClientConfig("", "", "", skipVerify, false)
+ tlsConfig, err = rtls.CreateClientConfig("", "", "", skipVerify)
 if err != nil {
 panic(fmt.Sprintf("failed to create client TLS config: %s", err))
 }
diff --git a/tcp/dialer_test.go b/tcp/dialer_test.go
index bea9325a..8e6d1841 100644
--- a/tcp/dialer_test.go
+++ b/tcp/dialer_test.go
@@ -57,7 +57,7 @@ func Test_DialerHeaderTLS(t *testing.T) {
 defer os.Remove(key)
 go s.Start(t)
- tlsConfig, err := rtls.CreateClientConfig("", "", "", true, false)
+ tlsConfig, err := rtls.CreateClientConfig("", "", "", true)
 if err != nil {
 t.Fatalf("failed to create TLS config: %s", err.Error())
 }
@@ -154,7 +154,7 @@ func mustNewEchoServerTLS() (*echoServer, string, string) {
 cert := x509.CertFile("")
 key := x509.KeyFile("")
- tlsConfig, err := rtls.CreateServerConfig(cert, key, "", true, false)
+ tlsConfig, err := rtls.CreateServerConfig(cert, key, "", true)
 if err != nil {
 panic("failed to create TLS config")
 }
diff --git a/tcp/mux.go b/tcp/mux.go
index 1887e326..2c782935 100644
--- a/tcp/mux.go
+++ b/tcp/mux.go
@@ -103,7 +103,7 @@ func NewTLSMux(ln net.Listener, adv net.Addr, cert, key, caCert string, insecure
 return nil, err
 }
- mux.tlsConfig, err = rtls.CreateConfig(cert, key, caCert, insecure, mutual, false)
+ mux.tlsConfig, err = rtls.CreateConfig(cert, key, caCert, insecure, mutual)
 if err != nil {
 return nil, fmt.Errorf("cannot create TLS config: %s", err)
 }