From 673fd8cade4a9d38ed29a4606345a8729ff7d37a Mon Sep 17 00:00:00 2001
From: Philip O'Toole
Date: Mon, 6 Mar 2023 18:12:06 -0500
Subject: [PATCH] More use of central TLS config

---
 cluster/service_mux_test.go | 3 +--
 cmd/rqlited/main.go | 3 +--
 system_test/helpers.go | 3 +--
 tcp/mux.go | 7 ++++---
 4 files changed, 7 insertions(+), 9 deletions(-)

diff --git a/cluster/service_mux_test.go b/cluster/service_mux_test.go
index e2c0f4c7..c835bee8 100644
--- a/cluster/service_mux_test.go
+++ b/cluster/service_mux_test.go
@@ -104,11 +104,10 @@ func mustNewTLSMux() (net.Listener, *tcp.Mux) {
 	key := x509.KeyFile("")
 	defer os.Remove(key)
 
-	mux, err := tcp.NewTLSMux(ln, nil, cert, key, "")
+	mux, err := tcp.NewTLSMux(ln, nil, cert, key, "", true)
 	if err != nil {
 		panic(fmt.Sprintf("failed to create TLS mux: %s", err))
 	}
-	mux.InsecureSkipVerify = true
 
 	return ln, mux
 }
diff --git a/cmd/rqlited/main.go b/cmd/rqlited/main.go
index 41cc3277..027928df 100644
--- a/cmd/rqlited/main.go
+++ b/cmd/rqlited/main.go
@@ -293,14 +293,13 @@ func startNodeMux(cfg *Config, ln net.Listener) (*tcp.Mux, error) {
 	var mux *tcp.Mux
 	if cfg.NodeEncrypt {
 		log.Printf("enabling node-to-node encryption with cert: %s, key: %s", cfg.NodeX509Cert, cfg.NodeX509Key)
-		mux, err = tcp.NewTLSMux(ln, adv, cfg.NodeX509Cert, cfg.NodeX509Key, cfg.NodeX509CACert)
+		mux, err = tcp.NewTLSMux(ln, adv, cfg.NodeX509Cert, cfg.NodeX509Key, cfg.NodeX509CACert, cfg.NoNodeVerify)
 	} else {
 		mux, err = tcp.NewMux(ln, adv)
 	}
 	if err != nil {
 		return nil, fmt.Errorf("failed to create node-to-node mux: %s", err.Error())
 	}
-	mux.InsecureSkipVerify = cfg.NoNodeVerify
 
 	go mux.Serve()
 	return mux, nil
diff --git a/system_test/helpers.go b/system_test/helpers.go
index 3b104418..848c45e6 100644
--- a/system_test/helpers.go
+++ b/system_test/helpers.go
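Review bot: The startup log line directly above the changed `tcp.NewTLSMux` call in startNodeMux still reports only the cert and key, so when `cfg.NoNodeVerify` is true nothing in the log records that peer certificate verification is disabled, and now that the flag is consumed inside the constructor this line is the one place an operator would see it at startup. Suggest extending the message: `log.Printf("enabling node-to-node encryption with cert: %s, key: %s, skip-verify: %t", cfg.NodeX509Cert, cfg.NodeX509Key, cfg.NoNodeVerify)`. The previous removed assignment at least made the insecure setting visible at the call site; with it gone the log is the only remaining trace. startNodeMux's body (where `adv` and `err` are declared) begins before the hunk and the function closes after it.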
@@ -694,11 +694,10 @@ func mustNewOpenTLSMux(certFile, keyPath, addr string) *tcp.Mux {
 	}
 
 	var mux *tcp.Mux
-	mux, err = tcp.NewTLSMux(ln, nil, certFile, keyPath, "")
+	mux, err = tcp.NewTLSMux(ln, nil, certFile, keyPath, "", true)
 	if err != nil {
 		panic(fmt.Sprintf("failed to create node-to-node mux: %s", err.Error()))
 	}
-	mux.InsecureSkipVerify = true
 
 	go mux.Serve()
 	return mux
diff --git a/tcp/mux.go b/tcp/mux.go
index 35d5da99..38cfd958 100644
--- a/tcp/mux.go
+++ b/tcp/mux.go
@@ -91,7 +91,7 @@ type Mux struct {
 	x509Key string
 
 	// Whether to skip verification of other nodes' certificates.
-	InsecureSkipVerify bool
+	insecureSkipVerify bool
 
 	tlsConfig *tls.Config
 }
@@ -131,6 +131,7 @@ func NewTLSMux(ln net.Listener, adv net.Addr, cert, key, caCert string, insecure
 	mux.x509CACert = caCert
 	mux.x509Cert = cert
 	mux.x509Key = key
+	mux.insecureSkipVerify = insecure
 
 	return mux, nil
 }
@@ -180,7 +181,7 @@ func (mux *Mux) Stats() (interface{}, error) {
 		s["certificate"] = mux.x509Cert
 		s["key"] = mux.x509Key
 		s["ca_certificate"] = mux.x509CACert
-		s["skip_verify"] = strconv.FormatBool(mux.InsecureSkipVerify)
+		s["skip_verify"] = strconv.FormatBool(mux.insecureSkipVerify)
 	}
 
 	return s, nil
@@ -246,7 +247,7 @@ func (mux *Mux) Listen(header byte) *Layer {
 		nodeX509CACert: mux.x509CACert,
 		tlsConfig:      mux.tlsConfig,
 	}
-	layer.dialer = NewDialer(header, mux.remoteEncrypted, mux.InsecureSkipVerify)
+	layer.dialer = NewDialer(header, mux.remoteEncrypted, mux.insecureSkipVerify)
 
 	return layer
 }
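Review bot: In the NewTLSMux hunk the verification flag is now stored in `mux.insecureSkipVerify`, but the Listen hunk still hands that bool to `NewDialer` separately from `mux.tlsConfig`, so the Mux carries two representations of the same policy; if the tlsConfig is also built from `insecure` inside NewTLSMux (its body starts before the hunk, so this is not visible here), a later change to one would not be reflected in the other and the server side and dial side could silently disagree on whether peer certificates are checked. Consider having the dialer consume the `*tls.Config` directly, or at least document the invariant on the field in the `type Mux struct` hunk, e.g. `// Whether to skip verification of other nodes' certificates. Set only by NewTLSMux; must agree with tlsConfig and is copied into the dialer created by Listen.` Making the field unexported also removes `Mux.InsecureSkipVerify` from the package API, which is fine for the in-tree callers updated in this commit but is a breaking change for any external importer and could be mentioned in the commit message. Listen's body begins before its hunk.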