
Thread it through

master
Philip O'Toole 9 months ago
parent 54ec6c3d60
commit 6dc05a99df

@ -106,7 +106,7 @@ func mustNewTLSMux() (net.Listener, *tcp.Mux) {
key := x509.KeyFile("")
defer os.Remove(key)
mux, err := tcp.NewTLSMux(ln, nil, cert, key, "", true, false)
mux, err := tcp.NewTLSMux(ln, nil, cert, key, "", "", true, false)
if err != nil {
panic(fmt.Sprintf("failed to create TLS mux: %s", err))
}
@ -118,7 +118,7 @@ func mustNewDialer(header byte, remoteEncrypted, skipVerify bool) *tcp.Dialer {
var tlsConfig *tls.Config
var err error
if remoteEncrypted {
tlsConfig, err = rtls.CreateClientConfig("", "", "", skipVerify)
tlsConfig, err = rtls.CreateClientConfig("", "", "", "", skipVerify)
if err != nil {
panic(fmt.Sprintf("failed to create client TLS config: %s", err))
}

@ -42,6 +42,7 @@ type argT struct {
Prefix string `cli:"P,prefix" usage:"rqlited HTTP URL prefix" dft:"/"`
Insecure bool `cli:"i,insecure" usage:"do not verify rqlited HTTPS certificate" dft:"false"`
CACert string `cli:"c,ca-cert" usage:"path to trusted X.509 root CA certificate"`
ServerName string `cli:"n,verify-name" usage:"used to verify the hostname on the returned certificates"`
ClientCert string `cli:"d,client-cert" usage:"path to client X.509 certificate for mTLS"`
ClientKey string `cli:"k,client-key" usage:"path to client X.509 key for mTLS"`
Credentials string `cli:"u,user" usage:"set basic auth credentials in form username:password"`
@ -393,7 +394,7 @@ func getNodes(client *http.Client, argv *argT) (Nodes, error) {
}
func getHTTPClient(argv *argT) (*http.Client, error) {
tlsConfig, err := rtls.CreateClientConfig(argv.ClientCert, argv.ClientKey, argv.CACert, argv.Insecure)
tlsConfig, err := rtls.CreateClientConfig(argv.ClientCert, argv.ClientKey, argv.CACert, argv.ServerName, argv.Insecure)
if err != nil {
return nil, err
}
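Review bot: getHTTPClient and sendRequest (the next hunk) now each build the client TLS config from the same five argv fields in the same order, so the argument list is maintained in two places. A small helper on argT wrapping the call, e.g. `func (a *argT) clientTLSConfig() { return rtls.CreateClientConfig(a.ClientCert, a.ClientKey, a.CACert, a.ServerName, a.Insecure) }` with the return type of rtls.CreateClientConfig, would keep the order in one place, which matters now that caCert and serverName are adjacent string parameters and a swap compiles. Both functions continue outside their hunks.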
@ -449,7 +450,7 @@ func getVersionWithClient(client *http.Client, argv *argT) (string, error) {
func sendRequest(ctx *cli.Context, makeNewRequest func(string) (*http.Request, error), urlStr string, argv *argT) (*[]byte, error) {
url := urlStr
tlsConfig, err := rtls.CreateClientConfig(argv.ClientCert, argv.ClientKey, argv.CACert, argv.Insecure)
tlsConfig, err := rtls.CreateClientConfig(argv.ClientCert, argv.ClientKey, argv.CACert, argv.ServerName, argv.Insecure)
if err != nil {
return nil, err
}

@ -405,7 +405,7 @@ func startNodeMux(cfg *Config, ln net.Listener) (*tcp.Mux, error) {
}
log.Println(b.String())
mux, err = tcp.NewTLSMux(ln, adv, cfg.NodeX509Cert, cfg.NodeX509Key, cfg.NodeX509CACert,
cfg.NoNodeVerify, cfg.NodeVerifyClient)
cfg.NodeVerifyClientName, cfg.NoNodeVerify, cfg.NodeVerifyClient)
} else {
mux, err = tcp.NewMux(ln, adv)
}
@ -439,7 +439,7 @@ func createClusterClient(cfg *Config, clstr *cluster.Service) (*cluster.Client,
var err error
if cfg.NodeX509Cert != "" || cfg.NodeX509CACert != "" {
dialerTLSConfig, err = rtls.CreateClientConfig(cfg.NodeX509Cert, cfg.NodeX509Key,
cfg.NodeX509CACert, cfg.NoNodeVerify)
cfg.NodeVerifyClientName, cfg.NodeX509CACert, cfg.NoNodeVerify)
if err != nil {
return nil, fmt.Errorf("failed to create TLS config for cluster dialer: %s", err.Error())
}
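Review bot: The argument order in the rebuilt CreateClientConfig call does not match the other call sites in this commit: here cfg.NodeVerifyClientName is passed before cfg.NodeX509CACert, while getHTTPClient, sendRequest and the tcp tests pass the CA certificate path third and the server name fourth. Because both parameters are strings this compiles, but the cluster dialer would then use the CA file path as the expected server name and the verify-name as the CA file, so the CA either fails to load or verification is checked against the wrong value. The call should read `dialerTLSConfig, err = rtls.CreateClientConfig(cfg.NodeX509Cert, cfg.NodeX509Key,` followed by `cfg.NodeX509CACert, cfg.NodeVerifyClientName, cfg.NoNodeVerify)`. The rtls.CreateClientConfig signature is not in this diff, so the order is inferred from the sibling call sites, and createClusterClient continues outside the hunk.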

@ -101,7 +101,7 @@ func Test_IsServingHTTP_OpenPortTLS(t *testing.T) {
}
certFile := mustWriteTempFile(t, cert)
keyFile := mustWriteTempFile(t, key)
tlsConfig, err := rtls.CreateServerConfig(certFile, keyFile, "", false)
tlsConfig, err := rtls.CreateServerConfig(certFile, keyFile, "", "", false)
if err != nil {
t.Fatalf("failed to create TLS config: %s", err)
}

@ -370,7 +370,7 @@ func (s *Service) Start() error {
return err
}
} else {
s.tlsConfig, err = rtls.CreateServerConfig(s.CertFile, s.KeyFile, s.CACertFile, !s.ClientVerify)
s.tlsConfig, err = rtls.CreateServerConfig(s.CertFile, s.KeyFile, s.CACertFile, "", !s.ClientVerify)
if err != nil {
return err
}

@ -775,7 +775,7 @@ func mustNewOpenTLSMux(certFile, keyPath, addr string) *tcp.Mux {
}
var mux *tcp.Mux
mux, err = tcp.NewTLSMux(ln, nil, certFile, keyPath, "", true, false)
mux, err = tcp.NewTLSMux(ln, nil, certFile, keyPath, "", "", true, false)
if err != nil {
panic(fmt.Sprintf("failed to create node-to-node mux: %s", err.Error()))
}

@ -381,7 +381,7 @@ func mustNewDialer(header byte, remoteEncrypted, skipVerify bool) *tcp.Dialer {
var tlsConfig *tls.Config
var err error
if remoteEncrypted {
tlsConfig, err = rtls.CreateClientConfig("", "", "", skipVerify)
tlsConfig, err = rtls.CreateClientConfig("", "", "", "", skipVerify)
if err != nil {
panic(fmt.Sprintf("failed to create client TLS config: %s", err))
}

@ -57,7 +57,7 @@ func Test_DialerHeaderTLS(t *testing.T) {
defer os.Remove(key)
go s.Start(t)
tlsConfig, err := rtls.CreateClientConfig("", "", "", true)
tlsConfig, err := rtls.CreateClientConfig("", "", "", "", true)
if err != nil {
t.Fatalf("failed to create TLS config: %s", err.Error())
}
@ -154,7 +154,7 @@ func mustNewEchoServerTLS() (*echoServer, string, string) {
cert := x509.CertFile("")
key := x509.KeyFile("")
tlsConfig, err := rtls.CreateServerConfig(cert, key, "", true)
tlsConfig, err := rtls.CreateServerConfig(cert, key, "", "", true)
if err != nil {
panic("failed to create TLS config")
}

@ -97,13 +97,13 @@ func NewMux(ln net.Listener, adv net.Addr) (*Mux, error) {
// using TLS. If adv is nil, then the addr of ln is used. If insecure is true,
// then the server will not verify the client's certificate. If mutual is true,
// then the server will require the client to present a trusted certificate.
func NewTLSMux(ln net.Listener, adv net.Addr, cert, key, caCert string, insecure, mutual bool) (*Mux, error) {
func NewTLSMux(ln net.Listener, adv net.Addr, cert, key, caCert, serverName string, insecure, mutual bool) (*Mux, error) {
mux, err := NewMux(ln, adv)
if err != nil {
return nil, err
}
mux.tlsConfig, err = rtls.CreateConfig(cert, key, caCert, insecure, mutual)
mux.tlsConfig, err = rtls.CreateConfig(cert, key, caCert, serverName, insecure, mutual)
if err != nil {
return nil, fmt.Errorf("cannot create TLS config: %s", err)
}
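Review bot: The doc comment above NewTLSMux still describes only cert, key, caCert, insecure and mutual; the new serverName parameter is undocumented. Suggest adding a sentence such as `// serverName, when non-empty, is handed to rtls.CreateConfig as the expected name to check on the peer's certificate.`, with the exact semantics confirmed against rtls.CreateConfig, which is not shown here. Since caCert and serverName are now adjacent string parameters, a caller swapping them compiles, so that sentence is the only guard a reader gets. NewTLSMux's body continues past the hunk.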

@ -176,7 +176,7 @@ func TestTLSMux(t *testing.T) {
key := x509.KeyFile("")
defer os.Remove(key)
mux, err := NewTLSMux(tcpListener, nil, cert, key, "", true, false)
mux, err := NewTLSMux(tcpListener, nil, cert, key, "", "", true, false)
if err != nil {
t.Fatalf("failed to create mux: %s", err.Error())
}
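Review bot: TestTLSMux and TestTLSMux_Fail (the next hunk) both pass `""` for the new serverName argument, so the parameter is threaded through without being exercised, and a call site that swaps caCert and serverName would still pass these tests. A case that constructs the mux with a non-empty serverName and asserts the observable outcome would pin the behaviour; what serverName does on the accepting side is decided in rtls.CreateConfig, which is not in this diff, so the exact assertion depends on that.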
@ -199,7 +199,7 @@ func TestTLSMux(t *testing.T) {
func TestTLSMux_Fail(t *testing.T) {
tcpListener := mustTCPListener("127.0.0.1:0")
defer tcpListener.Close()
_, err := NewTLSMux(tcpListener, nil, "xxxx", "yyyy", "", true, false)
_, err := NewTLSMux(tcpListener, nil, "xxxx", "yyyy", "", "", true, false)
if err == nil {
t.Fatalf("created mux unexpectedly with bad resources")
}
