Move to a single cert-key pair for nodes

2 years ago · ba39227c93
parent 50d70b547e
commit ba39227c93
8 changed files with 60 additions and 41 deletions
--- a/cluster/service_mux_test.go
+++ b/cluster/service_mux_test.go
@ -106,7 +106,7 @@ func mustNewTLSMux() (net.Listener, *tcp.Mux) {
 	key := x509.KeyFile("")
 	defer os.Remove(key)

-	mux, err := tcp.NewTLSMux(ln, nil, cert, key, "", "", "", true)
+	mux, err := tcp.NewTLSMux(ln, nil, cert, key, "", true)
 	if err != nil {
 		panic(fmt.Sprintf("failed to create TLS mux: %s", err))
 	}
--- a/cmd/rqlited/flags.go
+++ b/cmd/rqlited/flags.go
@ -382,7 +382,7 @@ func ParseFlags(name, desc string, build *BuildInfo) (*Config, error) {
 	flag.StringVar(&config.X509CertClient, "http-cert-client", "", "Path to client X.509 certificate for this node when joining a cluster")
 	flag.StringVar(&config.X509KeyClient, "http-key-client", "", "Path to client X.509 private key for this node when joining a cluster")
 	flag.BoolVar(&config.NoHTTPVerify, "http-no-verify", false, "Skip verification of remote HTTPS cert when joining cluster, or receiving client certificates")
-	flag.BoolVar(&config.NodeEncrypt, "node-encrypt", false, "Enable node-to-node encryption")
+	flag.BoolVar(&config.NodeEncrypt, "node-encrypt", false, "Ignored, controlled node-to-node encryption via node cert and key")
 	flag.StringVar(&config.NodeX509CACert, "node-ca-cert", "", "Path to X.509 CA certificate for node-to-node encryption")
 	flag.StringVar(&config.NodeX509Cert, "node-cert", "cert.pem", "Path to server X.509 certificate for internode communication")
 	flag.StringVar(&config.NodeX509Key, "node-key", "key.pem", "Path to server X.509 private key for internode communication")
--- a/cmd/rqlited/main.go
+++ b/cmd/rqlited/main.go
@ -111,7 +111,7 @@ func main() {
 	// systems can see that it's running. We still have to open the Store though, so the node won't
 	// be able to do much until that happens however.
 	var dialerTLSConfig *tls.Config
-	if cfg.NodeEncrypt {
+	if cfg.NodeX509CertClient != "" {
 		dialerTLSConfig, err = rtls.CreateClientConfig(cfg.NodeX509CertClient, cfg.NodeX509KeyClient,
 			cfg.NodeX509CACert, cfg.NoNodeVerify, cfg.TLS1011)
 		if err != nil {
@ -304,10 +304,10 @@ func startNodeMux(cfg *Config, ln net.Listener) (*tcp.Mux, error) {
 	}

 	var mux *tcp.Mux
-	if cfg.NodeEncrypt {
+	if cfg.NodeX509Cert != "" {
 		log.Printf("enabling node-to-node encryption with cert: %s, key: %s", cfg.NodeX509Cert, cfg.NodeX509Key)
 		mux, err = tcp.NewTLSMux(ln, adv, cfg.NodeX509Cert, cfg.NodeX509Key,
-			cfg.NodeX509CertClient, cfg.NodeX509KeyClient, cfg.NodeX509CACert, cfg.NoNodeVerify)
+			cfg.NodeX509CertClient, cfg.NoNodeVerify)
 	} else {
 		mux, err = tcp.NewMux(ln, adv)
 	}
--- a/rtls/config.go
+++ b/rtls/config.go
@ -9,6 +9,41 @@ import (
 	"io/ioutil"
 )

+// CreateClientConfig creates a TLS configuration for use by a system that does both
+// client and server authentication using the same cert, key, and CA cert.
+func CreateConfig(certFile, keyFile, caCertFile string, noverify, tls1011 bool) (*tls.Config, error) {
+	var err error
+	config := createBaseTLSConfig(noverify, tls1011)
+
+	// load the certificate and key
+	if certFile != "" && keyFile != "" {
+		config.Certificates = make([]tls.Certificate, 1)
+		config.Certificates[0], err = tls.LoadX509KeyPair(certFile, keyFile)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	// load the CA certificate file, if provided, as the root CA and client CA
+	if caCertFile != "" {
+		asn1Data, err := ioutil.ReadFile(caCertFile)
+		if err != nil {
+			return nil, err
+		}
+		config.RootCAs = x509.NewCertPool()
+		ok := config.RootCAs.AppendCertsFromPEM(asn1Data)
+		if !ok {
+			return nil, fmt.Errorf("failed to load CA certificate(s) for server verification in %q", caCertFile)
+		}
+		config.ClientCAs = x509.NewCertPool()
+		ok = config.ClientCAs.AppendCertsFromPEM(asn1Data)
+		if !ok {
+			return nil, fmt.Errorf("failed to load CA certificate(s) for client verification in %q", caCertFile)
+		}
+	}
+	return config, nil
+}
+
 // CreateClientConfig creates a new tls.Config for use by a client. The certFile and keyFile
 // parameters are the paths to the client's certificate and key files, which will be used to
 // authenticate the client to the server. The caCertFile parameter is the path to the CA
--- a/system_test/helpers.go
+++ b/system_test/helpers.go
@ -694,7 +694,7 @@ func mustNewOpenTLSMux(certFile, keyPath, addr string) *tcp.Mux {
 	}

 	var mux *tcp.Mux
-	mux, err = tcp.NewTLSMux(ln, nil, certFile, keyPath, "", "", "", true)
+	mux, err = tcp.NewTLSMux(ln, nil, certFile, keyPath, "", true)
 	if err != nil {
 		panic(fmt.Sprintf("failed to create node-to-node mux: %s", err.Error()))
 	}
--- a/tcp/dialer.go
+++ b/tcp/dialer.go
@ -25,14 +25,15 @@ type Dialer struct {
 func (d *Dialer) Dial(addr string, timeout time.Duration) (conn net.Conn, retErr error) {
 	dialer := &net.Dialer{Timeout: timeout}

-	if d.tlsConfig != nil {
-		conn, retErr = tls.DialWithDialer(dialer, "tcp", addr, d.tlsConfig)
-	} else {
+	if d.tlsConfig == nil {
 		conn, retErr = dialer.Dial("tcp", addr)
+	} else {
+		conn, retErr = tls.DialWithDialer(dialer, "tcp", addr, d.tlsConfig)
 	}
 	if retErr != nil {
 		return nil, retErr
 	}
+
 	defer func() {
 		if retErr != nil {
 			conn.Close()
--- a/tcp/mux.go
+++ b/tcp/mux.go
@ -9,7 +9,6 @@ import (
 	"log"
 	"net"
 	"os"
-	"strconv"
 	"sync"
 	"time"

@ -39,13 +38,9 @@ func init() {
 // make connections to other nodes (client), and receive connections from other
 // nodes (server)
 type Layer struct {
-	ln   net.Listener
-	addr net.Addr
-
+	ln     net.Listener
+	addr   net.Addr
 	dialer *Dialer
-
-	tlsServerConfig *tls.Config
-	tlsClientConfig *tls.Config
 }

 // Dial creates a new network connection.
@ -72,16 +67,13 @@ type Mux struct {

 	wg sync.WaitGroup

-	remoteEncrypted bool
-
 	// The amount of time to wait for the first header byte.
 	Timeout time.Duration

 	// Out-of-band error logger
 	Logger *log.Logger

-	serverTLSConfig *tls.Config
-	clientTLSConfig *tls.Config
+	tlsConfig *tls.Config
 }

 // NewMux returns a new instance of Mux for ln. If adv is nil,
@ -103,24 +95,18 @@ func NewMux(ln net.Listener, adv net.Addr) (*Mux, error) {

 // NewTLSMux returns a new instance of Mux for ln, and encrypts all traffic
 // using TLS. If adv is nil, then the addr of ln is used.
-func NewTLSMux(ln net.Listener, adv net.Addr, cert, key, clientCert, clientKey, caCert string, insecure bool) (*Mux, error) {
+func NewTLSMux(ln net.Listener, adv net.Addr, cert, key, caCert string, insecure bool) (*Mux, error) {
 	mux, err := NewMux(ln, adv)
 	if err != nil {
 		return nil, err
 	}

-	mux.serverTLSConfig, err = rtls.CreateServerConfig(cert, key, caCert, insecure, false)
-	if err != nil {
-		return nil, fmt.Errorf("cannot create Server TLS config: %s", err)
-	}
-
-	mux.clientTLSConfig, err = rtls.CreateClientConfig(clientCert, clientKey, caCert, insecure, false)
+	mux.tlsConfig, err = rtls.CreateConfig(cert, key, caCert, insecure, false)
 	if err != nil {
-		return nil, fmt.Errorf("cannot create Client TLS config: %s", err)
+		return nil, fmt.Errorf("cannot create TLS config: %s", err)
 	}

-	mux.ln = tls.NewListener(ln, mux.serverTLSConfig)
-	mux.remoteEncrypted = true
+	mux.ln = tls.NewListener(ln, mux.tlsConfig)

 	return mux, nil
 }
@ -128,7 +114,7 @@ func NewTLSMux(ln net.Listener, adv net.Addr, cert, key, clientCert, clientKey,
 // Serve handles connections from ln and multiplexes then across registered listener.
 func (mux *Mux) Serve() error {
 	tlsStr := ""
-	if mux.serverTLSConfig != nil {
+	if mux.tlsConfig != nil {
 		tlsStr = "TLS "
 	}
 	mux.Logger.Printf("%smux serving on %s, advertising %s", tlsStr, mux.ln.Addr().String(), mux.addr)
@ -161,9 +147,8 @@ func (mux *Mux) Serve() error {
 // Stats returns status of the mux.
 func (mux *Mux) Stats() (interface{}, error) {
 	s := map[string]string{
-		"addr":      mux.addr.String(),
-		"timeout":   mux.Timeout.String(),
-		"encrypted": strconv.FormatBool(mux.remoteEncrypted),
+		"addr":    mux.addr.String(),
+		"timeout": mux.Timeout.String(),
 	}

 	return s, nil
@ -224,12 +209,10 @@ func (mux *Mux) Listen(header byte) *Layer {
 	mux.m[header] = ln

 	layer := &Layer{
-		ln:              ln,
-		addr:            mux.addr,
-		tlsServerConfig: mux.serverTLSConfig,
-		tlsClientConfig: mux.clientTLSConfig,
+		ln:   ln,
+		addr: mux.addr,
 	}
-	layer.dialer = NewDialer(header, mux.clientTLSConfig)
+	layer.dialer = NewDialer(header, mux.tlsConfig)

 	return layer
 }
--- a/tcp/mux_test.go
+++ b/tcp/mux_test.go
@ -177,7 +177,7 @@ func TestTLSMux(t *testing.T) {
 	key := x509.KeyFile("")
 	defer os.Remove(key)

-	mux, err := NewTLSMux(tcpListener, nil, cert, key, "", "", "", true)
+	mux, err := NewTLSMux(tcpListener, nil, cert, key, "", true)
 	if err != nil {
 		t.Fatalf("failed to create mux: %s", err.Error())
 	}
@ -200,7 +200,7 @@ func TestTLSMux(t *testing.T) {
 func TestTLSMux_Fail(t *testing.T) {
 	tcpListener := mustTCPListener("127.0.0.1:0")
 	defer tcpListener.Close()
-	_, err := NewTLSMux(tcpListener, nil, "xxxx", "yyyy", "", "", "", true)
+	_, err := NewTLSMux(tcpListener, nil, "xxxx", "yyyy", "", true)
 	if err == nil {
 		t.Fatalf("created mux unexpectedly with bad resources")
 	}