
Node client comms only

master
Philip O'Toole 9 months ago
parent 3cf4d46f39
commit f41fb5de9e

@ -118,7 +118,7 @@ func mustNewDialer(header byte, remoteEncrypted, skipVerify bool) *tcp.Dialer {
var tlsConfig *tls.Config
var err error
if remoteEncrypted {
tlsConfig, err = rtls.CreateClientConfig("", "", "", "", skipVerify)
tlsConfig, err = rtls.CreateClientConfig("", "", rtls.NoCACert, rtls.NoServerName, skipVerify)
if err != nil {
panic(fmt.Sprintf("failed to create client TLS config: %s", err))
}
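Review bot: The dialer hard-codes `rtls.NoServerName`, so the hostname checked on the remote node's certificate cannot be configured here even though the same commit adds a NodeVerifyServerName setting to Config; if mustNewDialer is on the node-to-node path rather than a test helper, the new setting has no way to reach it, and if it is a test helper a comment should say so. Presumably CreateClientConfig with NoServerName falls back to the dialed address, which is only as strong as the address the caller passes. Once that is confirmed against rtls.CreateClientConfig, a one-line comment such as `// NoServerName: the remote certificate is checked against the dialed address (or not at all when skipVerify is set)` would make the intent explicit. mustNewDialer's body continues beyond the hunk.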

@ -42,7 +42,6 @@ type argT struct {
Prefix string `cli:"P,prefix" usage:"rqlited HTTP URL prefix" dft:"/"`
Insecure bool `cli:"i,insecure" usage:"do not verify rqlited HTTPS certificate" dft:"false"`
CACert string `cli:"c,ca-cert" usage:"path to trusted X.509 root CA certificate"`
ServerName string `cli:"n,verify-name" usage:"used to verify the hostname on the returned certificates"`
ClientCert string `cli:"d,client-cert" usage:"path to client X.509 certificate for mTLS"`
ClientKey string `cli:"k,client-key" usage:"path to client X.509 key for mTLS"`
Credentials string `cli:"u,user" usage:"set basic auth credentials in form username:password"`
@ -394,7 +393,7 @@ func getNodes(client *http.Client, argv *argT) (Nodes, error) {
}
func getHTTPClient(argv *argT) (*http.Client, error) {
tlsConfig, err := rtls.CreateClientConfig(argv.ClientCert, argv.ClientKey, argv.CACert, argv.ServerName, argv.Insecure)
tlsConfig, err := rtls.CreateClientConfig(argv.ClientCert, argv.ClientKey, argv.CACert, rtls.NoServerName, argv.Insecure)
if err != nil {
return nil, err
}
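Review bot: Replacing `argv.ServerName` with `rtls.NoServerName` here and in the sendRequest hunk below removes the CLI user's only way to name the host expected on the server certificate; a user reaching rqlited by IP address or through a tunnel whose certificate is issued for a DNS name will presumably now fail verification, and the only remaining escape is `-i/--insecure`, which also disables chain validation, so the dropped `verify-name` option is worth recording in the release notes. If CreateClientConfig falls back to the URL host, a comment here, `// NoServerName: the certificate is checked against the host in the request URL`, would document the new behaviour. Visible in both hunks, though not introduced by this commit: sendRequest builds its own TLS config instead of reusing the client from getHTTPClient, so any later change to verification has to be made twice. Both functions continue outside their hunks.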
@ -450,7 +449,7 @@ func getVersionWithClient(client *http.Client, argv *argT) (string, error) {
func sendRequest(ctx *cli.Context, makeNewRequest func(string) (*http.Request, error), urlStr string, argv *argT) (*[]byte, error) {
url := urlStr
tlsConfig, err := rtls.CreateClientConfig(argv.ClientCert, argv.ClientKey, argv.CACert, argv.ServerName, argv.Insecure)
tlsConfig, err := rtls.CreateClientConfig(argv.ClientCert, argv.ClientKey, argv.CACert, rtls.NoServerName, argv.Insecure)
if err != nil {
return nil, err
}

@ -88,13 +88,12 @@ type Config struct {
// NoNodeVerify disables checking other nodes' Node X509 certs for validity.
NoNodeVerify bool
// NodeVerifyClient indicates whether a node should verify client certificates from
// other nodes.
// NodeVerifyClient enable mutual TLS for node-to-node communication.
NodeVerifyClient bool
// NodeVerifyClientName used to verify the hostname on the returned
// certificates unless NoNodeVerify is set
NodeVerifyClientName string
// NodeVerifyServerName is the hostname to verify on the certificates returned by nodes.
// If NoNodeVerify is true this field is ignored.
NodeVerifyServerName string
// NodeID is the Raft ID for the node.
NodeID string
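Review bot: The new doc comment on NodeVerifyClient reads `NodeVerifyClient enable mutual TLS` and also loses the precision of the old wording, which said what the node actually verifies; suggest `// NodeVerifyClient enables mutual TLS for node-to-node communication: this node requires and verifies client certificates presented by other nodes.` The NodeVerifyServerName comment correctly documents that the field is ignored when NoNodeVerify is true, but nothing in this hunk shows that combination being rejected or warned about, so an operator can set a name and still get no hostname check. The Config struct continues outside the hunk.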
@ -440,7 +439,7 @@ func ParseFlags(name, desc string, build *BuildInfo) (*Config, error) {
flag.StringVar(&config.NodeX509Key, NodeX509KeyFlag, "", "Path to X.509 private key for node-to-node mutual authentication and encryption")
flag.BoolVar(&config.NoNodeVerify, "node-no-verify", false, "Skip verification of any node-node certificate")
flag.BoolVar(&config.NodeVerifyClient, "node-verify-client", false, "Enable mutual TLS for node-to-node communication")
flag.StringVar(&config.NodeVerifyClientName, "node-verify-server-name", "", "Name used to verify the hostname on the returned certificates")
flag.StringVar(&config.NodeVerifyServerName, "node-verify-server-name", "", "Hostname to verify on certificate returned by a node")
flag.StringVar(&config.AuthFile, "auth", "", "Path to authentication and authorization file. If not set, not enabled")
flag.StringVar(&config.AutoBackupFile, "auto-backup", "", "Path to automatic backup configuration file. If not set, not enabled")
flag.StringVar(&config.AutoRestoreFile, "auto-restore", "", "Path to automatic restore configuration file. If not set, not enabled")
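Review bot: NodeVerifyServerName is now bound to `-node-verify-server-name`, but nothing in this hunk rejects the combination of that flag with `-node-no-verify`, even though the Config comment says the name is then ignored; an operator who sets both gets no hostname verification while believing one is configured. Unless the validation section of ParseFlags (outside this hunk) already covers it, add a check there such as `if config.NoNodeVerify && config.NodeVerifyServerName != "" { return nil, errors.New("node-verify-server-name has no effect when node-no-verify is set") }`, importing errors if the file does not already. The rest of ParseFlags lies outside the hunk.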
