From f41fb5de9e6390ed089ab8a1f10ffa66975ac17d Mon Sep 17 00:00:00 2001 From: Philip O'Toole Date: Thu, 21 Dec 2023 07:57:42 -0500 Subject: [PATCH] Node client comms only --- cluster/service_mux_test.go | 2 +- cmd/rqlite/main.go | 5 ++--- cmd/rqlited/flags.go | 11 +++++------ 3 files changed, 8 insertions(+), 10 deletions(-) diff --git a/cluster/service_mux_test.go b/cluster/service_mux_test.go index 40173e6f..72c71d47 100644 --- a/cluster/service_mux_test.go +++ b/cluster/service_mux_test.go @@ -118,7 +118,7 @@ func mustNewDialer(header byte, remoteEncrypted, skipVerify bool) *tcp.Dialer { var tlsConfig *tls.Config var err error if remoteEncrypted { - tlsConfig, err = rtls.CreateClientConfig("", "", "", "", skipVerify) + tlsConfig, err = rtls.CreateClientConfig("", "", rtls.NoCACert, rtls.NoServerName, skipVerify) if err != nil { panic(fmt.Sprintf("failed to create client TLS config: %s", err)) } diff --git a/cmd/rqlite/main.go b/cmd/rqlite/main.go index ab52b232..fd259b94 100644 --- a/cmd/rqlite/main.go +++ b/cmd/rqlite/main.go @@ -42,7 +42,6 @@ type argT struct { Prefix string `cli:"P,prefix" usage:"rqlited HTTP URL prefix" dft:"/"` Insecure bool `cli:"i,insecure" usage:"do not verify rqlited HTTPS certificate" dft:"false"` CACert string `cli:"c,ca-cert" usage:"path to trusted X.509 root CA certificate"` - ServerName string `cli:"n,verify-name" usage:"used to verify the hostname on the returned certificates"` ClientCert string `cli:"d,client-cert" usage:"path to client X.509 certificate for mTLS"` ClientKey string `cli:"k,client-key" usage:"path to client X.509 key for mTLS"` Credentials string `cli:"u,user" usage:"set basic auth credentials in form username:password"` 
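Review bot: Removing the `n,verify-name` field from argT drops a user-visible CLI flag with no deprecation path, so existing scripts that pass `rqlite -n <name>` will presumably fail at argument parsing rather than get a warning. Hostname verification itself is likely not weakened, since with `rtls.NoServerName` the HTTP transport should fall back to the request URL's host, but the case that flag covered, reaching a node by IP or an alias whose certificate carries only a DNS SAN, can now only be handled with `-i`, which disables verification entirely. If the removal is intentional (the subject line suggests server-name pinning is meant for node-to-node comms only), a CHANGELOG entry and a mention in the `i,insecure` usage text that it is now the only escape hatch would help; otherwise keep `ServerName` as a deprecated no-op for one release.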
@@ -394,7 +393,7 @@ func getNodes(client *http.Client, argv *argT) (Nodes, error) { } func getHTTPClient(argv *argT) (*http.Client, error) { - tlsConfig, err := rtls.CreateClientConfig(argv.ClientCert, argv.ClientKey, argv.CACert, argv.ServerName, argv.Insecure) + tlsConfig, err := rtls.CreateClientConfig(argv.ClientCert, argv.ClientKey, argv.CACert, rtls.NoServerName, argv.Insecure) if err != nil { return nil, err } @@ -450,7 +449,7 @@ func getVersionWithClient(client *http.Client, argv *argT) (string, error) { func sendRequest(ctx *cli.Context, makeNewRequest func(string) (*http.Request, error), urlStr string, argv *argT) (*[]byte, error) { url := urlStr - tlsConfig, err := rtls.CreateClientConfig(argv.ClientCert, argv.ClientKey, argv.CACert, argv.ServerName, argv.Insecure) + tlsConfig, err := rtls.CreateClientConfig(argv.ClientCert, argv.ClientKey, argv.CACert, rtls.NoServerName, argv.Insecure) if err != nil { return nil, err } diff --git a/cmd/rqlited/flags.go b/cmd/rqlited/flags.go index c17fc77a..1226f1bb 100644 --- a/cmd/rqlited/flags.go +++ b/cmd/rqlited/flags.go @@ -88,13 +88,12 @@ type Config struct { // NoNodeVerify disables checking other nodes' Node X509 certs for validity. NoNodeVerify bool - // NodeVerifyClient indicates whether a node should verify client certificates from - // other nodes. + // NodeVerifyClient enable mutual TLS for node-to-node communication. NodeVerifyClient bool - // NodeVerifyClientName used to verify the hostname on the returned - // certificates unless NoNodeVerify is set - NodeVerifyClientName string + // NodeVerifyServerName is the hostname to verify on the certificates returned by nodes. + // If NoNodeVerify is true this field is ignored. + NodeVerifyServerName string // NodeID is the Raft ID for the node. NodeID string 
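Review bot: The exported Config field is renamed from `NodeVerifyClientName` to `NodeVerifyServerName`, but the diffstat lists only this file, the CLI and a test, with no change to the code that builds the node-to-node client TLS config; if cmd/rqlited/main.go still reads the old field name the build breaks, and if nothing reads either name the flag is parsed but never reaches rtls.CreateClientConfig, so the consumer of this field is worth confirming. The new doc comment also has a grammar slip; suggest `// NodeVerifyClient enables mutual TLS for node-to-node communication.` The Config struct begins before this hunk.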
@@ -440,7 +439,7 @@ func ParseFlags(name, desc string, build *BuildInfo) (*Config, error) { flag.StringVar(&config.NodeX509Key, NodeX509KeyFlag, "", "Path to X.509 private key for node-to-node mutual authentication and encryption") flag.BoolVar(&config.NoNodeVerify, "node-no-verify", false, "Skip verification of any node-node certificate") flag.BoolVar(&config.NodeVerifyClient, "node-verify-client", false, "Enable mutual TLS for node-to-node communication") - flag.StringVar(&config.NodeVerifyClientName, "node-verify-server-name", "", "Name used to verify the hostname on the returned certificates") + flag.StringVar(&config.NodeVerifyServerName, "node-verify-server-name", "", "Hostname to verify on certificate returned by a node") flag.StringVar(&config.AuthFile, "auth", "", "Path to authentication and authorization file. If not set, not enabled") flag.StringVar(&config.AutoBackupFile, "auto-backup", "", "Path to automatic backup configuration file. If not set, not enabled") flag.StringVar(&config.AutoRestoreFile, "auto-restore", "", "Path to automatic restore configuration file. If not set, not enabled")
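Review bot: The usage string for `node-verify-server-name` omits the interaction the Config comment documents, that the value is ignored when `node-no-verify` is set, and the flag help is what operators actually see at the command line; suggest `"Hostname to verify on certificate returned by a node (ignored if -node-no-verify is set)"`. ParseFlags starts before and continues after this hunk.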