etcdserver: cherry-pick skip client san verification option for 3.3 v…
…ersion.

Co-authored-by: Martin Weindel <[email protected]>
Co-authored-by: Jingyi Hu <[email protected]>
Co-authored-by: Liming Liu <[email protected]>
3 people committed Oct 3, 2019
1 parent 943832a commit 86b1686
Showing 2 changed files with 6 additions and 0 deletions.
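--- a/etcdmain/config.go
+++ b/etcdmain/config.go
@@ -189,6 +189,7 @@ func newConfig() *config {
 fs.BoolVar(&cfg.ec.PeerAutoTLS, "peer-auto-tls", false, "Peer TLS using generated certificates")
 fs.StringVar(&cfg.ec.PeerTLSInfo.CRLFile, "peer-crl-file", "", "Path to the peer certificate revocation list file.")
 fs.StringVar(&cfg.ec.PeerTLSInfo.AllowedCN, "peer-cert-allowed-cn", "", "Allowed CN for inter peer authentication.")
+fs.BoolVar(&cfg.ec.PeerTLSInfo.SkipClientSANVerify, "experimental-peer-skip-client-san-verification", false, "Skip verification of SAN field in client certificate for peer connections.")
 
 fs.Var(flags.NewStringsValueV2(""), "cipher-suites", "Comma-separated list of supported TLS cipher suites between client/server and peers (empty will be auto-populated by Go).")
 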
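Review bot: The help text for `experimental-peer-skip-client-san-verification` says what is skipped but not what the operator gives up. If `checkSAN` is what ties a peer's client certificate to the host it connects from, enabling the flag leaves the trusted CA, plus `peer-cert-allowed-cn` when set, as the only constraint on which certificates are accepted. I would say so in the usage string, e.g. `"Skip verification of SAN field in client certificate for peer connections. Peer identity then rests on the trusted CA and --peer-cert-allowed-cn."`. That wording assumes chain validation and the allowed-CN check still run on the skip path, which this hunk does not show and should be confirmed. newConfig's body starts and ends outside the hunk.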
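--- a/pkg/transport/listener.go
+++ b/pkg/transport/listener.go
@@ -53,6 +53,9 @@ func wrapTLS(addr, scheme string, tlsinfo *TLSInfo, l net.Listener) (net.Listene
 if scheme != "https" && scheme != "unixs" {
 return l, nil
 }
+if tlsinfo != nil && tlsinfo.SkipClientSANVerify {
+return NewTLSListener(l, tlsinfo)
+}
 return newTLSListener(l, tlsinfo, checkSAN)
 }
 
@@ -65,6 +68,8 @@ type TLSInfo struct {
 CRLFile string
 InsecureSkipVerify bool
 
+SkipClientSANVerify bool
+
 // ServerName ensures the cert matches the given host in case of discovery / virtual hosting
 ServerName string
 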
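Review bot: `SkipClientSANVerify` is added to `TLSInfo` without a doc comment, yet in `wrapTLS` it replaces `newTLSListener(l, tlsinfo, checkSAN)` with `NewTLSListener(l, tlsinfo)` and so removes the `checkSAN` step for any listener built from that `TLSInfo`, not only peer listeners. I would document it in the style of the `ServerName` field, e.g. `// SkipClientSANVerify disables the checkSAN step on accepted connections; set it only when client identity is constrained another way, such as AllowedCN.` `NewTLSListener` is not shown here, so it is worth confirming that the `CRLFile` and `AllowedCN` checks still apply on the skip path. The switch is also silent; a startup warning when the field is set would make the weakened configuration visible in logs. Both `wrapTLS` and the `TLSInfo` struct extend outside the hunks.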
