diff --git a/etcdmain/config.go b/etcdmain/config.go
index 99f01536500..3ccd24e3e3c 100644
--- a/etcdmain/config.go
+++ b/etcdmain/config.go
@@ -189,6 +189,7 @@ func newConfig() *config {
  fs.BoolVar(&cfg.ec.PeerAutoTLS, "peer-auto-tls", false, "Peer TLS using generated certificates")
  fs.StringVar(&cfg.ec.PeerTLSInfo.CRLFile, "peer-crl-file", "", "Path to the peer certificate revocation list file.")
  fs.StringVar(&cfg.ec.PeerTLSInfo.AllowedCN, "peer-cert-allowed-cn", "", "Allowed CN for inter peer authentication.")
+ fs.BoolVar(&cfg.ec.PeerTLSInfo.SkipClientSANVerify, "experimental-peer-skip-client-san-verification", false, "Skip verification of SAN field in client certificate for peer connections.")
  fs.Var(flags.NewStringsValueV2(""), "cipher-suites", "Comma-separated list of supported TLS cipher suites between client/server and peers (empty will be auto-populated by Go).")
diff --git a/pkg/transport/listener.go b/pkg/transport/listener.go
index 48655063f6f..7371947ef76 100644
--- a/pkg/transport/listener.go
+++ b/pkg/transport/listener.go
@@ -53,6 +53,9 @@ func wrapTLS(addr, scheme string, tlsinfo *TLSInfo, l net.Listener) (net.Listene
  if scheme != "https" && scheme != "unixs" {
  return l, nil
  }
+ if tlsinfo != nil && tlsinfo.SkipClientSANVerify {
+ return NewTLSListener(l, tlsinfo)
+ }
  return newTLSListener(l, tlsinfo, checkSAN)
  }
@@ -65,6 +68,8 @@ type TLSInfo struct {
  CRLFile string
  InsecureSkipVerify bool
+ SkipClientSANVerify bool
+
  // ServerName ensures the cert matches the given host in case of discovery / virtual hosting
  ServerName string
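Review bot: The help text for `experimental-peer-skip-client-san-verification` states the mechanism but not the consequence, so an operator reading `--help` cannot tell that the flag weakens peer authentication. Once the SAN check is skipped (see the wrapTLS change in pkg/transport/listener.go), a peer is accepted on CA trust alone, plus `peer-cert-allowed-cn` when that is configured, and the description should say so: `"Skip verification of SAN field in client certificate for peer connections. Weakens peer authentication to CA trust (and --peer-cert-allowed-cn if set)."`. newConfig starts and ends outside the hunk.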
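Review bot: The new branch in wrapTLS quietly routes to `NewTLSListener` when `SkipClientSANVerify` is set, so nothing at runtime records that peer client-certificate SAN checking is disabled and an operator auditing a node has no log evidence of the relaxed setting. The branch should carry a why-comment and emit a one-time warning when taken, using whatever logger this package already has in scope (not visible in the hunk), e.g. `// SkipClientSANVerify bypasses checkSAN: peer identity then rests on CA trust (and AllowedCN when set).`. It also presumes `NewTLSListener` never applies checkSAN, which couples the fix to that constructor's current behaviour; passing an explicit no-op verifier to `newTLSListener` alongside the existing `checkSAN` call would make the intent visible at the call site. wrapTLS begins before the hunk.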
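Review bot: `SkipClientSANVerify` is added to TLSInfo without a doc comment, while the neighbouring `ServerName` field has one, and a field that relaxes a certificate check is exactly the kind that needs its effect and scope stated where it is declared. Suggested comment: `// SkipClientSANVerify disables verification of the SAN field in peer client certificates (experimental-peer-skip-client-san-verification); peers are then authenticated by CA trust and AllowedCN only.`. The TLSInfo struct begins and continues outside the hunk.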