From ec4196bc2df72b60179be1facaa1545391c54a78 Mon Sep 17 00:00:00 2001
From: Martin Weindel
Date: Tue, 5 Mar 2019 14:23:41 +0100
Subject: [PATCH] etcdserver: Added configuration flag --peer-skip-client-verify=true

---
 etcdmain/config.go        | 1 +
 pkg/transport/listener.go | 4 ++++
 2 files changed, 5 insertions(+)

diff --git a/etcdmain/config.go b/etcdmain/config.go
index e06d642c7e6e..c8b54ff6602b 100644
--- a/etcdmain/config.go
+++ b/etcdmain/config.go
@@ -210,6 +210,7 @@ func newConfig() *config {
 	fs.StringVar(&cfg.ec.PeerTLSInfo.CRLFile, "peer-crl-file", "", "Path to the peer certificate revocation list file.")
 	fs.StringVar(&cfg.ec.PeerTLSInfo.AllowedCN, "peer-cert-allowed-cn", "", "Allowed CN for inter peer authentication.")
 	fs.Var(flags.NewStringsValue(""), "cipher-suites", "Comma-separated list of supported TLS cipher suites between client/server and peers (empty will be auto-populated by Go).")
+	fs.BoolVar(&cfg.ec.PeerTLSInfo.SkipClientVerify, "peer-skip-client-verify", false, "Skip client IP verification for peer connections.")
 
 	fs.Var(
 		flags.NewUniqueURLsWithExceptions("*", "*"),
diff --git a/pkg/transport/listener.go b/pkg/transport/listener.go
index 0c593e8e2bf8..32c8870bfb66 100644
--- a/pkg/transport/listener.go
+++ b/pkg/transport/listener.go
@@ -56,6 +56,9 @@ func wrapTLS(scheme string, tlsinfo *TLSInfo, l net.Listener) (net.Listener, err
 	if scheme != "https" && scheme != "unixs" {
 		return l, nil
 	}
+	if tlsinfo != nil && tlsinfo.SkipClientVerify {
+		return NewTLSListener(l, tlsinfo)
+	}
 	return newTLSListener(l, tlsinfo, checkSAN)
 }
 
@@ -66,6 +69,7 @@ type TLSInfo struct {
 	ClientCertAuth     bool
 	CRLFile            string
 	InsecureSkipVerify bool
+	SkipClientVerify   bool
 
 	// ServerName ensures the cert matches the given host in case of discovery / virtual hosting
 	ServerName string
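Review bot: The help text on the new `peer-skip-client-verify` flag does not say what an operator gives up by setting it, and the flag name reads as if it disabled client certificate verification, which is broader than what the listener.go hunk shows (that branch only leaves out the `checkSAN` hook in `wrapTLS`). Since this weakens peer authentication, the text should name the check being skipped and what still applies, e.g. `"Skip verification that a peer's client certificate SAN matches its source address; client certificate authentication is still enforced."` — the second clause depends on what `NewTLSListener` does, which is outside this patch and should be confirmed. A name such as `peer-skip-client-san-verification` (and `SkipClientSANVerify` for the field added in the `TLSInfo` hunk) would make the scope explicit and keep it apart from `InsecureSkipVerify`. Whether the flag is also reachable from the YAML config path cannot be seen here; if peer TLS settings are mapped separately there, it probably is not.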
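Review bot: The new branch in `wrapTLS` hides a security-relevant change behind a call that looks like a mere variant of the one below it, `NewTLSListener(l, tlsinfo)` versus `newTLSListener(l, tlsinfo, checkSAN)`, and nothing in the hunk says the difference is the missing `checkSAN` hook. A comment on the `if` should state that, e.g. `// SkipClientVerify: build the listener without the checkSAN hook, so a peer's` / `// certificate SAN is no longer matched against its remote address.` (the precise effect depends on NewTLSListener, which is not in the hunk). Because `wrapTLS` applies to every TLS listener built from a `TLSInfo`, the relaxation is scoped only by where the flag is bound, so a startup log line when this branch is taken would let operators and audits see that the weaker mode is active. Selecting the hook in a variable (`check := checkSAN; if tlsinfo != nil && tlsinfo.SkipClientVerify { check = <no-op check placeholder> }`) and keeping a single `newTLSListener` call would make the choice explicit rather than implied by two constructor names. wrapTLS's signature precedes the hunk.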
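Review bot: The new `SkipClientVerify` field has no doc comment, and unlike `InsecureSkipVerify` just above it, whose name mirrors the well-known `tls.Config` field, its effect cannot be guessed from the name. Add a comment that describes what the code does with it, e.g. `// SkipClientVerify makes wrapTLS build the listener without the checkSAN hook;` / `// intended for the peer listener only.`, and note that `TLSInfo` is presumably also used for client-facing listeners, so the field should not be set there. The struct definition continues outside the hunk.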