From 6de514fbd12e15e3f6906616f496ef1bdcd00410 Mon Sep 17 00:00:00 2001
From: Daniel Nephin
Date: Thu, 24 Jun 2021 13:36:58 -0400
Subject: [PATCH] tlsutil: fix default server name for health checks

Don't use the agent node name or agent server name when EnableAgentTLSForChecks=false.
---
 .changelog/10490.txt | 3 +++
 tlsutil/config.go | 7 +++----
 tlsutil/config_test.go | 28 ++++++++++++++++++++++++++++
 3 files changed, 34 insertions(+), 4 deletions(-)
 create mode 100644 .changelog/10490.txt

diff --git a/.changelog/10490.txt b/.changelog/10490.txt
new file mode 100644
index 000000000..ec84cd951
--- /dev/null
+++ b/.changelog/10490.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+checks: fixes the default ServerName used with TLS health checks.
+```
diff --git a/tlsutil/config.go b/tlsutil/config.go
index 70d987f11..69b358fed 100644
--- a/tlsutil/config.go
+++ b/tlsutil/config.go
@@ -720,10 +720,6 @@ func (c *Configurator) IncomingHTTPSConfig() *tls.Config {
 func (c *Configurator) OutgoingTLSConfigForCheck(skipVerify bool, serverName string) *tls.Config {
 c.log("OutgoingTLSConfigForCheck")

- if serverName == "" {
- serverName = c.serverNameOrNodeName()
- }
-
 if !c.enableAgentTLSForChecks() {
 return &tls.Config{
 InsecureSkipVerify: skipVerify,
@@ -731,6 +727,9 @@ func (c *Configurator) OutgoingTLSConfigForCheck(skipVerify bool, serverName str
 }
 }

+ if serverName == "" {
+ serverName = c.serverNameOrNodeName()
+ }
 config := c.commonTLSConfig(false)
 config.InsecureSkipVerify = skipVerify
 config.ServerName = serverName
diff --git a/tlsutil/config_test.go b/tlsutil/config_test.go
index 91d4f1aae..f63a02d05 100644
--- a/tlsutil/config_test.go
+++ b/tlsutil/config_test.go
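Review bot: OutgoingTLSConfigForCheck has no doc comment, and the second config.go hunk changes when the serverNameOrNodeName fallback applies, so the contract should be written down at the signature shown as context in the first hunk; a suitable comment is `// OutgoingTLSConfigForCheck returns the client TLS config used by agent health checks. An empty serverName falls back to the agent's configured server name or node name only when EnableAgentTLSForChecks is set; otherwise ServerName is left empty so the TLS client derives it from the check target.` The last clause is inferred from the test expectations and from the early-return config not being built through commonTLSConfig, so confirm how the returned config is consumed before asserting it. Verifying a check target's certificate against the agent's own node name was the defect here; with the fallback scoped to the agent-TLS case, the non-agent path no longer pins a name that belongs to a different host. The function's body continues past the end of the first hunk, and the one line between the two hunks is not shown.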
@@ -948,6 +948,34 @@ func TestConfigurator_OutgoingTLSConfigForCheck(t *testing.T) {
 skipVerify: true,
 expected: &tls.Config{InsecureSkipVerify: true},
 },
+ {
+ name: "default tls, skip verify, default server name",
+ conf: func() (*Configurator, error) {
+ return NewConfigurator(Config{
+ TLSMinVersion: "tls12",
+ EnableAgentTLSForChecks: false,
+ ServerName: "servername",
+ }, nil)
+ },
+ skipVerify: true,
+ expected: &tls.Config{InsecureSkipVerify: true},
+ },
+ {
+ name: "default tls, skip verify, check server name",
+ conf: func() (*Configurator, error) {
+ return NewConfigurator(Config{
+ TLSMinVersion: "tls12",
+ EnableAgentTLSForChecks: false,
+ ServerName: "servername",
+ }, nil)
+ },
+ skipVerify: true,
+ serverName: "check-server-name",
+ expected: &tls.Config{
+ InsecureSkipVerify: true,
+ ServerName: "check-server-name",
+ },
+ },
 {
 name: "agent tls, skip verify, default server name",
 conf: func() (*Configurator, error) {
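Review bot: Both added cases use `skipVerify: true`, so the expected ServerName is asserted on a config where verification is disabled and the name is never checked; the scenario the commit fixes — EnableAgentTLSForChecks false, no check-specific name, verification on — is not pinned. Add a third case mirroring "default tls, skip verify, default server name" with `skipVerify: false,` and an expected config whose ServerName is empty, so a regression that reintroduces the agent node-name fallback fails the test. Whether that expected value is exactly `&tls.Config{}` depends on what else the early-return branch sets, which is outside this hunk. The enclosing TestConfigurator_OutgoingTLSConfigForCheck starts before and ends after the hunk.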