luxolus
/
open-consul
2
0
Fork 0
Code Issues 1 Pull Requests Packages Releases Wiki Activity

tlsutil: fix default server name for health checks 

Don't use the agent node name or agent server name when EnableAgentTLSForChecks=false.
This commit is contained in:
Daniel Nephin 2021-06-24 13:36:58 -04:00
parent 2bfdd8ceed
commit 6de514fbd1
3 changed files with 34 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.changelog/10490.txt Normal file
View File

@ -0,0 +1,3 @@
```release-note:bug
checks: fixes the default ServerName used with TLS health checks.
```

7
tlsutil/config.go
View File

@ -720,10 +720,6 @@ func (c *Configurator) IncomingHTTPSConfig() *tls.Config {
func (c *Configurator) OutgoingTLSConfigForCheck(skipVerify bool, serverName string) *tls.Config { func (c *Configurator) OutgoingTLSConfigForCheck(skipVerify bool, serverName string) *tls.Config {
c.log("OutgoingTLSConfigForCheck") c.log("OutgoingTLSConfigForCheck")
if serverName == "" {
serverName = c.serverNameOrNodeName()
}
if !c.enableAgentTLSForChecks() { if !c.enableAgentTLSForChecks() {
return &tls.Config{ return &tls.Config{
InsecureSkipVerify: skipVerify, InsecureSkipVerify: skipVerify,
@ -731,6 +727,9 @@ func (c *Configurator) OutgoingTLSConfigForCheck(skipVerify bool, serverName str
} }
} }
if serverName == "" {
serverName = c.serverNameOrNodeName()
}
config := c.commonTLSConfig(false) config := c.commonTLSConfig(false)
config.InsecureSkipVerify = skipVerify config.InsecureSkipVerify = skipVerify
config.ServerName = serverName config.ServerName = serverName

28
tlsutil/config_test.go
View File

@ -948,6 +948,34 @@ func TestConfigurator_OutgoingTLSConfigForCheck(t *testing.T) {
skipVerify: true, skipVerify: true,
expected: &tls.Config{InsecureSkipVerify: true}, expected: &tls.Config{InsecureSkipVerify: true},
}, },
{
name: "default tls, skip verify, default server name",
conf: func() (*Configurator, error) {
return NewConfigurator(Config{
TLSMinVersion: "tls12",
EnableAgentTLSForChecks: false,
ServerName: "servername",
}, nil)
},
skipVerify: true,
expected: &tls.Config{InsecureSkipVerify: true},
},
{
name: "default tls, skip verify, check server name",
conf: func() (*Configurator, error) {
return NewConfigurator(Config{
TLSMinVersion: "tls12",
EnableAgentTLSForChecks: false,
ServerName: "servername",
}, nil)
},
skipVerify: true,
serverName: "check-server-name",
expected: &tls.Config{
InsecureSkipVerify: true,
ServerName: "check-server-name",
},
},
{ {
name: "agent tls, skip verify, default server name", name: "agent tls, skip verify, default server name",
conf: func() (*Configurator, error) { conf: func() (*Configurator, error) {