Allow setting verify_incoming* when using auto_encrypt or auto_config (#8394)

Ensure that enabling AutoConfig sets the tls configurator properly

This also refactors the TLS configurator a bit so the naming doesn’t imply only AutoEncrypt as the source of the automatically setup TLS cert info.
This commit is contained in:
Matt Keeler 2020-07-30 10:15:12 -04:00 committed by GitHub
parent d1e0f4b886
commit 76add4f24c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 118 additions and 78 deletions

View File

@ -149,7 +149,7 @@ func (m *CertMonitor) Update(certs *structs.SignedResponse) error {
// that the recipient of the response who also has access to the private key will
// have filled it in. The Cache definitely does this but auto-encrypt/auto-config
// will need to ensure the original response is setup this way too.
err := m.tlsConfigurator.UpdateAutoEncrypt(
err := m.tlsConfigurator.UpdateAutoTLS(
certs.ManualCARoots,
connectCAPems,
certs.IssuedCert.CertPEM,
@ -311,7 +311,7 @@ func (m *CertMonitor) handleCacheEvent(u cache.UpdateEvent) error {
pems = append(pems, root.RootCert)
}
if err := m.tlsConfigurator.UpdateAutoEncryptCA(pems); err != nil {
if err := m.tlsConfigurator.UpdateAutoTLSCA(pems); err != nil {
return fmt.Errorf("failed to update Connect CA certificates: %w", err)
}
case leafWatchID:
@ -324,7 +324,7 @@ func (m *CertMonitor) handleCacheEvent(u cache.UpdateEvent) error {
if !ok {
return fmt.Errorf("invalid type for agent leaf cert watch response: %T", u.Result)
}
if err := m.tlsConfigurator.UpdateAutoEncryptCert(leaf.CertPEM, leaf.PrivateKeyPEM); err != nil {
if err := m.tlsConfigurator.UpdateAutoTLSCert(leaf.CertPEM, leaf.PrivateKeyPEM); err != nil {
return fmt.Errorf("failed to update the agent leaf cert: %w", err)
}
}

View File

@ -118,7 +118,7 @@ func waitForChans(timeout time.Duration, chans ...<-chan struct{}) bool {
func testTLSConfigurator(t *testing.T) *tlsutil.Configurator {
t.Helper()
logger := testutil.Logger(t)
cfg, err := tlsutil.NewConfigurator(tlsutil.Config{AutoEncryptTLS: true}, logger)
cfg, err := tlsutil.NewConfigurator(tlsutil.Config{AutoTLS: true}, logger)
require.NoError(t, err)
return cfg
}

View File

@ -1799,7 +1799,7 @@ func (c *RuntimeConfig) ToTLSUtilConfig() tlsutil.Config {
CipherSuites: c.TLSCipherSuites,
PreferServerCipherSuites: c.TLSPreferServerCipherSuites,
EnableAgentTLSForChecks: c.EnableAgentTLSForChecks,
AutoEncryptTLS: c.AutoEncryptTLS,
AutoTLS: c.AutoEncryptTLS || c.AutoConfig.Enabled,
}
}

View File

@ -7357,7 +7357,47 @@ func TestRuntime_ToTLSUtilConfig(t *testing.T) {
require.True(t, r.VerifyIncomingHTTPS)
require.True(t, r.VerifyOutgoing)
require.True(t, r.EnableAgentTLSForChecks)
require.True(t, r.AutoEncryptTLS)
require.True(t, r.AutoTLS)
require.True(t, r.VerifyServerHostname)
require.True(t, r.PreferServerCipherSuites)
require.Equal(t, "a", r.CAFile)
require.Equal(t, "b", r.CAPath)
require.Equal(t, "c", r.CertFile)
require.Equal(t, "d", r.KeyFile)
require.Equal(t, "e", r.NodeName)
require.Equal(t, "f", r.ServerName)
require.Equal(t, "g", r.Domain)
require.Equal(t, "tls12", r.TLSMinVersion)
require.Equal(t, []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA}, r.CipherSuites)
}
func TestRuntime_ToTLSUtilConfig_AutoConfig(t *testing.T) {
c := &RuntimeConfig{
VerifyIncoming: true,
VerifyIncomingRPC: true,
VerifyIncomingHTTPS: true,
VerifyOutgoing: true,
VerifyServerHostname: true,
CAFile: "a",
CAPath: "b",
CertFile: "c",
KeyFile: "d",
NodeName: "e",
ServerName: "f",
DNSDomain: "g",
TLSMinVersion: "tls12",
TLSCipherSuites: []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
TLSPreferServerCipherSuites: true,
EnableAgentTLSForChecks: true,
AutoConfig: AutoConfig{Enabled: true},
}
r := c.ToTLSUtilConfig()
require.True(t, r.VerifyIncoming)
require.True(t, r.VerifyIncomingRPC)
require.True(t, r.VerifyIncomingHTTPS)
require.True(t, r.VerifyOutgoing)
require.True(t, r.EnableAgentTLSForChecks)
require.True(t, r.AutoTLS)
require.True(t, r.VerifyServerHostname)
require.True(t, r.PreferServerCipherSuites)
require.Equal(t, "a", r.CAFile)

View File

@ -89,7 +89,7 @@ func TestAutoEncryptSign(t *testing.T) {
}
cfg := test.Config
cfg.AutoEncryptTLS = true
cfg.AutoTLS = true
cfg.Domain = "consul"
codec, err := insecureRPCClient(s, cfg)
if test.ConnError {

View File

@ -647,7 +647,7 @@ func (s *Server) connectCARootsMonitor(ctx context.Context) {
for _, ca := range cas {
caPems = append(caPems, ca.RootCert)
}
if err := s.tlsConfigurator.UpdateAutoEncryptCA(caPems); err != nil {
if err := s.tlsConfigurator.UpdateAutoTLSCA(caPems); err != nil {
s.logger.Error("Failed to update AutoEncrypt CAPems", "error", err)
}

View File

@ -127,9 +127,9 @@ type Config struct {
// and key).
EnableAgentTLSForChecks bool
// AutoEncryptTLS opts the agent into provisioning agent
// AutoTLS opts the agent into provisioning agent
// TLS certificates.
AutoEncryptTLS bool
AutoTLS bool
}
func tlsVersions() []string {
@ -159,14 +159,14 @@ func SpecificDC(dc string, tlsWrap DCWrapper) Wrapper {
}
}
type autoEncrypt struct {
type autoTLS struct {
manualCAPems []string
connectCAPems []string
cert *tls.Certificate
verifyServerHostname bool
}
func (a *autoEncrypt) caPems() []string {
func (a *autoTLS) caPems() []string {
return append(a.manualCAPems, a.connectCAPems...)
}
@ -180,7 +180,7 @@ type manual struct {
type Configurator struct {
sync.RWMutex
base *Config
autoEncrypt *autoEncrypt
autoTLS *autoTLS
manual *manual
peerDatacenterUseTLS map[string]bool
@ -201,7 +201,7 @@ func NewConfigurator(config Config, logger hclog.Logger) (*Configurator, error)
c := &Configurator{
logger: logger.Named(logging.TLSUtil),
manual: &manual{},
autoEncrypt: &autoEncrypt{},
autoTLS: &autoTLS{},
peerDatacenterUseTLS: map[string]bool{},
}
err := c.Update(config)
@ -215,7 +215,7 @@ func NewConfigurator(config Config, logger hclog.Logger) (*Configurator, error)
func (c *Configurator) CAPems() []string {
c.RLock()
defer c.RUnlock()
return append(c.manual.caPems, c.autoEncrypt.caPems()...)
return append(c.manual.caPems, c.autoTLS.caPems()...)
}
// ManualCAPems returns the currently loaded CAs in PEM format.
@ -242,7 +242,7 @@ func (c *Configurator) Update(config Config) error {
if err != nil {
return err
}
pool, err := pool(append(pems, c.autoEncrypt.caPems()...))
pool, err := pool(append(pems, c.autoTLS.caPems()...))
if err != nil {
return err
}
@ -257,17 +257,17 @@ func (c *Configurator) Update(config Config) error {
return nil
}
// UpdateAutoEncryptCA updates the autoEncrypt.caPems. This is supposed to be called
// UpdateAutoTLSCA updates the autoEncrypt.caPems. This is supposed to be called
// from the server in order to be able to accept TLS connections with TLS
// certificates.
// Or it is being called on the client side when CA changes are detected.
func (c *Configurator) UpdateAutoEncryptCA(connectCAPems []string) error {
func (c *Configurator) UpdateAutoTLSCA(connectCAPems []string) error {
c.Lock()
// order of defers matters because log acquires a RLock()
defer c.log("UpdateAutoEncryptCA")
defer c.Unlock()
pool, err := pool(append(c.manual.caPems, append(c.autoEncrypt.manualCAPems, connectCAPems...)...))
pool, err := pool(append(c.manual.caPems, append(c.autoTLS.manualCAPems, connectCAPems...)...))
if err != nil {
c.RUnlock()
return err
@ -276,14 +276,14 @@ func (c *Configurator) UpdateAutoEncryptCA(connectCAPems []string) error {
c.RUnlock()
return err
}
c.autoEncrypt.connectCAPems = connectCAPems
c.autoTLS.connectCAPems = connectCAPems
c.caPool = pool
c.version++
return nil
}
// UpdateAutoEncryptCert
func (c *Configurator) UpdateAutoEncryptCert(pub, priv string) error {
// UpdateAutoTLSCert
func (c *Configurator) UpdateAutoTLSCert(pub, priv string) error {
// order of defers matters because log acquires a RLock()
defer c.log("UpdateAutoEncryptCert")
cert, err := tls.X509KeyPair([]byte(pub), []byte(priv))
@ -294,14 +294,14 @@ func (c *Configurator) UpdateAutoEncryptCert(pub, priv string) error {
c.Lock()
defer c.Unlock()
c.autoEncrypt.cert = &cert
c.autoTLS.cert = &cert
c.version++
return nil
}
// UpdateAutoEncrypt sets everything under autoEncrypt. This is being called on the
// client when it received its cert from AutoEncrypt endpoint.
func (c *Configurator) UpdateAutoEncrypt(manualCAPems, connectCAPems []string, pub, priv string, verifyServerHostname bool) error {
// UpdateAutoTLS sets everything under autoEncrypt. This is being called on the
// client when it received its cert from AutoEncrypt/AutoConfig endpoints.
func (c *Configurator) UpdateAutoTLS(manualCAPems, connectCAPems []string, pub, priv string, verifyServerHostname bool) error {
// order of defers matters because log acquires a RLock()
defer c.log("UpdateAutoEncrypt")
cert, err := tls.X509KeyPair([]byte(pub), []byte(priv))
@ -316,11 +316,11 @@ func (c *Configurator) UpdateAutoEncrypt(manualCAPems, connectCAPems []string, p
if err != nil {
return err
}
c.autoEncrypt.manualCAPems = manualCAPems
c.autoEncrypt.connectCAPems = connectCAPems
c.autoEncrypt.cert = &cert
c.autoTLS.manualCAPems = manualCAPems
c.autoTLS.connectCAPems = connectCAPems
c.autoTLS.cert = &cert
c.caPool = pool
c.autoEncrypt.verifyServerHostname = verifyServerHostname
c.autoTLS.verifyServerHostname = verifyServerHostname
c.version++
return nil
}
@ -375,20 +375,19 @@ func (c *Configurator) check(config Config, pool *x509.CertPool, cert *tls.Certi
// Ensure we have a CA and cert if VerifyIncoming is set
if config.anyVerifyIncoming() {
autoEncryptMsg := " AutoEncrypt only secures the connection between client and server and doesn't affect incoming connections on the client."
if pool == nil {
errMsg := "VerifyIncoming set, and no CA certificate provided!"
if config.AutoEncryptTLS {
errMsg += autoEncryptMsg
}
return fmt.Errorf(errMsg)
// both auto-config and auto-encrypt require verifying the connection from the client to the server for secure
// operation. In order to be able to verify the servers certificate we must have some CA certs already provided.
// Therefore, even though both of those features can push down extra CA certificates which could be used to
// verify incoming connections, we still must consider it an error if none are provided in the initial configuration
// as those features cannot be successfully enabled without providing CA certificates to use those features.
return fmt.Errorf("VerifyIncoming set but no CA certificates were provided")
}
if cert == nil {
errMsg := "VerifyIncoming set, and no Cert/Key pair provided!"
if config.AutoEncryptTLS {
errMsg += autoEncryptMsg
}
return fmt.Errorf(errMsg)
// We will use the auto_encrypt/auto_config cert for TLS in the incoming APIs when available. Therefore the check
// here will ensure that either we enabled one of those two features or a certificate and key were provided manually
if cert == nil && !config.AutoTLS {
return fmt.Errorf("VerifyIncoming requires either a Cert and Key pair in the configuration file, or auto_encrypt/auto_config be enabled")
}
}
return nil
@ -500,7 +499,7 @@ func (c *Configurator) commonTLSConfig(verifyIncoming bool) *tls.Config {
// to a server requesting a certificate. Return the autoEncrypt certificate
// if possible, otherwise default to the manually provisioned one.
tlsConfig.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
cert := c.autoEncrypt.cert
cert := c.autoTLS.cert
if cert == nil {
cert = c.manual.cert
}
@ -536,7 +535,7 @@ func (c *Configurator) Cert() *tls.Certificate {
defer c.RUnlock()
cert := c.manual.cert
if cert == nil {
cert = c.autoEncrypt.cert
cert = c.autoTLS.cert
}
return cert
}
@ -554,7 +553,7 @@ func (c *Configurator) outgoingRPCTLSDisabled() bool {
defer c.RUnlock()
// if AutoEncrypt enabled, always use TLS
if c.base.AutoEncryptTLS {
if c.base.AutoTLS {
return false
}
@ -574,7 +573,7 @@ func (c *Configurator) MutualTLSCapable() bool {
func (c *Configurator) mutualTLSCapable() bool {
c.RLock()
defer c.RUnlock()
return c.caPool != nil && (c.autoEncrypt.cert != nil || c.manual.cert != nil)
return c.caPool != nil && (c.autoTLS.cert != nil || c.manual.cert != nil)
}
// This function acquires a read lock because it reads from the config.
@ -584,7 +583,7 @@ func (c *Configurator) verifyOutgoing() bool {
// If AutoEncryptTLS is enabled and there is a CA, then verify
// outgoing.
if c.base.AutoEncryptTLS && c.caPool != nil {
if c.base.AutoTLS && c.caPool != nil {
return true
}
@ -644,7 +643,7 @@ func (c *Configurator) serverNameOrNodeName() string {
func (c *Configurator) VerifyServerHostname() bool {
c.RLock()
defer c.RUnlock()
return c.base.VerifyServerHostname || c.autoEncrypt.verifyServerHostname
return c.base.VerifyServerHostname || c.autoTLS.verifyServerHostname
}
// IncomingGRPCConfig generates a *tls.Config for incoming GRPC connections.
@ -798,7 +797,7 @@ func (c *Configurator) OutgoingALPNRPCWrapper() ALPNWrapper {
func (c *Configurator) AutoEncryptCertNotAfter() time.Time {
c.RLock()
defer c.RUnlock()
tlsCert := c.autoEncrypt.cert
tlsCert := c.autoTLS.cert
if tlsCert == nil || tlsCert.Certificate == nil {
return time.Now().AddDate(0, 0, -1)
}

View File

@ -500,15 +500,16 @@ func TestConfigurator_ErrorPropagation(t *testing.T) {
{Config{VerifyIncoming: true, CAFile: "", CAPath: capath}, true, false}, // 18
{Config{VerifyIncoming: true, CAFile: "", CAPath: capath,
CertFile: certfile, KeyFile: keyfile}, false, false}, // 19
{Config{CertFile: "bogus", KeyFile: "bogus"}, true, true}, // 20
{Config{CAFile: "bogus"}, true, true}, // 21
{Config{CAPath: "bogus"}, true, true}, // 22
{Config{CertFile: "bogus", KeyFile: "bogus"}, true, true}, // 20
{Config{CAFile: "bogus"}, true, true}, // 21
{Config{CAPath: "bogus"}, true, true}, // 22
{Config{VerifyIncoming: true, CAFile: cafile, AutoTLS: true}, false, false}, // 22
}
for _, v := range tlsVersions() {
variants = append(variants, variant{Config{TLSMinVersion: v}, false, false})
}
c := Configurator{autoEncrypt: &autoEncrypt{}, manual: &manual{}}
c := Configurator{autoTLS: &autoTLS{}, manual: &manual{}}
for i, v := range variants {
info := fmt.Sprintf("case %d, config: %+v", i, v.config)
_, err1 := NewConfigurator(v.config, nil)
@ -661,10 +662,10 @@ func TestConfigurator_CommonTLSConfigGetClientCertificate(t *testing.T) {
c2, err := loadKeyPair("../test/key/ourdomain.cer", "../test/key/ourdomain.key")
require.NoError(t, err)
c.autoEncrypt.cert = c2
c.autoTLS.cert = c2
cert, err = c.commonTLSConfig(false).GetClientCertificate(nil)
require.NoError(t, err)
require.Equal(t, c.autoEncrypt.cert, cert)
require.Equal(t, c.autoTLS.cert, cert)
}
func TestConfigurator_CommonTLSConfigGetCertificate(t *testing.T) {
@ -678,10 +679,10 @@ func TestConfigurator_CommonTLSConfigGetCertificate(t *testing.T) {
// Setting a certificate as the auto-encrypt cert will return it as the regular server certificate
c1, err := loadKeyPair("../test/key/something_expired.cer", "../test/key/something_expired.key")
require.NoError(t, err)
c.autoEncrypt.cert = c1
c.autoTLS.cert = c1
cert, err = c.commonTLSConfig(false).GetCertificate(nil)
require.NoError(t, err)
require.Equal(t, c.autoEncrypt.cert, cert)
require.Equal(t, c.autoTLS.cert, cert)
// Setting a different certificate as a manual cert will override the auto-encrypt cert and instead return the manual cert
c2, err := loadKeyPair("../test/key/ourdomain.cer", "../test/key/ourdomain.key")
@ -718,7 +719,7 @@ func TestConfigurator_CommonTLSConfigTLSMinVersion(t *testing.T) {
}
func TestConfigurator_CommonTLSConfigVerifyIncoming(t *testing.T) {
c := Configurator{base: &Config{}, autoEncrypt: &autoEncrypt{}}
c := Configurator{base: &Config{}, autoTLS: &autoTLS{}}
type variant struct {
verify bool
expected tls.ClientAuthType
@ -733,7 +734,7 @@ func TestConfigurator_CommonTLSConfigVerifyIncoming(t *testing.T) {
}
func TestConfigurator_OutgoingRPCTLSDisabled(t *testing.T) {
c := Configurator{base: &Config{}, autoEncrypt: &autoEncrypt{}}
c := Configurator{base: &Config{}, autoTLS: &autoTLS{}}
type variant struct {
verify bool
autoEncryptTLS bool
@ -755,7 +756,7 @@ func TestConfigurator_OutgoingRPCTLSDisabled(t *testing.T) {
info := fmt.Sprintf("case %d", i)
c.caPool = v.pool
c.base.VerifyOutgoing = v.verify
c.base.AutoEncryptTLS = v.autoEncryptTLS
c.base.AutoTLS = v.autoEncryptTLS
require.Equal(t, v.expected, c.outgoingRPCTLSDisabled(), info)
}
}
@ -809,7 +810,7 @@ func TestConfigurator_MutualTLSCapable(t *testing.T) {
require.NoError(t, err)
caPEM := loadFile(t, "../test/hostname/CertAuth.crt")
require.NoError(t, c.UpdateAutoEncryptCA([]string{caPEM}))
require.NoError(t, c.UpdateAutoTLSCA([]string{caPEM}))
require.False(t, c.mutualTLSCapable())
})
@ -824,8 +825,8 @@ func TestConfigurator_MutualTLSCapable(t *testing.T) {
caPEM := loadFile(t, "../test/hostname/CertAuth.crt")
certPEM := loadFile(t, "../test/hostname/Bob.crt")
keyPEM := loadFile(t, "../test/hostname/Bob.key")
require.NoError(t, c.UpdateAutoEncryptCA([]string{caPEM}))
require.NoError(t, c.UpdateAutoEncryptCert(certPEM, keyPEM))
require.NoError(t, c.UpdateAutoTLSCA([]string{caPEM}))
require.NoError(t, c.UpdateAutoTLSCert(certPEM, keyPEM))
require.True(t, c.mutualTLSCapable())
})
@ -900,7 +901,7 @@ func TestConfigurator_IncomingALPNRPCConfig(t *testing.T) {
}
func TestConfigurator_IncomingHTTPSConfig(t *testing.T) {
c := Configurator{base: &Config{}, autoEncrypt: &autoEncrypt{}}
c := Configurator{base: &Config{}, autoTLS: &autoTLS{}}
require.Equal(t, []string{"h2", "http/1.1"}, c.IncomingHTTPSConfig().NextProtos)
}
@ -908,7 +909,7 @@ func TestConfigurator_OutgoingTLSConfigForChecks(t *testing.T) {
c := Configurator{base: &Config{
TLSMinVersion: "tls12",
EnableAgentTLSForChecks: false,
}, autoEncrypt: &autoEncrypt{}}
}, autoTLS: &autoTLS{}}
tlsConf := c.OutgoingTLSConfigForCheck(true)
require.Equal(t, true, tlsConf.InsecureSkipVerify)
require.Equal(t, uint16(0), tlsConf.MinVersion)
@ -922,7 +923,7 @@ func TestConfigurator_OutgoingTLSConfigForChecks(t *testing.T) {
}
func TestConfigurator_OutgoingRPCConfig(t *testing.T) {
c := &Configurator{base: &Config{}, autoEncrypt: &autoEncrypt{}}
c := &Configurator{base: &Config{}, autoTLS: &autoTLS{}}
require.Nil(t, c.OutgoingRPCConfig())
c, err := NewConfigurator(Config{
@ -940,7 +941,7 @@ func TestConfigurator_OutgoingRPCConfig(t *testing.T) {
}
func TestConfigurator_OutgoingALPNRPCConfig(t *testing.T) {
c := &Configurator{base: &Config{}, autoEncrypt: &autoEncrypt{}}
c := &Configurator{base: &Config{}, autoTLS: &autoTLS{}}
require.Nil(t, c.OutgoingALPNRPCConfig())
c, err := NewConfigurator(Config{
@ -960,7 +961,7 @@ func TestConfigurator_OutgoingALPNRPCConfig(t *testing.T) {
}
func TestConfigurator_OutgoingRPCWrapper(t *testing.T) {
c := &Configurator{base: &Config{}, autoEncrypt: &autoEncrypt{}}
c := &Configurator{base: &Config{}, autoTLS: &autoTLS{}}
wrapper := c.OutgoingRPCWrapper()
require.NotNil(t, wrapper)
conn := &net.TCPConn{}
@ -982,7 +983,7 @@ func TestConfigurator_OutgoingRPCWrapper(t *testing.T) {
}
func TestConfigurator_OutgoingALPNRPCWrapper(t *testing.T) {
c := &Configurator{base: &Config{}, autoEncrypt: &autoEncrypt{}}
c := &Configurator{base: &Config{}, autoTLS: &autoTLS{}}
wrapper := c.OutgoingRPCWrapper()
require.NotNil(t, wrapper)
conn := &net.TCPConn{}
@ -1058,7 +1059,7 @@ func TestConfigurator_ServerNameOrNodeName(t *testing.T) {
}
func TestConfigurator_VerifyOutgoing(t *testing.T) {
c := Configurator{base: &Config{}, autoEncrypt: &autoEncrypt{}}
c := Configurator{base: &Config{}, autoTLS: &autoTLS{}}
type variant struct {
verify bool
autoEncryptTLS bool
@ -1080,7 +1081,7 @@ func TestConfigurator_VerifyOutgoing(t *testing.T) {
info := fmt.Sprintf("case %d", i)
c.caPool = v.pool
c.base.VerifyOutgoing = v.verify
c.base.AutoEncryptTLS = v.autoEncryptTLS
c.base.AutoTLS = v.autoEncryptTLS
require.Equal(t, v.expected, c.verifyOutgoing(), info)
}
}
@ -1091,34 +1092,34 @@ func TestConfigurator_Domain(t *testing.T) {
}
func TestConfigurator_VerifyServerHostname(t *testing.T) {
c := Configurator{base: &Config{}, autoEncrypt: &autoEncrypt{}}
c := Configurator{base: &Config{}, autoTLS: &autoTLS{}}
require.False(t, c.VerifyServerHostname())
c.base.VerifyServerHostname = true
c.autoEncrypt.verifyServerHostname = false
c.autoTLS.verifyServerHostname = false
require.True(t, c.VerifyServerHostname())
c.base.VerifyServerHostname = false
c.autoEncrypt.verifyServerHostname = true
c.autoTLS.verifyServerHostname = true
require.True(t, c.VerifyServerHostname())
c.base.VerifyServerHostname = true
c.autoEncrypt.verifyServerHostname = true
c.autoTLS.verifyServerHostname = true
require.True(t, c.VerifyServerHostname())
}
func TestConfigurator_AutoEncrytCertExpired(t *testing.T) {
c := Configurator{base: &Config{}, autoEncrypt: &autoEncrypt{}}
c := Configurator{base: &Config{}, autoTLS: &autoTLS{}}
require.True(t, c.AutoEncryptCertExpired())
cert, err := loadKeyPair("../test/key/something_expired.cer", "../test/key/something_expired.key")
require.NoError(t, err)
c.autoEncrypt.cert = cert
c.autoTLS.cert = cert
require.True(t, c.AutoEncryptCertExpired())
cert, err = loadKeyPair("../test/key/ourdomain.cer", "../test/key/ourdomain.key")
require.NoError(t, err)
c.autoEncrypt.cert = cert
c.autoTLS.cert = cert
require.False(t, c.AutoEncryptCertExpired())
}