Adding server_name configuration for TLS

2014-06-13 11:10:27 -07:00 · 2014-06-13 11:10:27 -07:00 · 91373968a8
parent 355a62496c
commit 91373968a8
4 changed files with 27 additions and 3 deletions
--- a/command/agent/config.go
+++ b/command/agent/config.go
@ -151,6 +151,10 @@ type Config struct {
 	// Must be provided to serve TLS connections.
 	KeyFile string `mapstructure:"key_file"`

+	// ServerName is used with the TLS certificates to ensure the name we
+	// provid ematches the certificate
+	ServerName string `mapstructure:"server_name"`
+
 	// StartJoin is a list of addresses to attempt to join when the
 	// agent starts. If Serf is unable to communicate with any of these
 	// addresses, then the agent will error and exit.
@ -505,6 +509,9 @@ func MergeConfig(a, b *Config) *Config {
 	if b.KeyFile != "" {
 		result.KeyFile = b.KeyFile
 	}
+	if b.ServerName != "" {
+		result.ServerName = b.ServerName
+	}
 	if b.Checks != nil {
 		result.Checks = append(result.Checks, b.Checks...)
 	}
--- a/command/agent/config_test.go
+++ b/command/agent/config_test.go
@ -214,7 +214,7 @@ func TestDecodeConfig(t *testing.T) {
 	}

 	// TLS keys
-	input = `{"ca_file": "my/ca/file", "cert_file": "my.cert", "key_file": "key.pem"}`
+	input = `{"ca_file": "my/ca/file", "cert_file": "my.cert", "key_file": "key.pem", "server_name": "example.com"}`
 	config, err = DecodeConfig(bytes.NewReader([]byte(input)))
 	if err != nil {
 		t.Fatalf("err: %s", err)
@ -229,6 +229,9 @@ func TestDecodeConfig(t *testing.T) {
 	if config.KeyFile != "key.pem" {
 		t.Fatalf("bad: %#v", config)
 	}
+	if config.ServerName != "example.com" {
+		t.Fatalf("bad: %#v", config)
+	}

 	// Start join
 	input = `{"start_join": ["1.1.1.1", "2.2.2.2"]}`
--- a/consul/config.go
+++ b/consul/config.go
@ -109,6 +109,10 @@ type Config struct {
 	// Must be provided to serve TLS connections.
 	KeyFile string

+	// ServerName is used with the TLS certificate to ensure the name we
+	// provide matches the certificate
+	ServerName string
+
 	// RejoinAfterLeave controls our interaction with Serf.
 	// When set to false (default), a leave causes a Consul to not rejoin
 	// the cluster until an explicit join is received. If this is set to
@ -172,10 +176,13 @@ func (c *Config) KeyPair() (*tls.Certificate, error) {
 func (c *Config) OutgoingTLSConfig() (*tls.Config, error) {
 	// Create the tlsConfig
 	tlsConfig := &tls.Config{
-		ServerName:         c.NodeName,
+		ServerName:         c.ServerName,
 		RootCAs:            x509.NewCertPool(),
 		InsecureSkipVerify: !c.VerifyOutgoing,
 	}
+	if tlsConfig.ServerName == "" {
+		tlsConfig.ServerName = c.NodeName
+	}

 	// Ensure we have a CA if VerifyOutgoing is set
 	if c.VerifyOutgoing && c.CAFile == "" {
@ -203,10 +210,13 @@ func (c *Config) OutgoingTLSConfig() (*tls.Config, error) {
 func (c *Config) IncomingTLSConfig() (*tls.Config, error) {
 	// Create the tlsConfig
 	tlsConfig := &tls.Config{
-		ServerName: c.NodeName,
+		ServerName: c.ServerName,
 		ClientCAs:  x509.NewCertPool(),
 		ClientAuth: tls.NoClientCert,
 	}
+	if tlsConfig.ServerName == "" {
+		tlsConfig.ServerName = c.NodeName
+	}

 	// Parse the CA cert if any
 	err := c.AppendCA(tlsConfig.ClientCAs)
--- a/website/source/docs/agent/options.html.markdown
+++ b/website/source/docs/agent/options.html.markdown
@ -254,6 +254,10 @@ definitions support being updated during a reload.
 * `start_join` - An array of strings specifying addresses of nodes to
  join upon startup.

+* `server_name` - When give, this overrides the `node_name` for the TLS certificate.
+  It can be used to ensure that the certificate name matches the hostname we
+  declare.
+
 * `statsite_addr` - This provides the address of a statsite instance. If provided
  Consul will stream various telemetry information to that instance for aggregation.
  This can be used to capture various runtime information.