diff --git a/command/agent/config.go b/command/agent/config.go
index 98b5f3544..ce6511107 100644
--- a/command/agent/config.go
+++ b/command/agent/config.go
@@ -188,6 +188,14 @@ type Config struct {
 	// certificate authority. This is used to verify authenticity of server nodes.
 	VerifyOutgoing bool `mapstructure:"verify_outgoing"`
 
+	// VerifyServerHostname is used to enable hostname verification of servers. This
+	// ensures that the certificate presented is valid for server...
+	// This prevents a compromised client from being restarted as a server, and then
+	// intercepting request traffic as well as being added as a raft peer. This should be
+	// enabled by default with VerifyOutgoing, but for legacy reasons we cannot break
+	// existing clients.
+	VerifyServerHostname bool `mapstructure:"verify_server_hostname"`
+
 	// CAFile is a path to a certificate authority file. This is used with VerifyIncoming
 	// or VerifyOutgoing to verify the TLS connection.
 	CAFile string `mapstructure:"ca_file"`
@@ -838,6 +846,9 @@ func MergeConfig(a, b *Config) *Config {
 	if b.VerifyOutgoing {
 		result.VerifyOutgoing = true
 	}
+	if b.VerifyServerHostname {
+		result.VerifyServerHostname = true
+	}
 	if b.CAFile != "" {
 		result.CAFile = b.CAFile
 	}
diff --git a/command/agent/config_test.go b/command/agent/config_test.go
index c8ec77796..ac22af300 100644
--- a/command/agent/config_test.go
+++ b/command/agent/config_test.go
@@ -245,7 +245,7 @@ func TestDecodeConfig(t *testing.T) {
 	}
 
 	// TLS
-	input = `{"verify_incoming": true, "verify_outgoing": true}`
+	input = `{"verify_incoming": true, "verify_outgoing": true, "verify_server_hostname": true}`
 	config, err = DecodeConfig(bytes.NewReader([]byte(input)))
 	if err != nil {
 		t.Fatalf("err: %s", err)
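Review bot: The doc comment on VerifyServerHostname trails off at `valid for server...` without naming which hostname the server certificate must carry, which is the one fact an operator needs when issuing certificates for this flag; state the exact expected name in the comment (the value that will be matched against the certificate's SAN/CN) rather than an ellipsis. The comment also says the flag "should be enabled by default with VerifyOutgoing", yet nothing in the hunk ties the two together: if `verify_server_hostname` is set while `verify_outgoing` is false, whether hostname verification actually takes effect depends on TLS code outside this diff, so either make VerifyServerHostname imply VerifyOutgoing or reject that combination at config validation so the flag cannot be silently ineffective. Since this option exists to stop a compromised client certificate from being reused as a server, a one-line reminder that it only helps when client and server certificates are issued with distinct names would help operators. The Config struct continues on both sides of the hunk.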
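Review bot: The new MergeConfig branch is sticky in one direction only, matching the VerifyOutgoing branch above it: once any config file sets `verify_server_hostname: true`, a later file cannot turn it back off. That is the right direction for a security flag, but it is worth a comment such as `// Security flags only merge upward; a later file cannot disable them.` so a future refactor does not "fix" it into a plain overwrite. The diff also touches only TestDecodeConfig, so this merge branch has no test; if a TestMergeConfig exists in config_test.go, add `VerifyServerHostname: true` to its input and expected structs so a dropped branch is caught. MergeConfig's body continues outside the hunk.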
@@ -259,6 +259,10 @@ func TestDecodeConfig(t *testing.T) {
 		t.Fatalf("bad: %#v", config)
 	}
 
+	if config.VerifyServerHostname != true {
+		t.Fatalf("bad: %#v", config)
+	}
+
 	// TLS keys
 	input = `{"ca_file": "my/ca/file", "cert_file": "my.cert", "key_file": "key.pem", "server_name": "example.com"}`
 	config, err = DecodeConfig(bytes.NewReader([]byte(input)))
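Review bot: `if config.VerifyServerHostname != true {` compares a bool against a literal; the idiomatic form (and what staticcheck S1002 expects) is `if !config.VerifyServerHostname {`. The preceding VerifyIncoming/VerifyOutgoing checks presumably use the same `!= true` shape, so this is a file-wide style choice rather than a defect, but new lines need not repeat it. The assertion also pins only the positive case: the "TLS keys" decode that follows omits the key, and asserting `config.VerifyServerHostname` is false there would pin the secure-by-default value. TestDecodeConfig continues on both sides of the hunk.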