Commit Graph

3 Commits

Author SHA1 Message Date
Nelson Elhage 0a2476b20e Restore the 0.2 TLS verification behavior.
Namely, don't check the DNS names in TLS certificates when connecting to
other servers.

As of golang 1.3, crypto/tls no longer natively supports doing partial
verification (verifying the cert issuer but not the hostname), so we
have to disable verification entirely and then do the issuer
verification ourselves. Fortunately, crypto/x509 makes this relatively
straightforward.

If the "server_name" configuration option is passed, we preserve the
existing behavior of checking that server name everywhere.

No option is provided to retain the current behavior of checking the
remote certificate against the local node name, since that behavior
seems clearly buggy and unintentional, and I have difficulty imagining
it is actually being used anywhere. It would be relatively
straightforward to restore if desired, however.
2014-06-28 13:32:42 -07:00
Nelson Elhage 7d4824ade7 Allow multiple PEM-encoded certificates in the ca_file.
fixes #167
2014-05-26 10:58:57 -07:00
Armon Dadgar f91fe6c407 consul: Adding configuration tests 2014-04-07 15:07:00 -07:00