Merge pull request #1853 from hashicorp/f-rpc-http-tls

TLS support for http and RPC

api/api.go

@@ -3,6 +3,7 @@ package api
 import (
 	"bytes"
 	"compress/gzip"
+	"crypto/tls"
 	"encoding/json"
 	"fmt"
 	"io"
@@ -14,6 +15,7 @@ import (
 	"time"
 
 	"github.com/hashicorp/go-cleanhttp"
+	rootcerts "github.com/hashicorp/go-rootcerts"
 )
 
 // QueryOptions are used to parameterize a query
@@ -102,6 +104,35 @@ type Config struct {
 	// WaitTime limits how long a Watch will block. If not provided,
 	// the agent default values will be used.
 	WaitTime time.Duration
+
+	// TLSConfig provides the various TLS related configurations for the http
+	// client
+	TLSConfig *TLSConfig
+}
+
+// TLSConfig contains the parameters needed to configure TLS on the HTTP client
+// used to communicate with Nomad.
+type TLSConfig struct {
+	// CACert is the path to a PEM-encoded CA cert file to use to verify the
+	// Nomad server SSL certificate.
+	CACert string
+
+	// CAPath is the path to a directory of PEM-encoded CA cert files to verify
+	// the Nomad server SSL certificate.
+	CAPath string
+
+	// ClientCert is the path to the certificate for Nomad communication
+	ClientCert string
+
+	// ClientKey is the path to the private key for Nomad communication
+	ClientKey string
+
+	// TLSServerName, if set, is used to set the SNI host when connecting via
+	// TLS.
+	TLSServerName string
+
+	// Insecure enables or disables SSL verification
+	Insecure bool
 }
 
 // DefaultConfig returns a default configuration for the client
@@ -109,7 +140,15 @@ func DefaultConfig() *Config {
 	config := &Config{
 		Address:    "http://127.0.0.1:4646",
 		HttpClient: cleanhttp.DefaultClient(),
+		TLSConfig:  &TLSConfig{},
 	}
+	config.HttpClient.Timeout = time.Second * 60
+	transport := config.HttpClient.Transport.(*http.Transport)
+	transport.TLSHandshakeTimeout = 10 * time.Second
+	transport.TLSClientConfig = &tls.Config{
+		MinVersion: tls.VersionTLS12,
+	}
+
 	if addr := os.Getenv("NOMAD_ADDR"); addr != "" {
 		config.Address = addr
 	}
@@ -128,9 +167,71 @@ func DefaultConfig() *Config {
 			Password: password,
 		}
 	}
+
+	// Read TLS specific env vars
+	if v := os.Getenv("NOMAD_CACERT"); v != "" {
+		config.TLSConfig.CACert = v
+	}
+	if v := os.Getenv("NOMAD_CAPATH"); v != "" {
+		config.TLSConfig.CAPath = v
+	}
+	if v := os.Getenv("NOMAD_CLIENT_CERT"); v != "" {
+		config.TLSConfig.ClientCert = v
+	}
+	if v := os.Getenv("NOMAD_CLIENT_KEY"); v != "" {
+		config.TLSConfig.ClientKey = v
+	}
+	if v := os.Getenv("NOMAD_SKIP_VERIFY"); v != "" {
+		if insecure, err := strconv.ParseBool(v); err == nil {
+			config.TLSConfig.Insecure = insecure
+		}
+	}
+
 	return config
 }
 
+// ConfigureTLS applies a set of TLS configurations to the the HTTP client.
+func (c *Config) ConfigureTLS() error {
+	if c.HttpClient == nil {
+		return fmt.Errorf("config HTTP Client must be set")
+	}
+
+	var clientCert tls.Certificate
+	foundClientCert := false
+	if c.TLSConfig.ClientCert != "" || c.TLSConfig.ClientKey != "" {
+		if c.TLSConfig.ClientCert != "" && c.TLSConfig.ClientKey != "" {
+			var err error
+			clientCert, err = tls.LoadX509KeyPair(c.TLSConfig.ClientCert, c.TLSConfig.ClientKey)
+			if err != nil {
+				return err
+			}
+			foundClientCert = true
+		} else if c.TLSConfig.ClientCert != "" || c.TLSConfig.ClientKey != "" {
+			return fmt.Errorf("Both client cert and client key must be provided")
+		}
+	}
+
+	clientTLSConfig := c.HttpClient.Transport.(*http.Transport).TLSClientConfig
+	rootConfig := &rootcerts.Config{
+		CAFile: c.TLSConfig.CACert,
+		CAPath: c.TLSConfig.CAPath,
+	}
+	if err := rootcerts.ConfigureTLS(clientTLSConfig, rootConfig); err != nil {
+		return err
+	}
+
+	clientTLSConfig.InsecureSkipVerify = c.TLSConfig.Insecure
+
+	if foundClientCert {
+		clientTLSConfig.Certificates = []tls.Certificate{clientCert}
+	}
+	if c.TLSConfig.TLSServerName != "" {
+		clientTLSConfig.ServerName = c.TLSConfig.TLSServerName
+	}
+
+	return nil
+}
+
 // Client provides a client to the Nomad API
 type Client struct {
 	config Config
@@ -151,6 +252,11 @@ func NewClient(config *Config) (*Client, error) {
 		config.HttpClient = defConfig.HttpClient
 	}
 
+	// Configure the TLS cofigurations
+	if err := config.ConfigureTLS(); err != nil {
+		return nil, err
+	}
+
 	client := &Client{
 		config: *config,
 	}

client/client.go

@@ -27,6 +27,7 @@ import (
 	"github.com/hashicorp/nomad/client/stats"
 	"github.com/hashicorp/nomad/client/vaultclient"
 	"github.com/hashicorp/nomad/command/agent/consul"
+	"github.com/hashicorp/nomad/helper/tlsutil"
 	"github.com/hashicorp/nomad/nomad"
 	"github.com/hashicorp/nomad/nomad/structs"
 	vaultapi "github.com/hashicorp/vault/api"
@@ -164,12 +165,22 @@ var (
 
 // NewClient is used to create a new client from the given configuration
 func NewClient(cfg *config.Config, consulSyncer *consul.Syncer, logger *log.Logger) (*Client, error) {
+	// Create the tls wrapper
+	var tlsWrap tlsutil.Wrapper
+	if cfg.TLSConfig.EnableRPC {
+		tw, err := cfg.TLSConfiguration().OutgoingTLSWrapper()
+		if err != nil {
+			return nil, err
+		}
+		tlsWrap = tw
+	}
+
 	// Create the client
 	c := &Client{
 		config:              cfg,
 		consulSyncer:        consulSyncer,
 		start:               time.Now(),
-		connPool:            nomad.NewPool(cfg.LogOutput, clientRPCCache, clientMaxStreams, nil),
+		connPool:            nomad.NewPool(cfg.LogOutput, clientRPCCache, clientMaxStreams, tlsWrap),
 		logger:              logger,
 		hostStatsCollector:  stats.NewHostStatsCollector(),
 		allocs:              make(map[string]*AllocRunner),

client/config/config.go

@@ -8,6 +8,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/hashicorp/nomad/helper/tlsutil"
 	"github.com/hashicorp/nomad/nomad/structs"
 	"github.com/hashicorp/nomad/nomad/structs/config"
 )
@@ -132,6 +133,9 @@ type Config struct {
 	// PublishAllocationMetrics determines whether nomad is going to publish
 	// allocation metrics to remote Telemetry sinks
 	PublishAllocationMetrics bool
+
+	// TLSConfig holds various TLS related configurations
+	TLSConfig *config.TLSConfig
 }
 
 func (c *Config) Copy() *Config {
@@ -226,3 +230,17 @@ func (c *Config) ReadStringListToMapDefault(key, defaultValue string) map[string
 	}
 	return list
 }
+
+// TLSConfig returns a TLSUtil Config based on the client configuration
+func (c *Config) TLSConfiguration() *tlsutil.Config {
+	tlsConf := &tlsutil.Config{
+		VerifyIncoming:       true,
+		VerifyOutgoing:       true,
+		VerifyServerHostname: c.TLSConfig.VerifyServerHostname,
+		CAFile:               c.TLSConfig.CAFile,
+		CertFile:             c.TLSConfig.CertFile,
+		KeyFile:              c.TLSConfig.KeyFile,
+		ServerName:           c.Node.Name,
+	}
+	return tlsConf
+}

command/agent/agent.go

@@ -244,6 +244,9 @@ func (a *Agent) serverConfig() (*nomad.Config, error) {
 	conf.ConsulConfig = a.config.Consul
 	conf.VaultConfig = a.config.Vault
 
+	// Set the TLS config
+	conf.TLSConfig = a.config.TLSConfig
+
 	return conf, nil
 }
 
@@ -357,6 +360,10 @@ func (a *Agent) clientConfig() (*clientconfig.Config, error) {
 	conf.StatsCollectionInterval = a.config.Telemetry.collectionInterval
 	conf.PublishNodeMetrics = a.config.Telemetry.PublishNodeMetrics
 	conf.PublishAllocationMetrics = a.config.Telemetry.PublishAllocationMetrics
+
+	// Set the TLS related configs
+	conf.TLSConfig = a.config.TLSConfig
+
 	return conf, nil
 }
 

command/agent/config-test-fixtures/basic.hcl

@@ -121,3 +121,11 @@ vault {
     tls_server_name = "foobar"
     tls_skip_verify = true
 }
+tls {
+    http = true
+    rpc = true
+    verify_server_hostname = true
+    ca_file = "foo"
+    cert_file = "bar"
+    key_file = "pipe"
+}

command/agent/config.go

@@ -112,6 +112,10 @@ type Config struct {
 	// List of config files that have been loaded (in order)
 	Files []string `mapstructure:"-"`
 
+	// TLSConfig provides TLS related configuration for the Nomad server and
+	// client
+	TLSConfig *config.TLSConfig `mapstructure:"tls"`
+
 	// HTTPAPIResponseHeaders allows users to configure the Nomad http agent to
 	// set arbritrary headers on API responses
 	HTTPAPIResponseHeaders map[string]string `mapstructure:"http_api_response_headers"`
@@ -486,6 +490,7 @@ func DefaultConfig() *Config {
 			CollectionInterval: "1s",
 			collectionInterval: 1 * time.Second,
 		},
+		TLSConfig: &config.TLSConfig{},
 	}
 }
 
@@ -566,6 +571,14 @@ func (c *Config) Merge(b *Config) *Config {
 		result.Telemetry = result.Telemetry.Merge(b.Telemetry)
 	}
 
+	// Apply the TLS Config
+	if result.TLSConfig == nil && b.TLSConfig != nil {
+		tlsConfig := *b.TLSConfig
+		result.TLSConfig = &tlsConfig
+	} else if b.TLSConfig != nil {
+		result.TLSConfig = result.TLSConfig.Merge(b.TLSConfig)
+	}
+
 	// Apply the client config
 	if result.Client == nil && b.Client != nil {
 		client := *b.Client

command/agent/config_parse.go

@@ -94,6 +94,7 @@ func parseConfig(result *Config, list *ast.ObjectList) error {
 		"atlas",
 		"consul",
 		"vault",
+		"tls",
 		"http_api_response_headers",
 	}
 	if err := checkHCLKeys(list, valid); err != nil {
@@ -115,6 +116,7 @@ func parseConfig(result *Config, list *ast.ObjectList) error {
 	delete(m, "atlas")
 	delete(m, "consul")
 	delete(m, "vault")
+	delete(m, "tls")
 	delete(m, "http_api_response_headers")
 
 	// Decode the rest
@@ -185,6 +187,13 @@ func parseConfig(result *Config, list *ast.ObjectList) error {
 		}
 	}
 
+	// Parse the TLS config
+	if o := list.Filter("tls"); len(o.Items) > 0 {
+		if err := parseTLSConfig(&result.TLSConfig, o); err != nil {
+			return multierror.Prefix(err, "tls ->")
+		}
+	}
+
 	// Parse out http_api_response_headers fields. These are in HCL as a list so
 	// we need to iterate over them and merge them.
 	if headersO := list.Filter("http_api_response_headers"); len(headersO.Items) > 0 {
@@ -643,6 +652,41 @@ func parseConsulConfig(result **config.ConsulConfig, list *ast.ObjectList) error
 	return nil
 }
 
+func parseTLSConfig(result **config.TLSConfig, list *ast.ObjectList) error {
+	list = list.Elem()
+	if len(list.Items) > 1 {
+		return fmt.Errorf("only one 'tls' block allowed")
+	}
+
+	// Get the TLS object
+	listVal := list.Items[0].Val
+
+	valid := []string{
+		"http",
+		"rpc",
+		"verify_server_hostname",
+		"ca_file",
+		"cert_file",
+		"key_file",
+	}
+
+	if err := checkHCLKeys(listVal, valid); err != nil {
+		return err
+	}
+
+	var m map[string]interface{}
+	if err := hcl.DecodeObject(&m, listVal); err != nil {
+		return err
+	}
+
+	var tlsConfig config.TLSConfig
+	if err := mapstructure.WeakDecode(m, &tlsConfig); err != nil {
+		return err
+	}
+	*result = &tlsConfig
+	return nil
+}
+
 func parseVaultConfig(result **config.VaultConfig, list *ast.ObjectList) error {
 	list = list.Elem()
 	if len(list.Items) > 1 {

command/agent/config_parse_test.go

@@ -136,6 +136,14 @@ func TestConfig_Parse(t *testing.T) {
 					TaskTokenTTL:         "1s",
 					Token:                "12345",
 				},
+				TLSConfig: &TLSConfig{
+					EnableHTTP:           true,
+					EnableRPC:            true,
+					VerifyServerHostname: true,
+					CAFile:               "foo",
+					CertFile:             "bar",
+					KeyFile:              "pipe",
+				},
 				HTTPAPIResponseHeaders: map[string]string{
 					"Access-Control-Allow-Origin": "*",
 				},

command/agent/http.go

@@ -2,6 +2,7 @@ package agent
 
 import (
 	"bytes"
+	"crypto/tls"
 	"encoding/json"
 	"fmt"
 	"io"
@@ -13,6 +14,7 @@ import (
 	"time"
 
 	"github.com/NYTimes/gziphandler"
+	"github.com/hashicorp/nomad/helper/tlsutil"
 	"github.com/hashicorp/nomad/nomad/structs"
 	"github.com/ugorji/go/codec"
 )
@@ -52,6 +54,24 @@ func NewHTTPServer(agent *Agent, config *Config, logOutput io.Writer) (*HTTPServ
 		return nil, fmt.Errorf("failed to start HTTP listener: %v", err)
 	}
 
+	// If TLS is enabled, wrap the listener with a TLS listener
+	if config.TLSConfig.EnableHTTP {
+		tlsConf := &tlsutil.Config{
+			VerifyIncoming:       false,
+			VerifyOutgoing:       true,
+			VerifyServerHostname: config.TLSConfig.VerifyServerHostname,
+			CAFile:               config.TLSConfig.CAFile,
+			CertFile:             config.TLSConfig.CertFile,
+			KeyFile:              config.TLSConfig.KeyFile,
+			ServerName:           config.NodeName,
+		}
+		tlsConfig, err := tlsConf.IncomingTLSConfig()
+		if err != nil {
+			return nil, err
+		}
+		ln = tls.NewListener(tcpKeepAliveListener{ln.(*net.TCPListener)}, tlsConfig)
+	}
+
 	// Create the mux
 	mux := http.NewServeMux()
 
@@ -91,6 +111,23 @@ func newScadaHttp(agent *Agent, list net.Listener) *HTTPServer {
 	return srv
 }
 
+// tcpKeepAliveListener sets TCP keep-alive timeouts on accepted
+// connections. It's used by NewHttpServer so
+// dead TCP connections eventually go away.
+type tcpKeepAliveListener struct {
+	*net.TCPListener
+}
+
+func (ln tcpKeepAliveListener) Accept() (c net.Conn, err error) {
+	tc, err := ln.AcceptTCP()
+	if err != nil {
+		return
+	}
+	tc.SetKeepAlive(true)
+	tc.SetKeepAlivePeriod(30 * time.Second)
+	return tc, nil
+}
+
 // Shutdown is used to shutdown the HTTP server
 func (s *HTTPServer) Shutdown() {
 	if s != nil {

command/meta.go

@@ -46,6 +46,12 @@ type Meta struct {
 
 	// The region to send API requests
 	region string
+
+	caCert     string
+	caPath     string
+	clientCert string
+	clientKey  string
+	insecure   bool
 }
 
 // FlagSet returns a FlagSet with the common flags that every
@@ -61,6 +67,13 @@ func (m *Meta) FlagSet(n string, fs FlagSetFlags) *flag.FlagSet {
 		f.StringVar(&m.flagAddress, "address", "", "")
 		f.StringVar(&m.region, "region", "", "")
 		f.BoolVar(&m.noColor, "no-color", false, "")
+		f.StringVar(&m.caCert, "ca-cert", "", "")
+		f.StringVar(&m.caPath, "ca-path", "", "")
+		f.StringVar(&m.clientCert, "client-cert", "", "")
+		f.StringVar(&m.clientKey, "client-key", "", "")
+		f.BoolVar(&m.insecure, "insecure", false, "")
+		f.BoolVar(&m.insecure, "tls-skip-verify", false, "")
+
 	}
 
 	// Create an io.Writer that writes to our UI properly for errors.
@@ -95,6 +108,18 @@ func (m *Meta) Client() (*api.Client, error) {
 	if m.region != "" {
 		config.Region = m.region
 	}
+	// If we need custom TLS configuration, then set it
+	if m.caCert != "" || m.caPath != "" || m.clientCert != "" || m.clientKey != "" || m.insecure {
+		t := &api.TLSConfig{
+			CACert:     m.caCert,
+			CAPath:     m.caPath,
+			ClientCert: m.clientCert,
+			ClientKey:  m.clientKey,
+			Insecure:   m.insecure,
+		}
+		config.TLSConfig = t
+	}
+
 	return api.NewClient(config)
 }
 
@@ -121,6 +146,31 @@ func generalOptionsUsage() string {
   
   -no-color
     Disables colored command output.
+
+  -ca-cert=<path>           
+    Path to a PEM encoded CA cert file to use to verify the 
+    Nomad server SSL certificate.  Overrides the NOMAD_CACERT 
+    environment variable if set.
+
+  -ca-path=<path>           
+    Path to a directory of PEM encoded CA cert files to verify 
+    the Nomad server SSL certificate. If both -ca-cert and 
+    -ca-path are specified, -ca-cert is used. Overrides the 
+    NOMAD_CAPATH environment variable if set.
+
+  -client-cert=<path>       
+    Path to a PEM encoded client certificate for TLS authentication 
+    to the Nomad server. Must also specify -client-key. Overrides 
+    the NOMAD_CLIENT_CERT environment variable if set.
+
+  -client-key=<path>        
+    Path to an unencrypted PEM encoded private key matching the 
+    client certificate from -client-cert. Overrides the 
+    NOMAD_CLIENT_KEY environment variable if set.
+
+  -tls-skip-verify        
+    Do not verify TLS certificate. This is highly not recommended. Verification
+    will also be skipped if NOMAD_SKIP_VERIFY is set.
 `
 	return strings.TrimSpace(helpText)
 }

helper/tlsutil/config.go

@@ -0,0 +1,237 @@
+package tlsutil
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"fmt"
+	"io/ioutil"
+	"net"
+	"time"
+)
+
+// Wrapper wraps a connection and enables TLS on it.
+type Wrapper func(conn net.Conn) (net.Conn, error)
+
+// Config used to create tls.Config
+type Config struct {
+	// VerifyIncoming is used to verify the authenticity of incoming connections.
+	// This means that TCP requests are forbidden, only allowing for TLS. TLS connections
+	// must match a provided certificate authority. This can be used to force client auth.
+	VerifyIncoming bool
+
+	// VerifyOutgoing is used to verify the authenticity of outgoing connections.
+	// This means that TLS requests are used, and TCP requests are not made. TLS connections
+	// must match a provided certificate authority. This is used to verify authenticity of
+	// server nodes.
+	VerifyOutgoing bool
+
+	// VerifyServerHostname is used to enable hostname verification of servers. This
+	// ensures that the certificate presented is valid for server.<datacenter>.<domain>.
+	// This prevents a compromised client from being restarted as a server, and then
+	// intercepting request traffic as well as being added as a raft peer. This should be
+	// enabled by default with VerifyOutgoing, but for legacy reasons we cannot break
+	// existing clients.
+	VerifyServerHostname bool
+
+	// CAFile is a path to a certificate authority file. This is used with VerifyIncoming
+	// or VerifyOutgoing to verify the TLS connection.
+	CAFile string
+
+	// CertFile is used to provide a TLS certificate that is used for serving TLS connections.
+	// Must be provided to serve TLS connections.
+	CertFile string
+
+	// KeyFile is used to provide a TLS key that is used for serving TLS connections.
+	// Must be provided to serve TLS connections.
+	KeyFile string
+
+	// ServerName is used with the TLS certificate to ensure the name we
+	// provide matches the certificate
+	ServerName string
+}
+
+// AppendCA opens and parses the CA file and adds the certificates to
+// the provided CertPool.
+func (c *Config) AppendCA(pool *x509.CertPool) error {
+	if c.CAFile == "" {
+		return nil
+	}
+
+	// Read the file
+	data, err := ioutil.ReadFile(c.CAFile)
+	if err != nil {
+		return fmt.Errorf("Failed to read CA file: %v", err)
+	}
+
+	if !pool.AppendCertsFromPEM(data) {
+		return fmt.Errorf("Failed to parse any CA certificates")
+	}
+
+	return nil
+}
+
+// KeyPair is used to open and parse a certificate and key file
+func (c *Config) KeyPair() (*tls.Certificate, error) {
+	if c.CertFile == "" || c.KeyFile == "" {
+		return nil, nil
+	}
+	cert, err := tls.LoadX509KeyPair(c.CertFile, c.KeyFile)
+	if err != nil {
+		return nil, fmt.Errorf("Failed to load cert/key pair: %v", err)
+	}
+	return &cert, err
+}
+
+// OutgoingTLSConfig generates a TLS configuration for outgoing
+// requests. It will return a nil config if this configuration should
+// not use TLS for outgoing connections.
+func (c *Config) OutgoingTLSConfig() (*tls.Config, error) {
+	// If VerifyServerHostname is true, that implies VerifyOutgoing
+	if c.VerifyServerHostname {
+		c.VerifyOutgoing = true
+	}
+	if !c.VerifyOutgoing {
+		return nil, nil
+	}
+	// Create the tlsConfig
+	tlsConfig := &tls.Config{
+		RootCAs:            x509.NewCertPool(),
+		InsecureSkipVerify: true,
+	}
+	if c.ServerName != "" {
+		tlsConfig.ServerName = c.ServerName
+		tlsConfig.InsecureSkipVerify = false
+	}
+
+	// Ensure we have a CA if VerifyOutgoing is set
+	if c.VerifyOutgoing && c.CAFile == "" {
+		return nil, fmt.Errorf("VerifyOutgoing set, and no CA certificate provided!")
+	}
+
+	// Parse the CA cert if any
+	err := c.AppendCA(tlsConfig.RootCAs)
+	if err != nil {
+		return nil, err
+	}
+
+	// Add cert/key
+	cert, err := c.KeyPair()
+	if err != nil {
+		return nil, err
+	} else if cert != nil {
+		tlsConfig.Certificates = []tls.Certificate{*cert}
+	}
+
+	return tlsConfig, nil
+}
+
+// OutgoingTLSWrapper returns a a Wrapper based on the OutgoingTLS
+// configuration. If hostname verification is on, the wrapper
+// will properly generate the dynamic server name for verification.
+func (c *Config) OutgoingTLSWrapper() (Wrapper, error) {
+	// Get the TLS config
+	tlsConfig, err := c.OutgoingTLSConfig()
+	if err != nil {
+		return nil, err
+	}
+
+	// Check if TLS is not enabled
+	if tlsConfig == nil {
+		return nil, nil
+	}
+
+	wrapper := func(conn net.Conn) (net.Conn, error) {
+		return WrapTLSClient(conn, tlsConfig)
+	}
+	return wrapper, nil
+}
+
+// Wrap a net.Conn into a client tls connection, performing any
+// additional verification as needed.
+//
+// As of go 1.3, crypto/tls only supports either doing no certificate
+// verification, or doing full verification including of the peer's
+// DNS name. For consul, we want to validate that the certificate is
+// signed by a known CA, but because consul doesn't use DNS names for
+// node names, we don't verify the certificate DNS names. Since go 1.3
+// no longer supports this mode of operation, we have to do it
+// manually.
+func WrapTLSClient(conn net.Conn, tlsConfig *tls.Config) (net.Conn, error) {
+	var err error
+	var tlsConn *tls.Conn
+
+	tlsConn = tls.Client(conn, tlsConfig)
+
+	// If crypto/tls is doing verification, there's no need to do
+	// our own.
+	if tlsConfig.InsecureSkipVerify == false {
+		return tlsConn, nil
+	}
+
+	if err = tlsConn.Handshake(); err != nil {
+		tlsConn.Close()
+		return nil, err
+	}
+
+	// The following is lightly-modified from the doFullHandshake
+	// method in crypto/tls's handshake_client.go.
+	opts := x509.VerifyOptions{
+		Roots:         tlsConfig.RootCAs,
+		CurrentTime:   time.Now(),
+		DNSName:       "",
+		Intermediates: x509.NewCertPool(),
+	}
+
+	certs := tlsConn.ConnectionState().PeerCertificates
+	for i, cert := range certs {
+		if i == 0 {
+			continue
+		}
+		opts.Intermediates.AddCert(cert)
+	}
+
+	_, err = certs[0].Verify(opts)
+	if err != nil {
+		tlsConn.Close()
+		return nil, err
+	}
+
+	return tlsConn, err
+}
+
+// IncomingTLSConfig generates a TLS configuration for incoming requests
+func (c *Config) IncomingTLSConfig() (*tls.Config, error) {
+	// Create the tlsConfig
+	tlsConfig := &tls.Config{
+		ServerName: c.ServerName,
+		ClientCAs:  x509.NewCertPool(),
+		ClientAuth: tls.NoClientCert,
+	}
+
+	// Parse the CA cert if any
+	err := c.AppendCA(tlsConfig.ClientCAs)
+	if err != nil {
+		return nil, err
+	}
+
+	// Add cert/key
+	cert, err := c.KeyPair()
+	if err != nil {
+		return nil, err
+	} else if cert != nil {
+		tlsConfig.Certificates = []tls.Certificate{*cert}
+	}
+
+	// Check if we require verification
+	if c.VerifyIncoming {
+		tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
+		if c.CAFile == "" {
+			return nil, fmt.Errorf("VerifyIncoming set, and no CA certificate provided!")
+		}
+		if cert == nil {
+			return nil, fmt.Errorf("VerifyIncoming set, and no Cert/Key pair provided!")
+		}
+	}
+
+	return tlsConfig, nil
+}

helper/tlsutil/config_test.go

@@ -0,0 +1,425 @@
+package tlsutil
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"io"
+	"io/ioutil"
+	"net"
+	"testing"
+
+	"github.com/hashicorp/yamux"
+)
+
+func TestConfig_AppendCA_None(t *testing.T) {
+	conf := &Config{}
+	pool := x509.NewCertPool()
+	err := conf.AppendCA(pool)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if len(pool.Subjects()) != 0 {
+		t.Fatalf("bad: %v", pool.Subjects())
+	}
+}
+
+func TestConfig_CACertificate_Valid(t *testing.T) {
+	conf := &Config{
+		CAFile: "./test/ca/root.cer",
+	}
+	pool := x509.NewCertPool()
+	err := conf.AppendCA(pool)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if len(pool.Subjects()) == 0 {
+		t.Fatalf("expected cert")
+	}
+}
+
+func TestConfig_KeyPair_None(t *testing.T) {
+	conf := &Config{}
+	cert, err := conf.KeyPair()
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if cert != nil {
+		t.Fatalf("bad: %v", cert)
+	}
+}
+
+func TestConfig_KeyPair_Valid(t *testing.T) {
+	conf := &Config{
+		CertFile: "./test/key/ourdomain.cer",
+		KeyFile:  "./test/key/ourdomain.key",
+	}
+	cert, err := conf.KeyPair()
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if cert == nil {
+		t.Fatalf("expected cert")
+	}
+}
+
+func TestConfig_OutgoingTLS_MissingCA(t *testing.T) {
+	conf := &Config{
+		VerifyOutgoing: true,
+	}
+	tls, err := conf.OutgoingTLSConfig()
+	if err == nil {
+		t.Fatalf("expected err")
+	}
+	if tls != nil {
+		t.Fatalf("bad: %v", tls)
+	}
+}
+
+func TestConfig_OutgoingTLS_OnlyCA(t *testing.T) {
+	conf := &Config{
+		CAFile: "./test/ca/root.cer",
+	}
+	tls, err := conf.OutgoingTLSConfig()
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if tls != nil {
+		t.Fatalf("expected no config")
+	}
+}
+
+func TestConfig_OutgoingTLS_VerifyOutgoing(t *testing.T) {
+	conf := &Config{
+		VerifyOutgoing: true,
+		CAFile:         "./test/ca/root.cer",
+	}
+	tls, err := conf.OutgoingTLSConfig()
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if tls == nil {
+		t.Fatalf("expected config")
+	}
+	if len(tls.RootCAs.Subjects()) != 1 {
+		t.Fatalf("expect root cert")
+	}
+	if tls.ServerName != "" {
+		t.Fatalf("expect no server name verification")
+	}
+	if !tls.InsecureSkipVerify {
+		t.Fatalf("should skip built-in verification")
+	}
+}
+
+func TestConfig_OutgoingTLS_ServerName(t *testing.T) {
+	conf := &Config{
+		VerifyOutgoing: true,
+		CAFile:         "./test/ca/root.cer",
+		ServerName:     "consul.example.com",
+	}
+	tls, err := conf.OutgoingTLSConfig()
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if tls == nil {
+		t.Fatalf("expected config")
+	}
+	if len(tls.RootCAs.Subjects()) != 1 {
+		t.Fatalf("expect root cert")
+	}
+	if tls.ServerName != "consul.example.com" {
+		t.Fatalf("expect server name")
+	}
+	if tls.InsecureSkipVerify {
+		t.Fatalf("should not skip built-in verification")
+	}
+}
+
+func TestConfig_OutgoingTLS_VerifyHostname(t *testing.T) {
+	conf := &Config{
+		VerifyServerHostname: true,
+		CAFile:               "./test/ca/root.cer",
+		ServerName:           "foo",
+	}
+	tls, err := conf.OutgoingTLSConfig()
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if tls == nil {
+		t.Fatalf("expected config")
+	}
+	if len(tls.RootCAs.Subjects()) != 1 {
+		t.Fatalf("expect root cert")
+	}
+	if tls.ServerName != "foo" {
+		t.Fatalf("expect server name")
+	}
+	if tls.InsecureSkipVerify {
+		t.Fatalf("should not skip built-in verification")
+	}
+}
+
+func TestConfig_OutgoingTLS_WithKeyPair(t *testing.T) {
+	conf := &Config{
+		VerifyOutgoing: true,
+		CAFile:         "./test/ca/root.cer",
+		CertFile:       "./test/key/ourdomain.cer",
+		KeyFile:        "./test/key/ourdomain.key",
+	}
+	tls, err := conf.OutgoingTLSConfig()
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if tls == nil {
+		t.Fatalf("expected config")
+	}
+	if len(tls.RootCAs.Subjects()) != 1 {
+		t.Fatalf("expect root cert")
+	}
+	if !tls.InsecureSkipVerify {
+		t.Fatalf("should skip verification")
+	}
+	if len(tls.Certificates) != 1 {
+		t.Fatalf("expected client cert")
+	}
+}
+
+func startTLSServer(config *Config) (net.Conn, chan error) {
+	errc := make(chan error, 1)
+
+	tlsConfigServer, err := config.IncomingTLSConfig()
+	if err != nil {
+		errc <- err
+		return nil, errc
+	}
+
+	client, server := net.Pipe()
+
+	// Use yamux to buffer the reads, otherwise it's easy to deadlock
+	muxConf := yamux.DefaultConfig()
+	serverSession, _ := yamux.Server(server, muxConf)
+	clientSession, _ := yamux.Client(client, muxConf)
+	clientConn, _ := clientSession.Open()
+	serverConn, _ := serverSession.Accept()
+
+	go func() {
+		tlsServer := tls.Server(serverConn, tlsConfigServer)
+		if err := tlsServer.Handshake(); err != nil {
+			errc <- err
+		}
+		close(errc)
+		// Because net.Pipe() is unbuffered, if both sides
+		// Close() simultaneously, we will deadlock as they
+		// both send an alert and then block. So we make the
+		// server read any data from the client until error or
+		// EOF, which will allow the client to Close(), and
+		// *then* we Close() the server.
+		io.Copy(ioutil.Discard, tlsServer)
+		tlsServer.Close()
+	}()
+	return clientConn, errc
+}
+
+func TestConfig_outgoingWrapper_OK(t *testing.T) {
+	config := &Config{
+		CAFile:               "./test/hostname/CertAuth.crt",
+		CertFile:             "./test/hostname/Alice.crt",
+		KeyFile:              "./test/hostname/Alice.key",
+		VerifyServerHostname: true,
+		VerifyOutgoing:       true,
+		ServerName:           "server.dc1.consul",
+	}
+
+	client, errc := startTLSServer(config)
+	if client == nil {
+		t.Fatalf("startTLSServer err: %v", <-errc)
+	}
+
+	wrap, err := config.OutgoingTLSWrapper()
+	if err != nil {
+		t.Fatalf("OutgoingTLSWrapper err: %v", err)
+	}
+
+	tlsClient, err := wrap(client)
+	if err != nil {
+		t.Fatalf("wrapTLS err: %v", err)
+	}
+	defer tlsClient.Close()
+	if err := tlsClient.(*tls.Conn).Handshake(); err != nil {
+		t.Fatalf("write err: %v", err)
+	}
+
+	err = <-errc
+	if err != nil {
+		t.Fatalf("server: %v", err)
+	}
+}
+
+func TestConfig_outgoingWrapper_BadCert(t *testing.T) {
+	// TODO this test is currently hanging, need to investigate more.
+	t.SkipNow()
+	config := &Config{
+		CAFile:               "./test/ca/root.cer",
+		CertFile:             "./test/key/ourdomain.cer",
+		KeyFile:              "./test/key/ourdomain.key",
+		ServerName:           "foo",
+		VerifyServerHostname: true,
+		VerifyOutgoing:       true,
+	}
+
+	client, errc := startTLSServer(config)
+	if client == nil {
+		t.Fatalf("startTLSServer err: %v", <-errc)
+	}
+
+	wrap, err := config.OutgoingTLSWrapper()
+	if err != nil {
+		t.Fatalf("OutgoingTLSWrapper err: %v", err)
+	}
+
+	tlsClient, err := wrap(client)
+	if err != nil {
+		t.Fatalf("wrapTLS err: %v", err)
+	}
+	defer tlsClient.Close()
+	err = tlsClient.(*tls.Conn).Handshake()
+
+	if _, ok := err.(x509.HostnameError); !ok {
+		t.Fatalf("should get hostname err: %v", err)
+	}
+
+	<-errc
+}
+
+func TestConfig_wrapTLS_OK(t *testing.T) {
+	config := &Config{
+		CAFile:         "./test/ca/root.cer",
+		CertFile:       "./test/key/ourdomain.cer",
+		KeyFile:        "./test/key/ourdomain.key",
+		VerifyOutgoing: true,
+	}
+
+	client, errc := startTLSServer(config)
+	if client == nil {
+		t.Fatalf("startTLSServer err: %v", <-errc)
+	}
+
+	clientConfig, err := config.OutgoingTLSConfig()
+	if err != nil {
+		t.Fatalf("OutgoingTLSConfig err: %v", err)
+	}
+
+	tlsClient, err := WrapTLSClient(client, clientConfig)
+	if err != nil {
+		t.Fatalf("wrapTLS err: %v", err)
+	} else {
+		tlsClient.Close()
+	}
+	err = <-errc
+	if err != nil {
+		t.Fatalf("server: %v", err)
+	}
+}
+
+func TestConfig_wrapTLS_BadCert(t *testing.T) {
+	serverConfig := &Config{
+		CertFile: "./test/key/ssl-cert-snakeoil.pem",
+		KeyFile:  "./test/key/ssl-cert-snakeoil.key",
+	}
+
+	client, errc := startTLSServer(serverConfig)
+	if client == nil {
+		t.Fatalf("startTLSServer err: %v", <-errc)
+	}
+
+	clientConfig := &Config{
+		CAFile:         "./test/ca/root.cer",
+		VerifyOutgoing: true,
+	}
+
+	clientTLSConfig, err := clientConfig.OutgoingTLSConfig()
+	if err != nil {
+		t.Fatalf("OutgoingTLSConfig err: %v", err)
+	}
+
+	tlsClient, err := WrapTLSClient(client, clientTLSConfig)
+	if err == nil {
+		t.Fatalf("wrapTLS no err")
+	}
+	if tlsClient != nil {
+		t.Fatalf("returned a client")
+	}
+
+	err = <-errc
+	if err != nil {
+		t.Fatalf("server: %v", err)
+	}
+}
+
+func TestConfig_IncomingTLS(t *testing.T) {
+	conf := &Config{
+		VerifyIncoming: true,
+		CAFile:         "./test/ca/root.cer",
+		CertFile:       "./test/key/ourdomain.cer",
+		KeyFile:        "./test/key/ourdomain.key",
+	}
+	tlsC, err := conf.IncomingTLSConfig()
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if tlsC == nil {
+		t.Fatalf("expected config")
+	}
+	if len(tlsC.ClientCAs.Subjects()) != 1 {
+		t.Fatalf("expect client cert")
+	}
+	if tlsC.ClientAuth != tls.RequireAndVerifyClientCert {
+		t.Fatalf("should not skip verification")
+	}
+	if len(tlsC.Certificates) != 1 {
+		t.Fatalf("expected client cert")
+	}
+}
+
+func TestConfig_IncomingTLS_MissingCA(t *testing.T) {
+	conf := &Config{
+		VerifyIncoming: true,
+		CertFile:       "./test/key/ourdomain.cer",
+		KeyFile:        "./test/key/ourdomain.key",
+	}
+	_, err := conf.IncomingTLSConfig()
+	if err == nil {
+		t.Fatalf("expected err")
+	}
+}
+
+func TestConfig_IncomingTLS_MissingKey(t *testing.T) {
+	conf := &Config{
+		VerifyIncoming: true,
+		CAFile:         "./test/ca/root.cer",
+	}
+	_, err := conf.IncomingTLSConfig()
+	if err == nil {
+		t.Fatalf("expected err")
+	}
+}
+
+func TestConfig_IncomingTLS_NoVerify(t *testing.T) {
+	conf := &Config{}
+	tlsC, err := conf.IncomingTLSConfig()
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if tlsC == nil {
+		t.Fatalf("expected config")
+	}
+	if len(tlsC.ClientCAs.Subjects()) != 0 {
+		t.Fatalf("do not expect client cert")
+	}
+	if tlsC.ClientAuth != tls.NoClientCert {
+		t.Fatalf("should skip verification")
+	}
+	if len(tlsC.Certificates) != 0 {
+		t.Fatalf("unexpected client cert")
+	}
+}

helper/tlsutil/test/ca/certindex

@@ -0,0 +1,5 @@
+V	150407190456Z		0A	unknown	/CN=testco.internal/ST=California/C=US/emailAddress=test@testco.com/O=TestCo/OU=Beta
+V	150407194146Z		0B	unknown	/CN=testco.internal/ST=California/C=US/emailAddress=test@testco.com/O=TestCo/OU=Beta
+V	150526223338Z		0C	unknown	/CN=*.testco.internal/ST=California/C=US/emailAddress=test@testco.com/O=TestCo/OU=Beta
+V	160526220537Z		0D	unknown	/CN=test.internal/ST=CA/C=US/emailAddress=test@internal.com/O=HashiCorp Test Cert/OU=Dev
+V	170604185910Z		0E	unknown	/CN=testco.internal/ST=California/C=US/emailAddress=test@testco.com/O=Hashicorp Test Cert/OU=Beta

helper/tlsutil/test/ca/myca.conf

@@ -0,0 +1,34 @@
+[ ca ]
+default_ca = myca
+
+[ crl_ext ]
+# issuerAltName=issuer:copy  #this would copy the issuer name to altname
+authorityKeyIdentifier=keyid:always
+
+[ myca ]
+new_certs_dir = /tmp
+unique_subject = no
+certificate = root.cer
+database = certindex
+private_key = privkey.pem
+serial = serialfile
+default_days = 365
+default_md = sha1
+policy = myca_policy
+x509_extensions = myca_extensions
+
+[ myca_policy ]
+commonName = supplied
+stateOrProvinceName = supplied
+countryName = supplied
+emailAddress = optional
+organizationName = supplied
+organizationalUnitName = optional
+
+[ myca_extensions ]
+basicConstraints = CA:false
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always
+keyUsage = digitalSignature,keyEncipherment
+extendedKeyUsage = serverAuth,clientAuth
+crlDistributionPoints = URI:http://path.to.crl/myca.crl

helper/tlsutil/test/ca/privkey.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAxrs6JK4NpiOItxrpNR/1ppUUmH7p2BgLCBZ6eHdclle9J56i
+68adt8J85zaqphCfz6VDP58DsFx+N50PZyjQaDsUd0HejRqfHRMtg2O+UQkv4Z66
++Vo+gc6uGuANi2xMtSYDVTAqqzF48OOPQDgYkzcGxcFZzTRFFZt2vPnyHj8cHcaF
+o/NMNVh7C3yTXevRGNm9u2mrbxCEeiHzFC2WUnvgU2jQuC7Fhnl33Zd3B6d3mQH6
+O23ncmwxTcPUJe6xZaIRrDuzwUcyhLj5Z3faag/fpFIIcHSiHRfoqHLGsGg+3swI
+d/zVJSSDHr7pJUu7Cre+vZa63FqDaooqvnisrQIDAQABAoIBABreo6zj76p/8XM4
+a0GokZE1ZPR9bGawUYWFbIevM9CMCmI5+7M/RoHbBQJKDOapJsJviNkoSdpllxcz
+4CpFhXAiVNEPEeUoLU1EE4pJSSkxwcySppsiTYNFi5rMomgwe2qeuiKhgZNl/AEt
+82dubjwxW3QPgXHSWGjkfTht3wOhrczA8xyEjc9Bsad2ooA9IQk+VXYlPZXyXjs1
+WwLYHmcSfveauLliLXeVU2Ux5PPwyreKMhyAfSHVQCycxK008u8WPy8nkAlpxKMC
+UwCN+JKl69WCCA3CxXgM83zz4pXvB4EyMr8aTiqmOID8RIIrPcjCmVJki6KbJ9WG
+S2CQVG0CgYEA5kVACrnjLtov426ZNifF2zUXu9x//7D6GkbJxzZLwXP/BJFcEOdQ
+Fnjcs3s7wYh/wdTnEcQVWSJSAqnRt98c9yAXVnG5z1M0DYpAsY8xrdhEitxOf2oB
+2cbvi4+cvUuUxk1hgva18UCT23aLP+iY2+t/ydBXAZ9kq1zz5CcpEBMCgYEA3O/R
+g1Y9O36XxBmSYnkoCF5yGrPunnKKNBJc/WA7pTkQFYHr64Y/h5EKubzHD/VEd1Li
+nDuGYxVMewf+5pHUhqSdpZtTxv25hjOsqLf5o5wm18JThGifs2zEVCTJOPti5n2M
+RHakxuq1I625/QHidLBTQYuEBS/vywhapfaSaD8CgYEAhd1OPK4R30PiQRIjqXL3
+t9ampISsOKXWz33FgbUT1zOq1in23rDKQzYh/4ktlPXYZ4NwjUhzrKyiBoBYtc7T
+1OpoBs34Wgmhohl0QIThOZIXTq6CR9oFl2fqDDUBxp3wsFN905e+77A+BIBmtVFv
+w7GlSVp/qibSbDiOZF1LptcCgYB8sJBi+jnmqOSIVRJLpysTxhHJxkDmhahACRkY
+Gsau0cylBsUaEJMsNIyEFOmXtQml+k5QdDu9EdkvGm0evbDfKGqce1RF2w5okiNg
+uSwXzVoSrOartMxk2/7VqkkycpX3lWWjgf4vEWmXsEVmaDjhOF5UgKPKtao0wQs/
+3S/1ywKBgAIGgOuvL/GBcGqLikHLC+cputMvBAuE/tJnFHPxFoobskocVsMKbDTy
+NYF7uPlzSGGClZsjE6DQyyGf5E9/U+EdwDKZwHYGCkzVjplUBo0BT3EN0vcc9jB/
+ML9Ta4ETPyf66BhSVcD+eeNipPFAul0Q7uZhErH1zr1evTy8XXyI
+-----END RSA PRIVATE KEY-----

helper/tlsutil/test/ca/root.cer

@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIEtzCCA5+gAwIBAgIJAIewRMI8OnvTMA0GCSqGSIb3DQEBBQUAMIGYMQswCQYD
+VQQGEwJVUzELMAkGA1UECBMCQ0ExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28xHDAa
+BgNVBAoTE0hhc2hpQ29ycCBUZXN0IENlcnQxDDAKBgNVBAsTA0RldjEWMBQGA1UE
+AxMNdGVzdC5pbnRlcm5hbDEgMB4GCSqGSIb3DQEJARYRdGVzdEBpbnRlcm5hbC5j
+b20wHhcNMTQwNDA3MTkwMTA4WhcNMjQwNDA0MTkwMTA4WjCBmDELMAkGA1UEBhMC
+VVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRwwGgYDVQQK
+ExNIYXNoaUNvcnAgVGVzdCBDZXJ0MQwwCgYDVQQLEwNEZXYxFjAUBgNVBAMTDXRl
+c3QuaW50ZXJuYWwxIDAeBgkqhkiG9w0BCQEWEXRlc3RAaW50ZXJuYWwuY29tMIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxrs6JK4NpiOItxrpNR/1ppUU
+mH7p2BgLCBZ6eHdclle9J56i68adt8J85zaqphCfz6VDP58DsFx+N50PZyjQaDsU
+d0HejRqfHRMtg2O+UQkv4Z66+Vo+gc6uGuANi2xMtSYDVTAqqzF48OOPQDgYkzcG
+xcFZzTRFFZt2vPnyHj8cHcaFo/NMNVh7C3yTXevRGNm9u2mrbxCEeiHzFC2WUnvg
+U2jQuC7Fhnl33Zd3B6d3mQH6O23ncmwxTcPUJe6xZaIRrDuzwUcyhLj5Z3faag/f
+pFIIcHSiHRfoqHLGsGg+3swId/zVJSSDHr7pJUu7Cre+vZa63FqDaooqvnisrQID
+AQABo4IBADCB/TAdBgNVHQ4EFgQUo/nrOfqvbee2VklVKIFlyQEbuJUwgc0GA1Ud
+IwSBxTCBwoAUo/nrOfqvbee2VklVKIFlyQEbuJWhgZ6kgZswgZgxCzAJBgNVBAYT
+AlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEcMBoGA1UE
+ChMTSGFzaGlDb3JwIFRlc3QgQ2VydDEMMAoGA1UECxMDRGV2MRYwFAYDVQQDEw10
+ZXN0LmludGVybmFsMSAwHgYJKoZIhvcNAQkBFhF0ZXN0QGludGVybmFsLmNvbYIJ
+AIewRMI8OnvTMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBADa9fV9h
+gjapBlkNmu64WX0Ufub5dsJrdHS8672P30S7ILB7Mk0W8sL65IezRsZnG898yHf9
+2uzmz5OvNTM9K380g7xFlyobSVq+6yqmmSAlA/ptAcIIZT727P5jig/DB7fzJM3g
+jctDlEGOmEe50GQXc25VKpcpjAsNQi5ER5gowQ0v3IXNZs+yU+LvxLHc0rUJ/XSp
+lFCAMOqd5uRoMOejnT51G6krvLNzPaQ3N9jQfNVY4Q0zfs0M+6dRWvqfqB9Vyq8/
+POLMld+HyAZEBk9zK3ZVIXx6XS4dkDnSNR91njLq7eouf6M7+7s/oMQZZRtAfQ6r
+wlW975rYa1ZqEdA=
+-----END CERTIFICATE-----

helper/tlsutil/test/ca/serialfile

@@ -0,0 +1 @@
+0F

helper/tlsutil/test/hostname/Alice.crt

@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEOzCCAiWgAwIBAgIRAOpEyvnjEG/Z15f0PrOT7iowCwYJKoZIhvcNAQELMBMx
+ETAPBgNVBAMTCENlcnRBdXRoMB4XDTE1MDUxMTIyNTMxN1oXDTE3MDUxMTIyNTMx
+OFowEDEOMAwGA1UEAxMFQWxpY2UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQCyxmMV9V0Cdp2mAXxL6h64cWLQlKsumsQfhZNImea8jLYT7+yyLpeHIF4G
+7JiushloTnERyTi1wbq9BlU3BVYdX6tqvPXFFwFUXyOkDaSGS3vMCZUYd9PZg0TI
+pyQK0/6+jSU7x7jDGVUMhJyvmXB9CgKxG0S8WiR6uGB9oWrTeDnXAzN1T4wNE4M+
+a3P1ToT2k2IDklZ1t5gg6u9EiOAzK7QfpKXrO2MsGyGHhm+tQqNP6LuZv0u2nGW3
+up+i3beQOvLQV0aeiy7zfR3KkIUCvDnmiPnkm35o6wmqFOXTNIU6VoT/l4WtU85F
+Ikdtk1gkDLO1iyKiMRbj/hlRqKGxAgMBAAGjgZAwgY0wDgYDVR0PAQH/BAQDAgC4
+MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQUgt2Os881
+V/je/BOaLavjeorhbi4wHwYDVR0jBBgwFoAUB2s4Gdz7ornOiti84HF+W+nwAj8w
+HAYDVR0RBBUwE4IRc2VydmVyLmRjMS5jb25zdWwwCwYJKoZIhvcNAQELA4ICAQCX
+Thsbgo1Z5maIyvBJOKX5vQifaSF8kRtX9fZvipvzHCjYxvOHfaTvgtWyxHXCc3tK
+DyBswsc2MeHiZ5g0KG113lwLrhcSwEsg5yo0eB7tOTQp1rmCiF6DQYs1XyOqD7P8
+S6clMgJWgpM8Ltw5mYALqDpShv1ND3AOJqENj/0tvdP7Y7cilG+s76HFXRcwKTRw
+4rVP+Wr+t4WdXeS8cGxboQqGc40L3HNd5cxsbIM1kucfdrPBljWmyM9aiO1Nipm2
+8dyyir8AFnvoGQ6DPi58jVCCbqosL/GXtVk+IgJ+8eE5T8jvhxBovzxArSSVYIaj
+ZxYi85ixfLr1DC5mg5CWWB8ZzmjaUwfyQAcL/F3Q11CkqHw1VDoDzvTBWbguBu6X
+xXexlgOQx4/lr8X1pjbbAZktNTOYDt4dTuhrKPU35zW35wTnSBoPrQ3cpGlRcszE
+IksZSHi41IQd0zUOGCNZYpPFq8mTwu5ECGHfNvWDH7zEuSkO54tS5Dukxqd8VIQl
+h9GB2Uyel8tFm4s/Dx9+glKyvsXDJQz3JmFaB2wPyAPZ1KL4GFI5R0LjUVSFJapP
+TO3Ia24naOu3qYXWQK6jGwaCbTT6tdhgNy8EI0aDmv2AgqOXycutMJXF5UqkDmwY
+ZqpVdf/TrmBy42pk/C0vpqiy6E4N7WllxhiY2AekkA==
+-----END CERTIFICATE-----

helper/tlsutil/test/hostname/Alice.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAssZjFfVdAnadpgF8S+oeuHFi0JSrLprEH4WTSJnmvIy2E+/s
+si6XhyBeBuyYrrIZaE5xEck4tcG6vQZVNwVWHV+rarz1xRcBVF8jpA2khkt7zAmV
+GHfT2YNEyKckCtP+vo0lO8e4wxlVDIScr5lwfQoCsRtEvFokerhgfaFq03g51wMz
+dU+MDRODPmtz9U6E9pNiA5JWdbeYIOrvRIjgMyu0H6Sl6ztjLBshh4ZvrUKjT+i7
+mb9Ltpxlt7qfot23kDry0FdGnosu830dypCFArw55oj55Jt+aOsJqhTl0zSFOlaE
+/5eFrVPORSJHbZNYJAyztYsiojEW4/4ZUaihsQIDAQABAoIBAF3C9szZdwKHu38J
+YGtgSuRpc235yx4SRbJSmECHlyBknEowl2+MSCSysR3okNtuxSyTl3HAm2GYTZw9
+6guFXPji6EB/AldwDV5213Z/QT698Bu/GtdOYWm/EyA5qQmUzhKabGDCCwEoFBcQ
+piziyMCLs4W3y4ENtfw3H0REmIZ3s0XQRzuDdFCEMbr0Ij6EhP3hSD6es4PWTeHY
+LSwoXm0WAxyZudJLhWZaBRxvl+TDY7nVV1jRPQ+ojMJjXfyPo+c2hbbS6luj++qH
+6qO7fEpr8EXhO8/0/bPUi0ozE1LVy1kXtEwfszesU9r5XeBq7yTCIa7TTJ35Niwf
+T7Ar9NECgYEA0L77+B/3dtedhsMdyiHpcxV6A77OIHsezh8uJzE+nQEgqvJ88N1W
+BbF7YByYmaP1/dBrPI7ON52AnDOyo2lM7fVOwr7Ch12tpoa5HFb2WndKt6KokXi/
+Tk8+zoCCZICCv1mtfIaepRTmxAeyqaFthchAv1nc7ojS1BWeXMLa9usCgYEA2z6N
+YD8wV44d/qIMaSDVJlusyp8pi9l0ddB591KOYHhJ5RRF1qEd0pshj9sW6pcGGJqf
+XFHAkEr/ZIACJK65Y+AFcbgzhyqX8Vy9LLYzWtpFP4SpjH19pYDTHaXvWsIjBlNG
+poxtGYCQ8Uedm8IhtrbUorElQVjPlmRGU14B2tMCgYAPQCTAd/VoZVBI7DBc+CVK
+FyOW6nW8wcH6ZSTGED720YJFevnNzx3dxJ2y4+PyNZxfMr7i6bv/LC6dOtmuPp80
+M1vRtoYXxaxOIkGb5G6TJWv8BpIyLpQrcHayN4lPNmRW/oJCOsOUY/aIE9fltLl/
+sKWqVTJi6vQcMogjVskQiQKBgHcH7f+sLtXKTdSaLDzDW5X4vcZARXEs/YKdTiqN
+wsjzZcMej5AoZyWZnc4Zd8ajeebPw+d+Zxqv7RqmOQOrbPGhhbMo+6jN4jJjVD27
+KgSQbno+z0J8O0QovfXhyiKvNg7QFZKEuRLYb1jftd0DuAQYHTe7D2v8CLAw/tFy
+P3WLAoGABcEQEDUWqxfFFCed4mYSoOHvD44YMIzeMMOHXRnGGWug0WkULxzUV1L4
+fTFPCqo6xsn/F3i7xRFpIWXlOzjZKHvw16ZpeZBNcdPjyk7XifhafJYLuknRe1fZ
+lzLjhmvizTpd9GQIUS+39aGwGE9JI3H0NAdNA4pvEdKlPhJnG5U=
+-----END RSA PRIVATE KEY-----

helper/tlsutil/test/hostname/CertAuth.crt

@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIFADCCAuqgAwIBAgIBATALBgkqhkiG9w0BAQswEzERMA8GA1UEAxMIQ2VydEF1
+dGgwHhcNMTUwNTExMjI0NjQzWhcNMjUwNTExMjI0NjU0WjATMREwDwYDVQQDEwhD
+ZXJ0QXV0aDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALcMByyynHsA
++K4PJwo5+XHygaEZAhPGvHiKQK2Cbc9NDm0ZTzx0rA/dRTZlvouhDyzcJHm+6R1F
+j6zQv7iaSC3qQtJiPnPsfZ+/0XhFZ3fQWMnfDiGbZpF1kJF01ofB6vnsuocFC0zG
+aGC+SZiLAzs+QMP3Bebw1elCBIeoN+8NWnRYmLsYIaYGJGBSbNo/lCpLTuinofUn
+L3ehWEGv1INwpHnSVeN0Ml2GFe23d7PUlj/wNIHgUdpUR+KEJxIP3klwtsI3QpSH
+c4VjWdf4aIcka6K3IFuw+K0PUh3xAAPnMpAQOtCZk0AhF5rlvUbevC6jADxpKxLp
+OONmvCTer4LtyNURAoBH52vbK0r/DNcTpPEFV0IP66nXUFgkk0mRKsu8HTb4IOkC
+X3K4mp18EiWUUtrHZAnNct0iIniDBqKK0yhSNhztG6VakVt/1WdQY9Ey3mNtxN1O
+thqWFKdpKUzPKYC3P6PfVpiE7+VbWTLLXba+8BPe8BxWPsVkjJqGSGnCte4COusz
+M8/7bbTgifwJfsepwFtZG53tvwjWlO46Exl30VoDNTaIGvs1fO0GqJlh2A7FN5F2
+S1rS5VYHtPK8QdmUSvyq+7JDBc1HNT5I2zsIQbNcLwDTZ5EsbU6QR7NHDJKxjv/w
+bs3eTXJSSNcFD74wRU10pXjgE5wOFu9TAgMBAAGjYzBhMA4GA1UdDwEB/wQEAwIA
+BjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQHazgZ3Puiuc6K2LzgcX5b6fAC
+PzAfBgNVHSMEGDAWgBQHazgZ3Puiuc6K2LzgcX5b6fACPzALBgkqhkiG9w0BAQsD
+ggIBAEmeNrSUhpHg1I8dtfqu9hCU/6IZThjtcFA+QcPkkMa+Z1k0SOtsgW8MdlcA
+gCf5g5yQZ0DdpWM9nDB6xDIhQdccm91idHgf8wmpEHUj0an4uyn2ESCt8eqrAWf7
+AClYORCASTYfguJCxcfvwtI1uqaOeCxSOdmFay79UVitVsWeonbCRGsVgBDifJxw
+G2oCQqoYAmXPM4J6syk5GHhB1O9MMq+g1+hOx9s+XHyTui9FL4V+IUO1ygVqEQB5
+PSiRBvcIsajSGVao+vK0gf2XfcXzqr3y3NhBky9rFMp1g+ykb2yWekV4WiROJlCj
+TsWwWZDRyjiGahDbho/XW8JciouHZhJdjhmO31rqW3HdFviCTdXMiGk3GQIzz/Jg
+P+enOaHXoY9lcxzDvY9z1BysWBgNvNrMnVge/fLP9o+a0a0PRIIVl8T0Ef3zeg1O
+CLCSy/1Vae5Tx63ZTFvGFdOSusYkG9rlAUHXZE364JRCKzM9Bz0bM+t+LaO0MaEb
+YoxcXEPU+gB2IvmARpInN3oHexR6ekuYHVTRGdWrdmuHFzc7eFwygRqTFdoCCU+G
+QZEkd+lOEyv0zvQqYg+Jp0AEGz2B2zB53uBVECtn0EqrSdPtRzUBSByXVs6QhSXn
+eVmy+z3U3MecP63X6oSPXekqSyZFuegXpNNuHkjNoL4ep2ix
+-----END CERTIFICATE-----

helper/tlsutil/test/key/ourdomain.cer

@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDwzCCAqugAwIBAgIBDjANBgkqhkiG9w0BAQUFADCBmDELMAkGA1UEBhMCVVMx
+CzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRwwGgYDVQQKExNI
+YXNoaUNvcnAgVGVzdCBDZXJ0MQwwCgYDVQQLEwNEZXYxFjAUBgNVBAMTDXRlc3Qu
+aW50ZXJuYWwxIDAeBgkqhkiG9w0BCQEWEXRlc3RAaW50ZXJuYWwuY29tMB4XDTE2
+MDYwNDE4NTkxMFoXDTE3MDYwNDE4NTkxMFowgYkxGDAWBgNVBAMTD3Rlc3Rjby5p
+bnRlcm5hbDETMBEGA1UECBMKQ2FsaWZvcm5pYTELMAkGA1UEBhMCVVMxHjAcBgkq
+hkiG9w0BCQEWD3Rlc3RAdGVzdGNvLmNvbTEcMBoGA1UEChMTSGFzaGljb3JwIFRl
+c3QgQ2VydDENMAsGA1UECxMEQmV0YTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
+gYEAzNCiwaIhJ26tqXzmwB+oJzstp41X8ygpsywCOzEuHgD+Dck2CLOhlJHmqO3b
+sHfv87g3HtdJaF1tO1PQqdHxpJS3vyogUuP8iy6rHgkGtExWgsRxILtbpfzyG1Rt
+TgO4pg7uOlCe1p5oDNnHj1YTgmhtRpB0x054DdSvjKVHY5UCAwEAAaOBqDCBpTAJ
+BgNVHRMEAjAAMB0GA1UdDgQWBBTHULSXbpeHHFM+lq/HYq8m38a00TAfBgNVHSME
+GDAWgBSj+es5+q9t57ZWSVUogWXJARu4lTALBgNVHQ8EBAMCBaAwHQYDVR0lBBYw
+FAYIKwYBBQUHAwEGCCsGAQUFBwMCMCwGA1UdHwQlMCMwIaAfoB2GG2h0dHA6Ly9w
+YXRoLnRvLmNybC9teWNhLmNybDANBgkqhkiG9w0BAQUFAAOCAQEAjJKtWTVyFk7u
+WGQlXHRBgt0/qWjnHzVOXcVJxaL1uuddhY1mOsmHxuvbM5SqfvnyRf1Dbvmm4y+E
+8hNn9lESmQKRiq1XX2H0/K8AXfNIglqLCB+Fx5GgLJ8jboDsuJsq7SxYHVj4NIOY
+9gf83cwxpxAV9JuR9izBIs7afP75MvjjuveLgIpyNzbdCt9/71WQY3Wt0epYRWLD
+DGeP4zEBR6KMu3vILWX3kRlpvX1OcfqvcRpzpNRDmpzzMwOHQBtBp3/7lf43yGLg
+ZxWuUzWCN5RXZZHhsSNqlplXjcyCEyAPTxiE0hbAKhAJeWjadnUJ88SC41bGjDor
+FU3JVe6aqw==
+-----END CERTIFICATE-----

helper/tlsutil/test/key/ourdomain.csr

@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIB4DCCAUkCAQAwgZ8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh
+MRQwEgYDVQQHEwtMb3MgQW5nZWxlczEcMBoGA1UEChMTSGFzaGljb3JwIFRlc3Qg
+Q2VydDENMAsGA1UECxMEQmV0YTEYMBYGA1UEAxMPdGVzdGNvLmludGVybmFsMR4w
+HAYJKoZIhvcNAQkBFg90ZXN0QHRlc3Rjby5jb20wgZ8wDQYJKoZIhvcNAQEBBQAD
+gY0AMIGJAoGBAMzQosGiISdural85sAfqCc7LaeNV/MoKbMsAjsxLh4A/g3JNgiz
+oZSR5qjt27B37/O4Nx7XSWhdbTtT0KnR8aSUt78qIFLj/Isuqx4JBrRMVoLEcSC7
+W6X88htUbU4DuKYO7jpQntaeaAzZx49WE4JobUaQdMdOeA3Ur4ylR2OVAgMBAAGg
+ADANBgkqhkiG9w0BAQUFAAOBgQBvz0CFO6td/cc6MzyWXNgfiYqdvDvq9JoEvROS
+CG6ZsOAJc15ePw9px4wYK2fQZQVZkSWl0vpIZNnIWAdQboAKAQmfnE6CPHc+5ePJ
+LxFIL2vG/4UYnKdbR2dxSpNxyfF59tXwVDS6qeietaZz596F2D3cBwBflxJcK2nD
+JkTOOA==
+-----END CERTIFICATE REQUEST-----

helper/tlsutil/test/key/ourdomain.key

@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQDM0KLBoiEnbq2pfObAH6gnOy2njVfzKCmzLAI7MS4eAP4NyTYI
+s6GUkeao7duwd+/zuDce10loXW07U9Cp0fGklLe/KiBS4/yLLqseCQa0TFaCxHEg
+u1ul/PIbVG1OA7imDu46UJ7WnmgM2cePVhOCaG1GkHTHTngN1K+MpUdjlQIDAQAB
+AoGAJY4oGdtRuvpHa6mUYiwr2C24vF1lgBegNdNfAV2OOEA0VXDMsKHHggeSxO0A
+eIY1gHoJ2WTed/2RluxSeaEebpwNp1e2V+JpJRVAF+PNBGng1WMIlK81vC6zZspm
+AKe9O3XQZmIGKw1YyTOmYERAImjAarP0sKRAjkdfRTHEEcECQQD1W6ZtCJQvdDC/
+GKKEOUzIB8l/hUAQSHc0pEhctLWU1VnFGfhFFRnUr2FFrbnF5gvvz8GdQtEXXuzX
+9NSlnrblAkEA1bLQNwRz77ZQoMHme/E13ITDoBl+YUWZVN7+n0DkUgu6JdRsmYh6
+nAIcoAS0CjxyNoPssDshdjyLcMxuT27+8QJAYCYEN+IOv/HWUGyE8y/JKPH0Qmaj
+Tj43iIeAW+Ps7GAXB6g/pEK6lqALjFSh4i1eLCHMC6Ztba0jPxWQZz6lCQJBAJfD
+oQmhmPChyssQSa62FGlixEecM1vDgOx8XdodzMjT2URqgyHagjDvcwLVtEMcwIQk
+1uAlblM5FlJqbODu1BECQQC71WumyTo9/9Z9QR67WRd0yE1JHs3HUUvzw4JFNkRs
+n0Tu7GZHDdzLaSodtC47tPJfYkdJwxBr20+RSCzF3VZF
+-----END RSA PRIVATE KEY-----

helper/tlsutil/test/key/ssl-cert-snakeoil.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDYVw5skn/3Ka72
+32ZaCrKtRVoQzan3tghq41KpQe3yZxIZbKy7sbwfdXnXVSwTAbq/3BYi9rya2t/v
+W95yZh6JgfrLBvWl9Jo1EttZIxDhzCXGP+MPWm2KdNtHr84JznJbdxRpR0Jb4ykK
+2d9dXbLJvCw8eEDFgOVGrj60USMir46sZFRvGWlMi+yHSOE+WQXaU40Dr0ZJqNvd
+RNO9BtqpLaecZQaYTvlkyVdhjUE3+gQ0zEAQqpLcWi+zB5/IyR2+KwxDT3vAJumd
+G7rIaGatPE8k0Ahb+zMKFFGYCoQ3sjbAbrQmrVtH4SU6ggl+CxpVdxshrK1W05Ms
+WAiPw81/AgMBAAECggEAKjDIKlpjxGMHsTOeNV8yu2H0D6TcSefhOl885q9p5UU+
+nWC5Sx19b7EsYtdEcix7LCGS25y86YJX+8kx16OcvvpvW5ru2z+Zt1IHHxocl7yF
+fWVGNd9Pz5m8jf12NClj2fyeKW3xPhROE8Srr/yu+nLNObnF//6EOEWRCv9r176C
++dzYvYVNPP48Ug7NpjQB94CBprtJyqvuoXvBPtpARXazVniYEhnzG1Gaj1TiCII5
++emaMjKcWIEJ5stbBb3lUtqgm8bRNb/qcxoFfqTzHP+hbum9hbRz0KEIlAkm7uAv
+S0TlyLuaj+gPQ+LwNX8EhGKUdlK/VM5bj2kq/tg3AQKBgQD/+A8ruHNa5nKGKNzP
+dp+hXiL2sSzefMjDa2+sRJ0yftIMqYRfCJwzYumjfyycfCsu1LHainlQjSO6Kkgc
+c0xVxnahWyPCQiqZuo9lLx4EVXCdRqWRg+pbyQhTSz90hfWEKD7XWsI8uRkOEnW8
+36FiyovGDFxl0esaKrFNSFdmgQKBgQDYXcSIRJk41f7vL6FVmchpUnVYoD75k9YT
+FqEplNMw6gXcqbC2aNH5wj7EJlRboyVpjXV4N0d2Cz6AwREJpr/rYpq68AixXmVs
+kTKwevoHm/tln7CN+CyIEy6KXdLp4KoWLFfSG6tHWRwIGFxWEGrrIZS6Eznu4GPe
+V2yOnMkz/wKBgC6nXtSALP5PbGZJgl2J6HR3/PVru5rdsZX0ugjzBJfUh6JpL0hH
+AHlZOO5k2pO3CgPiHnyPqqbk4rMmy7frx+kGYE7ulqjseGlGmKY/nT/69qij3L+W
+BJwwGwVbfLhXRjWNRE7qKub4cbmf4bfIJtkjw7AYRqsERM6jI2fLnKqBAoGAUBzY
+CkSsHxlNXa7bI+DfDfBUNs6OwsZ0e3jjj4vlbrUYGo5SOhgxtzKvHt26Wnvb/Gs+
+VZbSROkA6ZeTAWnWogdOl20NKu9yynIwvJusPGkK+qPYMZj0lCXWE7GNyL9A+xjM
+I6XPE4nxESZD+jH2BL3YXdWEm+hF0iu4rE1tSm0CgYEAxssvvX7qcfTmxsp1YSHJ
+H5j9ifkakci5W2VbCbdMtdOlgIlCFr2JYguaL98jx7WIJ4iH54ue/fbOdlkPCOsz
+YGU4TceSRHeEJ7F6c67NOXm8j2TquAW2uYH87w07g2PIUwl/pp439qoDiThA6jEX
+2ztyXgNUi7poqehPUoQuvC0=
+-----END PRIVATE KEY-----

helper/tlsutil/test/key/ssl-cert-snakeoil.pem

@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICsjCCAZqgAwIBAgIJAMi7aUCplU3VMA0GCSqGSIb3DQEBBQUAMBExDzANBgNV
+BAMTBnVidW50dTAeFw0xMjEyMDIwNDQ3MzBaFw0yMjExMzAwNDQ3MzBaMBExDzAN
+BgNVBAMTBnVidW50dTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANhX
+DmySf/cprvbfZloKsq1FWhDNqfe2CGrjUqlB7fJnEhlsrLuxvB91eddVLBMBur/c
+FiL2vJra3+9b3nJmHomB+ssG9aX0mjUS21kjEOHMJcY/4w9abYp020evzgnOclt3
+FGlHQlvjKQrZ311dssm8LDx4QMWA5UauPrRRIyKvjqxkVG8ZaUyL7IdI4T5ZBdpT
+jQOvRkmo291E070G2qktp5xlBphO+WTJV2GNQTf6BDTMQBCqktxaL7MHn8jJHb4r
+DENPe8Am6Z0bushoZq08TyTQCFv7MwoUUZgKhDeyNsButCatW0fhJTqCCX4LGlV3
+GyGsrVbTkyxYCI/DzX8CAwEAAaMNMAswCQYDVR0TBAIwADANBgkqhkiG9w0BAQUF
+AAOCAQEAQaS5yAih5NBV2edX1wkIQfAUElqmzoXvxsozDYy+P+S5tJeFXDSqzTAy
+qkd/6qjkBdaARfKUJZeT/jRjqxoNtE9SR4PMOnD4zrqD26ujgZRVtPImbmVxCnMI
+1B9LwvhpDHZuPGN5bPp3o+iDYea8zkS3Y31Ic889KSwKBDb1LlNogOdved+2DGd1
+yCxEErImbl4B0+QPrRk2bWbDfKhDfJ2FV+9kWIoEuCQBpr2tj1E5zvTadOVm5P2M
+u7kjGl4w0GIAONiMC9l2TwMmPuG1jpM/WjQkG0sTKOCl7xQKgXBNJ78Wm2bfGtgb
+shr/PNbS/EyISlUa07+zJtiRnr/EiQ==
+-----END CERTIFICATE-----

helper/tlsutil/test/notes.txt

@@ -0,0 +1 @@
+Instructions from https://langui.sh/2009/01/18/openssl-self-signed-ca/

nomad/config.go

@@ -9,6 +9,7 @@ import (
 	"time"
 
 	"github.com/hashicorp/memberlist"
+	"github.com/hashicorp/nomad/helper/tlsutil"
 	"github.com/hashicorp/nomad/nomad/structs"
 	"github.com/hashicorp/nomad/nomad/structs/config"
 	"github.com/hashicorp/nomad/scheduler"
@@ -191,6 +192,9 @@ type Config struct {
 	// This period is meant to be long enough for a leader election to take
 	// place, and a small jitter is applied to avoid a thundering herd.
 	RPCHoldTimeout time.Duration
+
+	// TLSConfig holds various TLS related configurations
+	TLSConfig *config.TLSConfig
 }
 
 // CheckVersion is used to check if the ProtocolVersion is valid
@@ -263,3 +267,17 @@ func DefaultConfig() *Config {
 	c.RaftConfig.ShutdownOnRemove = false
 	return c
 }
+
+// tlsConfig returns a TLSUtil Config based on the server configuration
+func (c *Config) tlsConfig() *tlsutil.Config {
+	tlsConf := &tlsutil.Config{
+		VerifyIncoming:       true,
+		VerifyOutgoing:       true,
+		VerifyServerHostname: c.TLSConfig.VerifyServerHostname,
+		CAFile:               c.TLSConfig.CAFile,
+		CertFile:             c.TLSConfig.CertFile,
+		KeyFile:              c.TLSConfig.KeyFile,
+		ServerName:           c.NodeName,
+	}
+	return tlsConf
+}

nomad/pool.go

@@ -10,8 +10,8 @@ import (
 	"sync/atomic"
 	"time"
 
-	"github.com/hashicorp/consul/tlsutil"
 	"github.com/hashicorp/net-rpc-msgpackrpc"
+	"github.com/hashicorp/nomad/helper/tlsutil"
 	"github.com/hashicorp/yamux"
 )
 
@@ -129,7 +129,7 @@ type ConnPool struct {
 	limiter map[string]chan struct{}
 
 	// TLS wrapper
-	tlsWrap tlsutil.DCWrapper
+	tlsWrap tlsutil.Wrapper
 
 	// Used to indicate the pool is shutdown
 	shutdown   bool
@@ -141,7 +141,7 @@ type ConnPool struct {
 // Set maxTime to 0 to disable reaping. maxStreams is used to control
 // the number of idle streams allowed.
 // If TLS settings are provided outgoing connections use TLS.
-func NewPool(logOutput io.Writer, maxTime time.Duration, maxStreams int, tlsWrap tlsutil.DCWrapper) *ConnPool {
+func NewPool(logOutput io.Writer, maxTime time.Duration, maxStreams int, tlsWrap tlsutil.Wrapper) *ConnPool {
 	pool := &ConnPool{
 		logOutput:  logOutput,
 		maxTime:    maxTime,
@@ -261,7 +261,7 @@ func (p *ConnPool) getNewConn(region string, addr net.Addr, version int) (*Conn,
 		}
 
 		// Wrap the connection in a TLS client
-		tlsConn, err := p.tlsWrap(region, conn)
+		tlsConn, err := p.tlsWrap(conn)
 		if err != nil {
 			conn.Close()
 			return nil, err

nomad/raft_rpc.go

@@ -6,7 +6,7 @@ import (
 	"sync"
 	"time"
 
-	"github.com/hashicorp/consul/tlsutil"
+	"github.com/hashicorp/nomad/helper/tlsutil"
 )
 
 // RaftLayer implements the raft.StreamLayer interface,

nomad/server.go

@@ -18,9 +18,9 @@ import (
 
 	consulapi "github.com/hashicorp/consul/api"
 	"github.com/hashicorp/consul/lib"
-	"github.com/hashicorp/consul/tlsutil"
 	"github.com/hashicorp/go-multierror"
 	"github.com/hashicorp/nomad/command/agent/consul"
+	"github.com/hashicorp/nomad/helper/tlsutil"
 	"github.com/hashicorp/nomad/nomad/state"
 	"github.com/hashicorp/nomad/nomad/structs"
 	"github.com/hashicorp/raft"
@@ -187,11 +187,29 @@ func NewServer(config *Config, consulSyncer *consul.Syncer, logger *log.Logger)
 		return nil, err
 	}
 
+	// Configure TLS
+	var tlsWrap tlsutil.Wrapper
+	var incomingTLS *tls.Config
+	if config.TLSConfig.EnableRPC {
+		tlsConf := config.tlsConfig()
+		tw, err := tlsConf.OutgoingTLSWrapper()
+		if err != nil {
+			return nil, err
+		}
+		tlsWrap = tw
+
+		itls, err := tlsConf.IncomingTLSConfig()
+		if err != nil {
+			return nil, err
+		}
+		incomingTLS = itls
+	}
+
 	// Create the server
 	s := &Server{
 		config:       config,
 		consulSyncer: consulSyncer,
-		connPool:     NewPool(config.LogOutput, serverRPCCache, serverMaxStreams, nil),
+		connPool:     NewPool(config.LogOutput, serverRPCCache, serverMaxStreams, tlsWrap),
 		logger:       logger,
 		rpcServer:    rpc.NewServer(),
 		peers:        make(map[string][]*serverParts),
@@ -201,6 +219,7 @@ func NewServer(config *Config, consulSyncer *consul.Syncer, logger *log.Logger)
 		evalBroker:   evalBroker,
 		blockedEvals: blockedEvals,
 		planQueue:    planQueue,
+		rpcTLS:       incomingTLS,
 		shutdownCh:   make(chan struct{}),
 	}
 
@@ -215,8 +234,7 @@ func NewServer(config *Config, consulSyncer *consul.Syncer, logger *log.Logger)
 	}
 
 	// Initialize the RPC layer
-	// TODO: TLS...
+	if err := s.setupRPC(tlsWrap); err != nil {
-	if err := s.setupRPC(nil); err != nil {
 		s.Shutdown()
 		s.logger.Printf("[ERR] nomad: failed to start RPC layer: %s", err)
 		return nil, fmt.Errorf("Failed to start RPC layer: %v", err)
@@ -576,7 +594,7 @@ func (s *Server) setupVaultClient() error {
 }
 
 // setupRPC is used to setup the RPC listener
-func (s *Server) setupRPC(tlsWrap tlsutil.DCWrapper) error {
+func (s *Server) setupRPC(tlsWrap tlsutil.Wrapper) error {
 	// Create endpoints
 	s.endpoints.Status = &Status{s}
 	s.endpoints.Node = &Node{srv: s}
@@ -622,11 +640,7 @@ func (s *Server) setupRPC(tlsWrap tlsutil.DCWrapper) error {
 		return fmt.Errorf("RPC advertise address is not advertisable: %v", addr)
 	}
 
-	// Provide a DC specific wrapper. Raft replication is only
+	s.raftLayer = NewRaftLayer(s.rpcAdvertise, tlsWrap)
-	// ever done in the same datacenter, so we can provide it as a constant.
-	// wrapper := tlsutil.SpecificDC(s.config.Datacenter, tlsWrap)
-	// TODO: TLS...
-	s.raftLayer = NewRaftLayer(s.rpcAdvertise, nil)
 	return nil
 }
 

nomad/structs/config/tls.go

@@ -0,0 +1,57 @@
+package config
+
+// TLSConfig provides TLS related configuration
+type TLSConfig struct {
+
+	// EnableHTTP enabled TLS for http traffic to the Nomad server and clients
+	EnableHTTP bool `mapstructure:"http"`
+
+	// EnableRPC enables TLS for RPC and Raft traffic to the Nomad servers
+	EnableRPC bool `mapstructure:"rpc"`
+
+	// VerifyServerHostname is used to enable hostname verification of servers. This
+	// ensures that the certificate presented is valid for server.<datacenter>.<domain>.
+	// This prevents a compromised client from being restarted as a server, and then
+	// intercepting request traffic as well as being added as a raft peer. This should be
+	// enabled by default with VerifyOutgoing, but for legacy reasons we cannot break
+	// existing clients.
+	VerifyServerHostname bool `mapstructure:"verify_server_hostname"`
+
+	// CAFile is a path to a certificate authority file. This is used with VerifyIncoming
+	// or VerifyOutgoing to verify the TLS connection.
+	CAFile string `mapstructure:"ca_file"`
+
+	// CertFile is used to provide a TLS certificate that is used for serving TLS connections.
+	// Must be provided to serve TLS connections.
+	CertFile string `mapstructure:"cert_file"`
+
+	// KeyFile is used to provide a TLS key that is used for serving TLS connections.
+	// Must be provided to serve TLS connections.
+	KeyFile string `mapstructure:"key_file"`
+}
+
+// Merge is used to merge two TLS configs together
+func (t *TLSConfig) Merge(b *TLSConfig) *TLSConfig {
+	result := *t
+
+	if b.EnableHTTP {
+		result.EnableHTTP = true
+	}
+	if b.EnableRPC {
+		result.EnableRPC = true
+	}
+	if b.VerifyServerHostname {
+		result.VerifyServerHostname = true
+	}
+	if b.CAFile != "" {
+		result.CAFile = b.CAFile
+	}
+	if b.CertFile != "" {
+		result.CertFile = b.CertFile
+	}
+	if b.KeyFile != "" {
+		result.KeyFile = b.KeyFile
+	}
+
+	return &result
+}