From 8058ab039f9a7e23575fc68007788383530fec1e Mon Sep 17 00:00:00 2001 From: Alex Dadgar Date: Wed, 10 Jan 2018 16:11:36 -0800 Subject: [PATCH] Store the whole verified certificate chain --- nomad/rpc.go | 19 ++++++------------- 1 file changed, 6 insertions(+), 13 deletions(-) diff --git a/nomad/rpc.go b/nomad/rpc.go index db1e7693c..41f664301 100644 --- a/nomad/rpc.go +++ b/nomad/rpc.go @@ -3,6 +3,7 @@ package nomad import ( "context" "crypto/tls" + "crypto/x509" "fmt" "io" "math/rand" @@ -66,11 +67,9 @@ type RPCContext struct { // TLS marks whether the RPC is over a TLS based connection TLS bool - // TLSRole is the certificate role making the TLS connection. - TLSRole string - - // TLSRegion is the region on the certificate making the TLS connection - TLSRegion string + // VerifiedChains is is the Verified certificates presented by the incoming + // connection. + VerifiedChains [][]*x509.Certificate // NodeID marks the NodeID that initiated the connection. NodeID string @@ -188,15 +187,9 @@ func (s *Server) handleConn(ctx context.Context, conn net.Conn, rpcCtx *RPCConte // using TLS rpcCtx.TLS = true - // Parse the region and role from the TLS certificate + // Store the verified chains so they can be inspected later. state := tlsConn.ConnectionState() - parts := strings.SplitN(state.ServerName, ".", 3) - if len(parts) != 3 || (parts[0] != "server" && parts[0] != "client") || parts[2] != "nomad" { - s.logger.Printf("[WARN] nomad.rpc: invalid server name %q on verified TLS connection", state.ServerName) - } else { - rpcCtx.TLSRole = parts[0] - rpcCtx.TLSRegion = parts[1] - } + rpcCtx.VerifiedChains = state.VerifiedChains s.handleConn(ctx, conn, rpcCtx)