Merge pull request #2587 from weargoggles/patch-1

Verification options for TLS

command/agent/config-test-fixtures/basic.hcl

@@ -138,4 +138,5 @@ tls {
     ca_file = "foo"
     cert_file = "bar"
     key_file = "pipe"
+    verify_https_client = true
 }

command/agent/config_parse.go

@@ -689,6 +689,7 @@ func parseTLSConfig(result **config.TLSConfig, list *ast.ObjectList) error {
 		"ca_file",
 		"cert_file",
 		"key_file",
+		"verify_https_client",
 	}
 
 	if err := checkHCLKeys(listVal, valid); err != nil {

command/agent/config_parse_test.go

@@ -154,6 +154,7 @@ func TestConfig_Parse(t *testing.T) {
 					CAFile:               "foo",
 					CertFile:             "bar",
 					KeyFile:              "pipe",
+					VerifyHTTPSClient:    true,
 				},
 				HTTPAPIResponseHeaders: map[string]string{
 					"Access-Control-Allow-Origin": "*",

command/agent/http.go

@@ -65,7 +65,7 @@ func NewHTTPServer(agent *Agent, config *Config) (*HTTPServer, error) {
 	// If TLS is enabled, wrap the listener with a TLS listener
 	if config.TLSConfig.EnableHTTP {
 		tlsConf := &tlsutil.Config{
-			VerifyIncoming:       false,
+			VerifyIncoming:       config.TLSConfig.VerifyHTTPSClient,
 			VerifyOutgoing:       true,
 			VerifyServerHostname: config.TLSConfig.VerifyServerHostname,
 			CAFile:               config.TLSConfig.CAFile,

nomad/structs/config/tls.go

@@ -28,6 +28,9 @@ type TLSConfig struct {
 	// KeyFile is used to provide a TLS key that is used for serving TLS connections.
 	// Must be provided to serve TLS connections.
 	KeyFile string `mapstructure:"key_file"`
+
+	// Verify connections to the HTTPS API
+	VerifyHTTPSClient bool `mapstructure:"verify_https_client"`
 }
 
 // Merge is used to merge two TLS configs together
@@ -52,6 +55,8 @@ func (t *TLSConfig) Merge(b *TLSConfig) *TLSConfig {
 	if b.KeyFile != "" {
 		result.KeyFile = b.KeyFile
 	}
-
+	if b.VerifyHTTPSClient {
+		result.VerifyHTTPSClient = true
+	}
 	return &result
 }