Add option to disable client certificate requesting. (#3373)

Fixes #3372
2017-09-25 14:41:46 -04:00 · 2017-09-25 14:41:46 -04:00 · 17a15cd594
parent 29911bfea8
commit 17a15cd594
5 changed files with 64 additions and 15 deletions
--- a/command/server/config.go
+++ b/command/server/config.go
@ -707,6 +707,7 @@ func parseListeners(result *Config, list *ast.ObjectList) error {
 			"tls_cipher_suites",
 			"tls_prefer_server_cipher_suites",
 			"tls_require_and_verify_client_cert",
+			"tls_disable_client_certs",
 			"tls_client_ca_file",
 			"token",
 		}
--- a/command/server/config_test.go
+++ b/command/server/config_test.go
@ -270,6 +270,7 @@ listener "tcp" {
 	tls_client_ca_file = "./certs/rootca.crt"
 	tls_min_version = "tls12"
 	tls_require_and_verify_client_cert = true
+	tls_disable_client_certs = true
 }`))

 	var config Config
@ -298,6 +299,7 @@ listener "tcp" {
 					"tls_client_ca_file":                 "./certs/rootca.crt",
 					"tls_min_version":                    "tls12",
 					"tls_require_and_verify_client_cert": true,
+					"tls_disable_client_certs":           true,
 				},
 			},
 		},
--- a/command/server/listener.go
+++ b/command/server/listener.go
@ -130,12 +130,14 @@ func listenerWrapTLS(
 		}
 		tlsConf.PreferServerCipherSuites = preferServer
 	}
+	var requireVerifyCerts bool
+	var err error
 	if v, ok := config["tls_require_and_verify_client_cert"]; ok {
-		requireClient, err := parseutil.ParseBool(v)
+		requireVerifyCerts, err = parseutil.ParseBool(v)
 		if err != nil {
 			return nil, nil, nil, fmt.Errorf("invalid value for 'tls_require_and_verify_client_cert': %v", err)
 		}
-		if requireClient {
+		if requireVerifyCerts {
 			tlsConf.ClientAuth = tls.RequireAndVerifyClientCert
 		}
 		if tlsClientCaFile, ok := config["tls_client_ca_file"]; ok {
@ -151,6 +153,16 @@ func listenerWrapTLS(
 			tlsConf.ClientCAs = caPool
 		}
 	}
+	if v, ok := config["tls_disable_client_certs"]; ok {
+		disableClientCerts, err := parseutil.ParseBool(v)
+		if err != nil {
+			return nil, nil, nil, fmt.Errorf("invalid value for 'tls_disable_client_certs': %v", err)
+		}
+		if disableClientCerts && requireVerifyCerts {
+			return nil, nil, nil, fmt.Errorf("'tls_disable_client_certs' and 'tls_require_and_verify_client_cert' are mutually exclusive")
+		}
+		tlsConf.ClientAuth = tls.NoClientCert
+	}

 	ln = tls.NewListener(ln, tlsConf)
 	props["tls"] = "enabled"
--- a/command/server/listener_tcp_test.go
+++ b/command/server/listener_tcp_test.go
@ -64,11 +64,15 @@ func TestTCPListener_tls(t *testing.T) {
 		cwd+"/test-fixtures/reload/reload_foo.pem",
 		cwd+"/test-fixtures/reload/reload_foo.key")

-	connFn := func(lnReal net.Listener) (net.Conn, error) {
-		conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
+	connFn := func(clientCerts bool) func(net.Listener) (net.Conn, error) {
+		return func(lnReal net.Listener) (net.Conn, error) {
+			conf := &tls.Config{
 				RootCAs: certPool,
-			Certificates: []tls.Certificate{clientCert},
-		})
+			}
+			if clientCerts {
+				conf.Certificates = []tls.Certificate{clientCert}
+			}
+			conn, err := tls.Dial("tcp", ln.Addr().String(), conf)

 			if err != nil {
 				return nil, err
@ -78,6 +82,32 @@ func TestTCPListener_tls(t *testing.T) {
 			}
 			return conn, nil
 		}
+	}

-	testListenerImpl(t, ln, connFn, "foo.example.com")
+	testListenerImpl(t, ln, connFn(true), "foo.example.com")
+
+	ln, _, _, err = tcpListenerFactory(map[string]interface{}{
+		"address":                            "127.0.0.1:0",
+		"tls_cert_file":                      wd + "reload_foo.pem",
+		"tls_key_file":                       wd + "reload_foo.key",
+		"tls_require_and_verify_client_cert": "true",
+		"tls_disable_client_certs":           "true",
+		"tls_client_ca_file":                 wd + "reload_ca.pem",
+	}, nil)
+	if err == nil {
+		t.Fatal("expected error due to mutually exclusive client cert options")
+	}
+
+	ln, _, _, err = tcpListenerFactory(map[string]interface{}{
+		"address":                  "127.0.0.1:0",
+		"tls_cert_file":            wd + "reload_foo.pem",
+		"tls_key_file":             wd + "reload_foo.key",
+		"tls_disable_client_certs": "true",
+		"tls_client_ca_file":       wd + "reload_ca.pem",
+	}, nil)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+
+	testListenerImpl(t, ln, connFn(false), "foo.example.com")
 }
--- a/website/source/docs/configuration/listener/tcp.html.md
+++ b/website/source/docs/configuration/listener/tcp.html.md
@ -74,6 +74,10 @@ listener "tcp" {
 - `tls_client_ca_file` `(string: "")` – PEM-encoded Certificate Authority file
  used for checking the authenticity of client.

+- `tls_disable_client_certs` `(string: "false")` – Turns off client
+  authentication for this listener. The default behavior (when this is false)
+  is for Vault to request client certificates when available.
+
 ## `tcp` Listener Examples

 ### Configuring TLS