pkg/transport: Improved description of flag peer-skip-client-san-verification

2024-09-27 06:25:44 +00:00 · 2019-06-11 17:28:01 +02:00 · 2019-06-11 17:28:01 +02:00 · 03fd396610
commit 03fd396610
parent 2f476f2b5a
3 changed files with 21 additions and 21 deletions
--- a/etcdmain/config.go
+++ b/etcdmain/config.go
@ -213,7 +213,7 @@ func newConfig() *config {
 	fs.StringVar(&cfg.ec.PeerTLSInfo.AllowedCN, "peer-cert-allowed-cn", "", "Allowed CN for inter peer authentication.")
 	fs.StringVar(&cfg.ec.PeerTLSInfo.AllowedHostname, "peer-cert-allowed-hostname", "", "Allowed TLS hostname for inter peer authentication.")
 	fs.Var(flags.NewStringsValue(""), "cipher-suites", "Comma-separated list of supported TLS cipher suites between client/server and peers (empty will be auto-populated by Go).")
-	fs.BoolVar(&cfg.ec.PeerTLSInfo.SkipClientVerify, "peer-skip-client-verify", false, "Skip client IP verification for peer connections.")
+	fs.BoolVar(&cfg.ec.PeerTLSInfo.SkipClientSANVerify, "peer-skip-client-san-verification", false, "Skip verification of SAN field in client certificate for peer connections.")

 	fs.Var(
 		flags.NewUniqueURLsWithExceptions("*", "*"),
--- a/pkg/transport/listener.go
+++ b/pkg/transport/listener.go
@ -56,20 +56,20 @@ func wrapTLS(scheme string, tlsinfo *TLSInfo, l net.Listener) (net.Listener, err
 	if scheme != "https" && scheme != "unixs" {
 		return l, nil
 	}
-	if tlsinfo != nil && tlsinfo.SkipClientVerify {
+	if tlsinfo != nil && tlsinfo.SkipClientSANVerify {
 		return NewTLSListener(l, tlsinfo)
 	}
 	return newTLSListener(l, tlsinfo, checkSAN)
 }

 type TLSInfo struct {
-	CertFile           string
-	KeyFile            string
-	TrustedCAFile      string
-	ClientCertAuth     bool
-	CRLFile            string
-	InsecureSkipVerify bool
-	SkipClientVerify   bool
+	CertFile            string
+	KeyFile             string
+	TrustedCAFile       string
+	ClientCertAuth      bool
+	CRLFile             string
+	InsecureSkipVerify  bool
+	SkipClientSANVerify bool

 	// ServerName ensures the cert matches the given host in case of discovery / virtual hosting
 	ServerName string
--- a/pkg/transport/listener_test.go
+++ b/pkg/transport/listener_test.go
@ -78,18 +78,18 @@ func testNewListenerTLSInfoAccept(t *testing.T, tlsInfo TLSInfo) {
 	}
 	defer conn.Close()
 	if _, ok := conn.(*tls.Conn); !ok {
-		t.Errorf("failed to accept *tls.Conn")
+		t.Error("failed to accept *tls.Conn")
 	}
 }

-// TestNewListenerTLSInfoSkipClientVerify tests that if client IP address mismatches
+// TestNewListenerTLSInfoSkipClientSANVerify tests that if client IP address mismatches
 // with specified address in its certificate the connection is still accepted
-// if the flag SkipClientVerify is set (i.e. checkSAN() is disabled for the client side)
-func TestNewListenerTLSInfoSkipClientVerify(t *testing.T) {
+// if the flag SkipClientSANVerify is set (i.e. checkSAN() is disabled for the client side)
+func TestNewListenerTLSInfoSkipClientSANVerify(t *testing.T) {
 	tests := []struct {
-		skipClientVerify bool
-		goodClientHost   bool
-		acceptExpected   bool
+		skipClientSANVerify bool
+		goodClientHost      bool
+		acceptExpected      bool
 	}{
 		{false, true, true},
 		{false, false, false},
@ -97,11 +97,11 @@ func TestNewListenerTLSInfoSkipClientVerify(t *testing.T) {
 		{true, false, true},
 	}
 	for _, test := range tests {
-		testNewListenerTLSInfoClientCheck(t, test.skipClientVerify, test.goodClientHost, test.acceptExpected)
+		testNewListenerTLSInfoClientCheck(t, test.skipClientSANVerify, test.goodClientHost, test.acceptExpected)
 	}
 }

-func testNewListenerTLSInfoClientCheck(t *testing.T, skipClientVerify, goodClientHost, acceptExpected bool) {
+func testNewListenerTLSInfoClientCheck(t *testing.T, skipClientSANVerify, goodClientHost, acceptExpected bool) {
 	tlsInfo, del, err := createSelfCert()
 	if err != nil {
 		t.Fatalf("unable to create cert: %v", err)
@ -118,7 +118,7 @@ func testNewListenerTLSInfoClientCheck(t *testing.T, skipClientVerify, goodClien
 	}
 	defer del2()

-	tlsInfo.SkipClientVerify = skipClientVerify
+	tlsInfo.SkipClientSANVerify = skipClientSANVerify
 	tlsInfo.TrustedCAFile = clientTLSInfo.CertFile

 	rootCAs := x509.NewCertPool()
@ -166,7 +166,7 @@ func testNewListenerTLSInfoClientCheck(t *testing.T, skipClientVerify, goodClien
 	select {
 	case <-chClientErr:
 		if acceptExpected {
-			t.Errorf("accepted for good client address: skipClientVerify=%t, goodClientHost=%t", skipClientVerify, goodClientHost)
+			t.Errorf("accepted for good client address: skipClientSANVerify=%t, goodClientHost=%t", skipClientSANVerify, goodClientHost)
 		}
 	case acceptErr := <-chAcceptErr:
 		t.Fatalf("unexpected Accept error: %v", acceptErr)
@ -176,7 +176,7 @@ func testNewListenerTLSInfoClientCheck(t *testing.T, skipClientVerify, goodClien
 			t.Errorf("failed to accept *tls.Conn")
 		}
 		if !acceptExpected {
-			t.Errorf("accepted for bad client address: skipClientVerify=%t, goodClientHost=%t", skipClientVerify, goodClientHost)
+			t.Errorf("accepted for bad client address: skipClientSANVerify=%t, goodClientHost=%t", skipClientSANVerify, goodClientHost)
 		}
 	}
 }