From 0fa6d385749efc6fa4a0fb75ed6d5f97bb0665b8 Mon Sep 17 00:00:00 2001
From: Brandon Philips
Date: Fri, 31 Jan 2014 16:56:15 -0800
Subject: [PATCH] fix(server): fix client certificate verification
In d0c4916fe9b2afaa273a2a7bc9782321a866ab9f the TLS CA Certificate verification broke. This was bisected using the following basic test:
```
./bin/etcd -f -name machine0 -data-dir machine0 -ca-file=/tmp/ca/ca.crt -cert-file=/tmp/ca/server.crt -key-file=/tmp/ca/server.key.insecure
```
And in another window doing
```
curl --key /tmp/ca/server2.key.insecure --cert /tmp/ca/server2.crt -k -L https://127.0.0.1:4001/v2/keys/foo -XPUT -d value=bar -v
```
Before merging this PR there are a few things that need to be fixed up:
1) Tests for client certs both positive and negative
2) Refactor (or at least documentation of) the TLSConfig types
---
 etcd.go | 4 ++--
 server/listener.go | 8 ++++++--
 2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/etcd.go b/etcd.go
index dc373fff3..c37f75776 100644
--- a/etcd.go
+++ b/etcd.go
@@ -135,7 +135,7 @@ func main() {
 
 	var psListener net.Listener
 	if psConfig.Scheme == "https" {
-		psListener, err = server.NewTLSListener(info.RaftListenHost, info.RaftTLS.CertFile, info.RaftTLS.KeyFile)
+		psListener, err = server.NewTLSListener(&tlsConfig.Server, info.RaftListenHost, info.RaftTLS.CertFile, info.RaftTLS.KeyFile)
 	} else {
 		psListener, err = server.NewListener(info.RaftListenHost)
 	}
@@ -165,7 +165,7 @@ func main() {
 
 	var sListener net.Listener
 	if tlsConfig.Scheme == "https" {
-		sListener, err = server.NewTLSListener(info.EtcdListenHost, info.EtcdTLS.CertFile, info.EtcdTLS.KeyFile)
+		sListener, err = server.NewTLSListener(&tlsConfig.Server, info.EtcdListenHost, info.EtcdTLS.CertFile, info.EtcdTLS.KeyFile)
 	} else {
 		sListener, err = server.NewListener(info.EtcdListenHost)
 	}
diff --git a/server/listener.go b/server/listener.go
index dd3cfa9e1..f007f0cb3 100644
--- a/server/listener.go
+++ b/server/listener.go
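Review bot: The peer listener in the first etcd.go hunk is gated on `psConfig.Scheme` yet is handed `&tlsConfig.Server`, the very same config the client-facing listener in the second hunk receives, so if psConfig carries its own TLS settings (a peer CA pool or client-auth mode) they are never applied to the Raft listener and peer certificates would be verified under the client-facing policy instead. Both listeners also share one mutable `tls.Config` by pointer, and NewTLSListener writes into it (`config.NextProtos = ...` in the server/listener.go hunk), so state it sets up for one listener — presumably including the cert/key it is given — is visible to the other; passing the peer-side counterpart of `tlsConfig.Server` for psListener if one exists, or a per-listener copy (`cfg := tlsConfig.Server` then `&cfg`), would keep the two trust domains separate. The enclosing `main` starts and ends outside both hunks.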
@@ -16,11 +16,15 @@ func NewListener(addr string) (net.Listener, error) {
 	return l, nil
 }
 
-func NewTLSListener(addr, certFile, keyFile string) (net.Listener, error) {
+func NewTLSListener(config *tls.Config, addr, certFile, keyFile string) (net.Listener, error) {
 	if addr == "" {
 		addr = ":https"
 	}
-	config := &tls.Config{}
+
+	if config == nil {
+		config = &tls.Config{}
+	}
+
 	config.NextProtos = []string{"http/1.1"}
 	var err error