pkg/transport: fix HTTPS downgrade bug for keepalive listener

If TLS config is empty, etcd downgrades keepalive listener from HTTPS to HTTP without warning. This results in HTTPS downgrade bug for client urls. The commit returns error if it cannot listen on TLS.
2024-09-27 06:25:44 +00:00 · 2015-07-14 12:18:15 -07:00 · 2015-07-14 12:18:15 -07:00 · 6317abf7e4
commit 6317abf7e4
parent 43437e21f9
2 changed files with 12 additions and 1 deletions
--- a/pkg/transport/keepalive_listener.go
+++ b/pkg/transport/keepalive_listener.go
@ -16,6 +16,7 @@ package transport

 import (
 	"crypto/tls"
+	"fmt"
 	"net"
 	"time"
 )
@ -28,7 +29,10 @@ func NewKeepAliveListener(addr string, scheme string, info TLSInfo) (net.Listene
 		return nil, err
 	}

-	if !info.Empty() && scheme == "https" {
+	if scheme == "https" {
+		if info.Empty() {
+			return nil, fmt.Errorf("cannot listen on TLS for %s: KeyFile and CertFile are not presented", scheme+"://"+addr)
+		}
 		cfg, err := info.ServerConfig()
 		if err != nil {
 			return nil, err
--- a/pkg/transport/keepalive_listener_test.go
+++ b/pkg/transport/keepalive_listener_test.go
@ -62,3 +62,10 @@ func TestNewKeepAliveListener(t *testing.T) {
 	conn.Close()
 	tlsln.Close()
 }
+
+func TestNewKeepAliveListenerTLSEmptyInfo(t *testing.T) {
+	_, err := NewListener("127.0.0.1:0", "https", TLSInfo{})
+	if err == nil {
+		t.Errorf("err = nil, want not presented error")
+	}
+}