From 87d16af2e2292eb57d5c154e7d838f5ffee79536 Mon Sep 17 00:00:00 2001
From: Anthony Romano
Date: Fri, 16 Jun 2017 19:04:57 -0700
Subject: [PATCH] embed: use transport TLS listener for client listener for CRLs

---
 embed/etcd.go  |  7 +------
 embed/serve.go | 13 ++++++++++---
 2 files changed, 11 insertions(+), 9 deletions(-)

diff --git a/embed/etcd.go b/embed/etcd.go
index b8e170f06..67ee665a5 100644
--- a/embed/etcd.go
+++ b/embed/etcd.go
@@ -16,7 +16,6 @@ package embed
 
 import (
 	"context"
-	"crypto/tls"
 	"fmt"
 	"io/ioutil"
 	defaultLog "log"
@@ -365,12 +364,8 @@ func startClientListeners(cfg *Config) (sctxs map[string]*serveCtx, err error) {
 }
 
 func (e *Etcd) serve() (err error) {
-	var ctlscfg *tls.Config
 	if !e.cfg.ClientTLSInfo.Empty() {
 		plog.Infof("ClientTLS: %s", e.cfg.ClientTLSInfo)
-		if ctlscfg, err = e.cfg.ClientTLSInfo.ServerConfig(); err != nil {
-			return err
-		}
 	}
 
 	if e.cfg.CorsInfo.String() != "" {
@@ -394,7 +389,7 @@ func (e *Etcd) serve() (err error) {
 	}
 	for _, sctx := range e.sctxs {
 		go func(s *serveCtx) {
-			e.errHandler(s.serve(e.Server, ctlscfg, v2h, e.errHandler))
+			e.errHandler(s.serve(e.Server, &e.cfg.ClientTLSInfo, v2h, e.errHandler))
 		}(sctx)
 	}
 	return nil
diff --git a/embed/serve.go b/embed/serve.go
index a70fa307a..616673fcc 100644
--- a/embed/serve.go
+++ b/embed/serve.go
@@ -15,7 +15,6 @@ package embed
 
 import (
-	"crypto/tls"
 	"io/ioutil"
 	defaultLog "log"
 	"net"
@@ -33,6 +32,7 @@ import (
 	"github.com/coreos/etcd/etcdserver/api/v3rpc"
 	etcdservergw "github.com/coreos/etcd/etcdserver/etcdserverpb/gw"
 	"github.com/coreos/etcd/pkg/debugutil"
+	"github.com/coreos/etcd/pkg/transport"
 
 	"github.com/cockroachdb/cmux"
 	gw "github.com/grpc-ecosystem/grpc-gateway/runtime"
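Review bot: Dropping the eager `ServerConfig()` call in `Etcd.serve()` (hunk `@@ -365,12 +364,8 @@`) changes when a broken client TLS configuration is reported: it used to fail `serve()` synchronously, but now (per the `sctx.secure` hunk in serve.go) the error is returned from `serveCtx.serve` inside the per-listener goroutine, after `ReadyNotify`, and goes to `e.errHandler` instead of to the caller of `serve()`. A node with an unreadable cert, key or CRL file will therefore report ready and then fail asynchronously, which is harder for callers, tests and supervisors to catch. Keeping a validation-only call here, `if _, err = e.cfg.ClientTLSInfo.ServerConfig(); err != nil { return err }`, preserves the fail-fast behavior without reintroducing the `crypto/tls` import; the same consideration applies to the call-site hunk at `@@ -394,7 +389,7 @@`. The body of `serve()` continues outside the hunk.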
@@ -65,7 +65,7 @@ func newServeCtx() *serveCtx {
 // serve accepts incoming connections on the listener l,
 // creating a new service goroutine for each. The service goroutines
 // read requests and then call handler to reply to them.
-func (sctx *serveCtx) serve(s *etcdserver.EtcdServer, tlscfg *tls.Config, handler http.Handler, errHandler func(error)) error {
+func (sctx *serveCtx) serve(s *etcdserver.EtcdServer, tlsinfo *transport.TLSInfo, handler http.Handler, errHandler func(error)) error {
 	logger := defaultLog.New(ioutil.Discard, "etcdhttp", 0)
 	<-s.ReadyNotify()
 	plog.Info("ready to serve client requests")
@@ -106,6 +106,10 @@ func (sctx *serveCtx) serve(s *etcdserver.EtcdServer, tlscfg *tls.Config, handle
 	}
 
 	if sctx.secure {
+		tlscfg, tlsErr := tlsinfo.ServerConfig()
+		if tlsErr != nil {
+			return tlsErr
+		}
 		gs := v3rpc.Server(s, tlscfg)
 		sctx.grpcServerC <- gs
 		v3electionpb.RegisterElectionServer(gs, servElection)
@@ -125,7 +129,10 @@ func (sctx *serveCtx) serve(s *etcdserver.EtcdServer, tlscfg *tls.Config, handle
 		return err
 	}
 
-	tlsl := tls.NewListener(m.Match(cmux.Any()), tlscfg)
+	tlsl, lerr := transport.NewTLSListener(m.Match(cmux.Any()), tlsinfo)
+	if lerr != nil {
+		return lerr
+	}
 	// TODO: add debug flag; enable logging when debug flag is set
 	httpmux := sctx.createMux(gwmux, handler)
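Review bot: The doc comment kept above the rewritten signature still says the method accepts connections "on the listener l", a parameter that does not exist, and says nothing about the new `tlsinfo` argument. Since the signature line is already being changed, the comment should be refreshed, for example `// serve accepts incoming connections on the context's listener, creating a new service goroutine for each; when sctx.secure is set, tlsinfo supplies the TLS material (certificate, key and, per the commit subject, CRL) used to terminate client connections.` The body of `serve` continues outside the hunk.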
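Review bot: `tlsinfo.ServerConfig()` is now called unconditionally under `if sctx.secure`, whereas the removed code in etcd.go only built a config when `!ClientTLSInfo.Empty()` and otherwise passed `nil`; if a listener can be secure while `ClientTLSInfo` is empty, this turns a nil config into whatever `ServerConfig()` does with empty cert and key paths, most likely a file-open error surfaced through `errHandler` — worth confirming, or guarding with `tlsinfo.Empty()` before the call. Note also that `gs` is still created from a plain `*tls.Config`, so the CRL enforcement this commit is after (per the subject) only applies to connections that reach the gRPC server through the `transport.NewTLSListener` added in the next hunk; if `gs` is ever served directly on another listener, that path would not see the CRL check. The rest of `serve`, including where `gs` is served, is outside the hunk.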