require and verify client certs, add clien CAs from /etc/grid-security

dmwm · Oct 27, 2022 · 8297f4c · 8297f4c
1 parent 7c50521
commit 8297f4c
Showing 1 changed file with 10 additions and 8 deletions.
diff --git a/utils.go b/utils.go
@@ -201,24 +201,26 @@ func getServer(serverCrt, serverKey string, customVerify bool) (*http.Server, er
 
 	}
 	// if we do not require custom verification we'll load server crt/key and present to client
-	if customVerify == false {
+	if customVerify == false { // oauth server
 		//         cert, err := tls.LoadX509KeyPair(serverCrt, serverKey)
 		tlsConfig = &tls.Config{
 			MinVersion:   uint16(minVer),
 			MaxVersion:   uint16(maxVer),
 			RootCAs:      _rootCAs,
 			Certificates: []tls.Certificate{cert},
 		}
-	} else { // otherwise we'll perform custom verification of client's certificates
+	} else { // otherwise (x509 server) we'll perform custom verification of client's certificates
 		tlsConfig = &tls.Config{
 			// Set InsecureSkipVerify to skip the default validation we are
 			// replacing. This will not disable VerifyPeerCertificate.
-			MinVersion:         uint16(minVer),
-			MaxVersion:         uint16(maxVer),
-			InsecureSkipVerify: Config.InsecureSkipVerify,
-			ClientAuth:         tls.RequestClientCert,
-			RootCAs:            _rootCAs,
-			Certificates:       []tls.Certificate{cert},
+			MinVersion: uint16(minVer),
+			MaxVersion: uint16(maxVer),
+			//             InsecureSkipVerify: Config.InsecureSkipVerify,
+			//             ClientAuth:   tls.RequestClientCert,
+			ClientAuth:   tls.RequireAndVerifyClientCert,
+			ClientCAs:    _rootCAs, // this comes from /etc/grid-security/certificate
+			RootCAs:      _rootCAs,
+			Certificates: []tls.Certificate{cert},
 		}
 		tlsConfig.VerifyPeerCertificate = VerifyPeerCertificate
 	}