From b906f22fe910de2d7d14c9bf444b7e5a29328422 Mon Sep 17 00:00:00 2001
From: "Robert M. Thomson"
Date: Wed, 24 Feb 2016 16:50:10 +0100
Subject: [PATCH] Add VAULT_TLS_SERVER_NAME environment variable

If specified, verify a specific server name during TLS negotiation rather than the server name in the URL.
---
 api/client.go | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/api/client.go b/api/client.go
index 16e6f62800cd..9746d2ac7cbb 100644
--- a/api/client.go
+++ b/api/client.go
@@ -25,6 +25,7 @@ const EnvVaultCAPath = "VAULT_CAPATH"
 const EnvVaultClientCert = "VAULT_CLIENT_CERT"
 const EnvVaultClientKey = "VAULT_CLIENT_KEY"
 const EnvVaultInsecure = "VAULT_SKIP_VERIFY"
+const EnvVaultTLSServerName = "VAULT_TLS_SERVER_NAME"
 
 var (
 	errRedirect = errors.New("redirect")
@@ -81,6 +82,7 @@ func (c *Config) ReadEnvironment() error {
 	var envClientKey string
 	var envInsecure bool
 	var foundInsecure bool
+	var envTLSServerName string
 
 	var newCertPool *x509.CertPool
 	var clientCert tls.Certificate
@@ -109,6 +111,9 @@ func (c *Config) ReadEnvironment() error {
 		}
 		foundInsecure = true
 	}
+	if v := os.Getenv(EnvVaultTLSServerName); v != "" {
+		envTLSServerName = v
+	}
 
 	// If we need custom TLS configuration, then set it
 	if envCACert != "" || envCAPath != "" || envClientCert != "" || envClientKey != "" || envInsecure {
 		var err error
@@ -146,6 +151,9 @@ func (c *Config) ReadEnvironment() error {
 	if foundClientCert {
 		clientTLSConfig.Certificates = []tls.Certificate{clientCert}
 	}
+	if envTLSServerName != "" {
+		clientTLSConfig.ServerName = envTLSServerName
+	}
 
 	return nil
 }
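Review bot: The new `clientTLSConfig.ServerName = envTLSServerName` assignment in the last hunk does more than the commit message says: in crypto/tls, `tls.Config.ServerName` is also the name sent in the SNI extension, so VAULT_TLS_SERVER_NAME can change which certificate a virtual-hosting server presents, and it has no verification effect at all when `InsecureSkipVerify` is set (VAULT_SKIP_VERIFY=true, handled just above this hunk per the `foundInsecure` logic). Neither effect is recorded in the code, and since this knob relaxes hostname matching to an operator-chosen name it belongs next to VAULT_SKIP_VERIFY in any list of settings that weaken verification when misconfigured. I would add above the new `if`: `// Override the hostname checked against the server certificate (also sent as SNI).` followed by `// Has no verification effect when InsecureSkipVerify is true.` Assuming the `return nil` at the end of the hunk is ReadEnvironment's own return, the assignment runs regardless of the earlier custom-TLS branch, which is the right placement; the rest of ReadEnvironment lies outside the hunk.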