[FAB-8246] Make orderer mutual TLS conf consistent

Jason Yellick · Jason Yellick · commit 448917b6bdcc · 2018-02-13T14:57:09.000-05:00
The peer turns on mutual TLS with clientAuthRequired, while the orderer
turns on mutual TLS with ClientAuthEnabled.  This is inconsistent, and
as it's a v1.1 feature, may be safely fixed without worry for backwards
compatability.

Change-Id: Ic3c2817177df0dae6e76bc3d6c8cd965d0502d40
Signed-off-by: Jason Yellick &lt;jyellick@us.ibm.com&gt;
diff --git a/examples/cluster/config/orderer.yaml b/examples/cluster/config/orderer.yaml
@@ -34,7 +34,7 @@ General:
         Certificate: tls/server.crt
         RootCAs:
           - tls/ca.crt
-        ClientAuthEnabled: false
+        ClientAuthRequired: false
         ClientRootCAs:
 
     # Log Level: The level at which to log. This accepts logging specifications
diff --git a/orderer/common/localconfig/config.go b/orderer/common/localconfig/config.go
@@ -97,12 +97,12 @@ type Keepalive struct {
 
 // TLS contains configuration for TLS connections.
 type TLS struct {
-	Enabled           bool
-	PrivateKey        string
-	Certificate       string
-	RootCAs           []string
-	ClientAuthEnabled bool
-	ClientRootCAs     []string
+	Enabled            bool
+	PrivateKey         string
+	Certificate        string
+	RootCAs            []string
+	ClientAuthRequired bool
+	ClientRootCAs      []string
 }
 
 // Authentication contains configuration parameters related to authenticating
diff --git a/orderer/common/server/main.go b/orderer/common/server/main.go
@@ -136,7 +136,7 @@ func initializeServerConfig(conf *config.TopLevel) comm.ServerConfig {
 	// secure server config
 	secureOpts := &comm.SecureOptions{
 		UseTLS:            conf.General.TLS.Enabled,
-		RequireClientCert: conf.General.TLS.ClientAuthEnabled,
+		RequireClientCert: conf.General.TLS.ClientAuthRequired,
 	}
 	// check to see if TLS is enabled
 	if secureOpts.UseTLS {
diff --git a/orderer/common/server/main_test.go b/orderer/common/server/main_test.go
@@ -79,12 +79,12 @@ func TestInitializeServerConfig(t *testing.T) {
 	conf := &config.TopLevel{
 		General: config.General{
 			TLS: config.TLS{
-				Enabled:           true,
-				ClientAuthEnabled: true,
-				Certificate:       "main.go",
-				PrivateKey:        "main.go",
-				RootCAs:           []string{"main.go"},
-				ClientRootCAs:     []string{"main.go"},
+				Enabled:            true,
+				ClientAuthRequired: true,
+				Certificate:        "main.go",
+				PrivateKey:         "main.go",
+				RootCAs:            []string{"main.go"},
+				ClientRootCAs:      []string{"main.go"},
 			},
 		},
 	}
@@ -131,12 +131,12 @@ func TestInitializeServerConfig(t *testing.T) {
 					&config.TopLevel{
 						General: config.General{
 							TLS: config.TLS{
-								Enabled:           true,
-								ClientAuthEnabled: true,
-								Certificate:       tc.certificate,
-								PrivateKey:        tc.privateKey,
-								RootCAs:           []string{tc.rootCA},
-								ClientRootCAs:     []string{tc.clientCertificate},
+								Enabled:            true,
+								ClientAuthRequired: true,
+								Certificate:        tc.certificate,
+								PrivateKey:         tc.privateKey,
+								RootCAs:            []string{tc.rootCA},
+								ClientRootCAs:      []string{tc.clientCertificate},
 							},
 						},
 					})
@@ -255,8 +255,8 @@ func TestInitializeGrpcServer(t *testing.T) {
 			ListenAddress: host,
 			ListenPort:    uint16(port),
 			TLS: config.TLS{
-				Enabled:           false,
-				ClientAuthEnabled: false,
+				Enabled:            false,
+				ClientAuthRequired: false,
 			},
 		},
 	}
@@ -280,8 +280,8 @@ func TestUpdateTrustedRoots(t *testing.T) {
 			ListenAddress: "localhost",
 			ListenPort:    uint16(port),
 			TLS: config.TLS{
-				Enabled:           false,
-				ClientAuthEnabled: false,
+				Enabled:            false,
+				ClientAuthRequired: false,
 			},
 		},
 	}
@@ -309,10 +309,10 @@ func TestUpdateTrustedRoots(t *testing.T) {
 			ListenAddress: "localhost",
 			ListenPort:    uint16(port),
 			TLS: config.TLS{
-				Enabled:           true,
-				ClientAuthEnabled: true,
-				PrivateKey:        filepath.Join(".", "testdata", "tls", "server.key"),
-				Certificate:       filepath.Join(".", "testdata", "tls", "server.crt"),
+				Enabled:            true,
+				ClientAuthRequired: true,
+				PrivateKey:         filepath.Join(".", "testdata", "tls", "server.key"),
+				Certificate:        filepath.Join(".", "testdata", "tls", "server.crt"),
 			},
 		},
 	}
diff --git a/sampleconfig/orderer.yaml b/sampleconfig/orderer.yaml
@@ -34,7 +34,7 @@ General:
         Certificate: tls/server.crt
         RootCAs:
           - tls/ca.crt
-        ClientAuthEnabled: false
+        ClientAuthRequired: false
         ClientRootCAs:
 
     # Keepalive settings for the GRPC server.

Original file line number	Diff line number	Diff line change
`@@ -136,7 +136,7 @@ func initializeServerConfig(conf *config.TopLevel) comm.ServerConfig {`
`136`	`136`	`// secure server config`
`137`	`137`	`secureOpts := &comm.SecureOptions{`
`138`	`138`	`UseTLS: conf.General.TLS.Enabled,`
`139`		`- RequireClientCert: conf.General.TLS.ClientAuthEnabled,`
	`139`	`+ RequireClientCert: conf.General.TLS.ClientAuthRequired,`
`140`	`140`	`}`
`141`	`141`	`// check to see if TLS is enabled`
`142`	`142`	`if secureOpts.UseTLS {`