nsqd: use --tls-root-ca-file in nsqauth request #1473
Conversation
| tlsConfig.RootCAs = tlsCertPool | ||
| } | ||
|
|
||
| return tlsConfig, nil |
There was a problem hiding this comment.
Question: Shouldn't tlsConfig be nil if opts.TLSRootCAFile is unspecified?
There was a problem hiding this comment.
Our intention was to respect the existing TLSMinVersion flag for clients as well, which is why we're passing a tls.Config with MinVersion set to the flag. This behavior was inspired by the very similar buildTLSConfig function for assembling the tls.Config for the server:
Line 751 in eb27dd5
The documentation for tls.Config in Go 1.17 the current go version specified in go.mod specifies TLS 1.0 as the default minimum versions (which has been deprecated by RFC 8996, however the latest Go version (1.21.3) sets TLS 1.2 as the minimum for TLS clients per default (https://pkg.go.dev/crypto/tls@go1.21.3#Config). Because of this, we would want to respect the existing config option in Go 1.17. Alternatively, the project could be upgraded to Go 1.21 to ensure that a secure TLS version is used.
Because (according to the documentation) the zero value of tls.Config should work in the same way its nil value does, this should not affect any other TLS options.
|
LGTM, thanks! |
This change allows the parameter
--tls-root-ca-fileto set the root CA file for auth requests as well.