tls: fix server side verification (#221)

pingcap · Feb 22, 2023 · a55e6b6 · a55e6b6
1 parent c68bfd3
commit a55e6b6
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 2 deletions.
diff --git a/lib/util/security/cert.go b/lib/util/security/cert.go
@@ -115,6 +115,10 @@ func (ci *CertInfo) verifyPeerCertificate(rawCerts [][]byte, _ [][]*x509.Certifi
 	}
 	if ci.server {
 		opts.KeyUsages = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
+	} else {
+		// this is the default behavior of Verify()
+		// it is not necessary but explicit
+		opts.KeyUsages = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
 	}
 	// TODO: not implemented, maybe later
 	// opts.DNSName = ci.serverName
@@ -226,7 +230,7 @@ func (ci *CertInfo) buildServerConfig(lg *zap.Logger) (*tls.Config, error) {
 	ci.ca.Store(cas)
 
 	if ci.cfg.SkipCA {
-		tcfg.ClientAuth = tls.VerifyClientCertIfGiven
+		tcfg.ClientAuth = tls.RequestClientCert
 	} else {
 		tcfg.ClientAuth = tls.RequireAnyClientCert
 	}

diff --git a/lib/util/security/cert_test.go b/lib/util/security/cert_test.go
@@ -113,7 +113,7 @@ func TestCertServer(t *testing.T) {
 			},
 			checker: func(t *testing.T, c *tls.Config, ci *CertInfo) {
 				require.NotNil(t, c)
-				require.Equal(t, tls.VerifyClientCertIfGiven, c.ClientAuth)
+				require.Equal(t, tls.RequestClientCert, c.ClientAuth)
 				require.NotNil(t, ci.ca.Load())
 				require.NotNil(t, ci.cert.Load())
 			},