From a55e6b62fb14096ea496a6ee3bf6e03d8d93e3bc Mon Sep 17 00:00:00 2001
From: xhe
Date: Wed, 22 Feb 2023 20:14:32 +0800
Subject: [PATCH] tls: fix server side verification (#221)

---
 lib/util/security/cert.go      | 6 +++++-
 lib/util/security/cert_test.go | 2 +-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/lib/util/security/cert.go b/lib/util/security/cert.go
index ccd4ab3f..55cb1cc1 100644
--- a/lib/util/security/cert.go
+++ b/lib/util/security/cert.go
@@ -115,6 +115,10 @@ func (ci *CertInfo) verifyPeerCertificate(rawCerts [][]byte, _ [][]*x509.Certifi
 	}
 	if ci.server {
 		opts.KeyUsages = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
+	} else {
+		// this is the default behavior of Verify()
+		// it is not necessary but explicit
+		opts.KeyUsages = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
 	}
 	// TODO: not implemented, maybe later
 	// opts.DNSName = ci.serverName
@@ -226,7 +230,7 @@ func (ci *CertInfo) buildServerConfig(lg *zap.Logger) (*tls.Config, error) {
 	ci.ca.Store(cas)
 
 	if ci.cfg.SkipCA {
-		tcfg.ClientAuth = tls.VerifyClientCertIfGiven
+		tcfg.ClientAuth = tls.RequestClientCert
 	} else {
 		tcfg.ClientAuth = tls.RequireAnyClientCert
 	}
diff --git a/lib/util/security/cert_test.go b/lib/util/security/cert_test.go
index 7ec126b1..fd3a52fc 100644
--- a/lib/util/security/cert_test.go
+++ b/lib/util/security/cert_test.go
@@ -113,7 +113,7 @@ func TestCertServer(t *testing.T) {
 			},
 			checker: func(t *testing.T, c *tls.Config, ci *CertInfo) {
 				require.NotNil(t, c)
-				require.Equal(t, tls.VerifyClientCertIfGiven, c.ClientAuth)
+				require.Equal(t, tls.RequestClientCert, c.ClientAuth)
 				require.NotNil(t, ci.ca.Load())
 				require.NotNil(t, ci.cert.Load())
 			},
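Review bot: The new else branch pins KeyUsages to ServerAuth, but the context lines just below it still leave opts.DNSName unset (`// TODO: not implemented, maybe later` / `// opts.DNSName = ci.serverName`), so on the client side this verifier checks chain and key usage only and never binds the certificate to the server name the client intended to reach. If this callback is the only verification on the client path (the hunk does not show whether InsecureSkipVerify is set alongside it), any certificate chaining to the trusted CA is accepted regardless of which host it was issued for, which is worth stating rather than leaving as a TODO. Either wire `opts.DNSName = ci.serverName` now, or replace the TODO with `// NOTE: hostname is not verified here; the client accepts any cert chaining to ci.ca`. The added comment would also read better as `// ServerAuth is already Verify()'s default; set it explicitly to mirror the server branch`. verifyPeerCertificate begins outside the hunk.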
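Review bot: Switching to tls.RequestClientCert under SkipCA means crypto/tls performs no chain validation on a presented client certificate, and the same is already true of tls.RequireAnyClientCert in the else branch, which only requires that some certificate be sent. Both branches therefore depend entirely on a VerifyPeerCertificate callback (presumably verifyPeerCertificate from the first hunk) for the real check, yet the hunk does not show that callback being installed on tcfg, and a reader is likely to assume RequireAnyClientCert validates against ClientCAs. I would add above the if: `// Neither ClientAuth mode below validates the chain in crypto/tls; all client-cert checks live in verifyPeerCertificate, which (if I recall the stdlib correctly) is also invoked with empty rawCerts when RequestClientCert lets the client send nothing.` The accompanying test in cert_test.go only asserts the enum value; a handshake test with an untrusted client certificate under each SkipCA setting would pin the behaviour this commit is meant to fix. buildServerConfig begins and ends outside the hunk.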