Added --crl-check flag for the certs with built-in CRL info

etcd-io · Jul 20, 2016 · 791f37d · 791f37d
1 parent d10aaa5
commit 791f37d
Show file tree

Hide file tree

Showing 5 changed files with 42 additions and 13 deletions.
diff --git a/embed/config.go b/embed/config.go
@@ -123,6 +123,7 @@ type securityConfig struct {
 	KeyFile       string `json:"key-file"`
 	CertAuth      bool   `json:"client-cert-auth"`
 	TrustedCAFile string `json:"trusted-ca-file"`
+	CRLCheck      bool   `json:"crl-check"`
 	CRLFile       string `json:"crl-file"`
 	AutoTLS       bool   `json:"auto-tls"`
 }
@@ -213,8 +214,9 @@ func (cfg *configYAML) configFromFile(path string) error {
 		tls.CAFile = ysc.CAFile
 		tls.CertFile = ysc.CertFile
 		tls.KeyFile = ysc.KeyFile
-		tls.ClientCertAuth = ysc.CertAuth
 		tls.TrustedCAFile = ysc.TrustedCAFile
+		tls.ClientCertAuth = ysc.CertAuth
+		tls.CRLCheck = (ysc.CRLCheck || ysc.CRLFile != "") && ysc.CertAuth
 		tls.CRLFile = ysc.CRLFile
 	}
 	copySecurityDetails(&cfg.ClientTLSInfo, &cfg.ClientSecurityJSON)

diff --git a/embed/etcd.go b/embed/etcd.go
@@ -294,18 +294,30 @@ func (e *Etcd) serve() (err error) {
 	}
 
 	// Start the peer server in a goroutine
-	ph := tlsutil.NewRevokeHandler(
-		v2http.NewPeerHandler(e.Server),
-		e.cfg.PeerTLSInfo.CRLFile)
+	var ph, clientHandler http.Handler
+	if e.cfg.PeerTLSInfo.CRLCheck {
+		// Enable CRL checker handler for the peer server
+		ph = tlsutil.NewRevokeHandler(
+			v2http.NewPeerHandler(e.Server),
+			e.cfg.PeerTLSInfo.CRLFile)
+	} else {
+		ph = v2http.NewPeerHandler(e.Server)
+	}
+	// Start the peer server in a goroutine
 	for _, l := range e.Peers {
 		go func(l net.Listener) {
 			e.errc <- servePeerHTTP(l, ph)
 		}(l)
 	}
 
-	clientHandler := tlsutil.NewRevokeHandler(
-		v2http.NewClientHandler(e.Server, e.Server.Cfg.ReqTimeout()),
-		e.cfg.ClientTLSInfo.CRLFile)
+	if e.cfg.ClientTLSInfo.CRLCheck {
+		// Enable CRL checker handler for the client server
+		clientHandler = tlsutil.NewRevokeHandler(
+			v2http.NewClientHandler(e.Server, e.Server.Cfg.ReqTimeout()),
+			e.cfg.ClientTLSInfo.CRLFile)
+	} else {
+		clientHandler = v2http.NewClientHandler(e.Server, e.Server.Cfg.ReqTimeout())
+	}
 	// Start a client server goroutine for each listen address
 	ch := http.Handler(&cors.CORSHandler{
 		Handler: clientHandler,

diff --git a/etcdmain/config.go b/etcdmain/config.go
@@ -173,14 +173,16 @@ func newConfig() *config {
 	fs.StringVar(&cfg.ClientTLSInfo.KeyFile, "key-file", "", "Path to the client server TLS key file.")
 	fs.BoolVar(&cfg.ClientTLSInfo.ClientCertAuth, "client-cert-auth", false, "Enable client cert authentication.")
 	fs.StringVar(&cfg.ClientTLSInfo.TrustedCAFile, "trusted-ca-file", "", "Path to the client server TLS trusted CA key file.")
-	fs.StringVar(&cfg.ClientTLSInfo.CRLFile, "crl-file", "", "Path to the client server certificate revocation list file.")
+	fs.BoolVar(&cfg.ClientTLSInfo.CRLCheck, "crl-check", false, "Enable CRL check for the client server. Works only when --client-cert-auth flag is set.")
+	fs.StringVar(&cfg.ClientTLSInfo.CRLFile, "crl-file", "", "Path to the client server certificate revocation list file. If set, automatically enables --crl-check flag.")
 	fs.BoolVar(&cfg.ClientAutoTLS, "auto-tls", false, "Client TLS using generated certificates")
 	fs.StringVar(&cfg.PeerTLSInfo.CAFile, "peer-ca-file", "", "DEPRECATED: Path to the peer server TLS CA file.")
 	fs.StringVar(&cfg.PeerTLSInfo.CertFile, "peer-cert-file", "", "Path to the peer server TLS cert file.")
 	fs.StringVar(&cfg.PeerTLSInfo.KeyFile, "peer-key-file", "", "Path to the peer server TLS key file.")
 	fs.BoolVar(&cfg.PeerTLSInfo.ClientCertAuth, "peer-client-cert-auth", false, "Enable peer client cert authentication.")
 	fs.StringVar(&cfg.PeerTLSInfo.TrustedCAFile, "peer-trusted-ca-file", "", "Path to the peer server TLS trusted CA file.")
-	fs.StringVar(&cfg.PeerTLSInfo.CRLFile, "peer-crl-file", "", "Path to the peer server certificate revocation list file.")
+	fs.BoolVar(&cfg.PeerTLSInfo.CRLCheck, "peer-crl-check", false, "Enable CRL check for the peer server. Works only when --peer-client-cert-auth flag is set.")
+	fs.StringVar(&cfg.PeerTLSInfo.CRLFile, "peer-crl-file", "", "Path to the peer server certificate revocation list file. If set, automatically enables --peer-crl-check flag.")
 	fs.BoolVar(&cfg.PeerAutoTLS, "peer-auto-tls", false, "Peer TLS using generated certificates")
 
 	// logging
@@ -234,6 +236,14 @@ func (cfg *config) parse(arguments []string) error {
 	} else {
 		err = cfg.configFromCmdLine()
 	}
+
+	if cfg.ClientTLSInfo.CRLFile != "" && cfg.ClientTLSInfo.ClientCertAuth {
+		cfg.ClientTLSInfo.CRLCheck = true
+	}
+
+	if cfg.PeerTLSInfo.CRLFile != "" && cfg.PeerTLSInfo.ClientCertAuth {
+		cfg.PeerTLSInfo.CRLCheck = true
+	}
 	return err
 }
 

diff --git a/etcdmain/help.go b/etcdmain/help.go
@@ -118,8 +118,10 @@ security flags:
 		enable client cert authentication.
 	--trusted-ca-file ''
 		path to the client server TLS trusted CA key file.
+	--crl-check 'false'
+		enable CRL check for the client server. Works only when --client-cert-auth flag is set.
 	--crl-file ''
-		path to the client server certificate revocation list file.
+		path to the client server certificate revocation list file. If set, automatically enables --crl-check flag.
 	--auto-tls 'false'
 		client TLS using generated certificates.
 	--peer-ca-file '' [DEPRECATED]
@@ -132,8 +134,10 @@ security flags:
 		enable peer client cert authentication.
 	--peer-trusted-ca-file ''
 		path to the peer server TLS trusted CA file.
+	--peer-crl-check 'false'
+		enable CRL check for the peer server. Works only when --peer-client-cert-auth flag is set.
 	--peer-crl-file ''
-		path to the peer server certificate revocation list file.
+		path to the peer server certificate revocation list file. If set, automatically enables --peer-crl-check flag.
 	--peer-auto-tls 'false'
 		peer TLS using self-generated certificates if --peer-key-file and --peer-cert-file are not provided.
 

diff --git a/pkg/transport/listener.go b/pkg/transport/listener.go
@@ -65,8 +65,9 @@ type TLSInfo struct {
 	KeyFile        string
 	CAFile         string
 	TrustedCAFile  string
-	CRLFile        string
 	ClientCertAuth bool
+	CRLCheck       bool
+	CRLFile        string
 
 	selfCert bool
 
@@ -76,7 +77,7 @@ type TLSInfo struct {
 }
 
 func (info TLSInfo) String() string {
-	return fmt.Sprintf("cert = %s, key = %s, ca = %s, trusted-ca = %s, cert-auth = %v, crl-file = %s", info.CertFile, info.KeyFile, info.CAFile, info.TrustedCAFile, info.ClientCertAuth, info.CRLFile)
+	return fmt.Sprintf("cert = %s, key = %s, ca = %s, trusted-ca = %s, cert-auth = %v, crl-check = %v, crl-file = %s", info.CertFile, info.KeyFile, info.CAFile, info.TrustedCAFile, info.ClientCertAuth, info.CRLCheck, info.CRLFile)
 }
 
 func (info TLSInfo) Empty() bool {