From 44ca8e42bebcf922d90e27a423cacee2e90c0be1 Mon Sep 17 00:00:00 2001 From: lysu Date: Wed, 19 Feb 2020 20:16:33 +0800 Subject: [PATCH] config: reload tikv/tidb cluster tls for every new established conn (#14833) --- config/config.go | 53 ++++++++++++++++++++++++++++-------------------- 1 file changed, 31 insertions(+), 22 deletions(-) diff --git a/config/config.go b/config/config.go index ac6335245e6ec..d5bfd4e3877bf 100644 --- a/config/config.go +++ b/config/config.go @@ -149,38 +149,47 @@ func (e *ErrConfigValidationFailed) Error() string { } // ToTLSConfig generates tls's config based on security section of the config. -func (s *Security) ToTLSConfig() (*tls.Config, error) { - var tlsConfig *tls.Config +func (s *Security) ToTLSConfig() (tlsConfig *tls.Config, err error) { if len(s.ClusterSSLCA) != 0 { - var certificates = make([]tls.Certificate, 0) - if len(s.ClusterSSLCert) != 0 && len(s.ClusterSSLKey) != 0 { - // Load the client certificates from disk - certificate, err := tls.LoadX509KeyPair(s.ClusterSSLCert, s.ClusterSSLKey) - if err != nil { - return nil, errors.Errorf("could not load client key pair: %s", err) - } - certificates = append(certificates, certificate) - } - - // Create a certificate pool from the certificate authority certPool := x509.NewCertPool() - ca, err := ioutil.ReadFile(s.ClusterSSLCA) + // Create a certificate pool from the certificate authority + var ca []byte + ca, err = ioutil.ReadFile(s.ClusterSSLCA) if err != nil { - return nil, errors.Errorf("could not read ca certificate: %s", err) + err = errors.Errorf("could not read ca certificate: %s", err) + return } - // Append the certificates from the CA if !certPool.AppendCertsFromPEM(ca) { - return nil, errors.New("failed to append ca certs") + err = errors.New("failed to append ca certs") + return } - tlsConfig = &tls.Config{ - Certificates: certificates, - RootCAs: certPool, + RootCAs: certPool, } - } - return tlsConfig, nil + if len(s.ClusterSSLCert) != 0 && len(s.ClusterSSLKey) != 0 { + getCert := func() (*tls.Certificate, error) { + // Load the client certificates from disk + cert, err := tls.LoadX509KeyPair(s.ClusterSSLCert, s.ClusterSSLKey) + if err != nil { + return nil, errors.Errorf("could not load client key pair: %s", err) + } + return &cert, nil + } + // pre-test cert's loading. + if _, err = getCert(); err != nil { + return + } + tlsConfig.GetClientCertificate = func(info *tls.CertificateRequestInfo) (certificate *tls.Certificate, err error) { + return getCert() + } + tlsConfig.GetCertificate = func(info *tls.ClientHelloInfo) (certificate *tls.Certificate, err error) { + return getCert() + } + } + } + return } // Status is the status section of the config.