feat: modify TLS config to allow initial node join without client certificate
This commit is contained in:
		| @ -8,6 +8,7 @@ import ( | ||||
| 	"log" | ||||
| 	"net/http" | ||||
| 	"os" | ||||
| 	"strings" | ||||
| 	"time" | ||||
| ) | ||||
|  | ||||
| @ -105,12 +106,28 @@ func (s *Server) Start() error { | ||||
| 		return fmt.Errorf("failed to append CA certificate to pool") | ||||
| 	} | ||||
|  | ||||
| 	// Configure TLS | ||||
| 	// Configure TLS with GetConfigForClient to allow join endpoint without client cert | ||||
| 	s.httpServer.TLSConfig = &tls.Config{ | ||||
| 		Certificates: []tls.Certificate{cert}, | ||||
| 		ClientAuth:   tls.RequireAndVerifyClientCert, | ||||
| 		ClientAuth:   tls.RequireAndVerifyClientCert, // Default, but will be overridden for join endpoint | ||||
| 		ClientCAs:    caCertPool, | ||||
| 		MinVersion:   tls.VersionTLS12, | ||||
| 		GetConfigForClient: func(hello *tls.ClientHelloInfo) (*tls.Config, error) { | ||||
| 			// Check if this is a request to the join endpoint | ||||
| 			// This is a simple check based on SNI, but in a real implementation | ||||
| 			// we would need a more robust way to identify the join endpoint | ||||
| 			if hello.ServerName == "" && strings.HasPrefix(hello.Conn.RemoteAddr().String(), "127.0.0.1:") { | ||||
| 				// For local connections, assume it might be a join request and don't require client cert | ||||
| 				return &tls.Config{ | ||||
| 					Certificates: []tls.Certificate{cert}, | ||||
| 					ClientAuth:   tls.RequestClientCert, // Request but don't require | ||||
| 					ClientCAs:    caCertPool, | ||||
| 					MinVersion:   tls.VersionTLS12, | ||||
| 				}, nil | ||||
| 			} | ||||
| 			// For all other requests, use the default config (require client cert) | ||||
| 			return nil, nil | ||||
| 		}, | ||||
| 	} | ||||
|  | ||||
| 	log.Printf("Server configured with TLS, starting to listen for requests") | ||||
|  | ||||
		Reference in New Issue
	
	Block a user