
[question] Does pkg/transport not support multiple tls root ca files? #10400

Closed
Fullstop000 opened this issue Jan 14, 2019 · 2 comments
Fullstop000 commented Jan 14, 2019

I'm working on a distributed system and use pkg/transport and raft. When I try to set multiple root CA files in TLSInfo, it seems we can only set one CA file, because there is only a public string-type field called TrustedCAFile.

After a little code digging, I found that when generating a normal tls.Config used by crypto/tls, cafiles() only uses what is set in TrustedCAFile as the root CA:

```go
// cafiles returns a list of CA file paths.
func (info TLSInfo) cafiles() []string {
	cs := make([]string, 0)
	if info.TrustedCAFile != "" {
		cs = append(cs, info.TrustedCAFile)
	}
	return cs
}
```

```go
// The single path (if any) becomes the whole RootCAs pool.
if len(cs) > 0 {
	cfg.RootCAs, err = tlsutil.NewCertPool(cs)
	if err != nil {
		return nil, err
	}
}
```

This behavior confuses me, and I have come up with a few questions:

  1. It seems there is no easy way to add root CAs if I want to create a listener by NewTimeoutListener or a transport by NewTransport.
  2. If I want to use the same CA for every node (a node can be both a client and a server) and set it as TrustedCAFile, client auth will be enabled, which is not required:

     ```go
     cfg.ClientAuth = tls.NoClientCert
     if info.TrustedCAFile != "" || info.ClientCertAuth {
     	cfg.ClientAuth = tls.RequireAndVerifyClientCert
     }
     ```
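The two points above, as an added example that is not etcd's code: a helper that merges several PEM CA bundles (one per CA file) into a single x509.CertPool, the shape a multi-file TrustedCAFile would need, and a tls.Config builder that keeps RootCAs separate from the listener's ClientAuth. The function names and the throwaway self-signed CAs are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// certPoolFromPEM merges any number of PEM CA bundles (one per CA file) into a single pool, the
// shape cafiles()/NewCertPool would need to honour several TrustedCAFiles; n counts CAs added.
func certPoolFromPEM(bundles ...[]byte) (pool *x509.CertPool, n int, err error) {
	pool = x509.NewCertPool()
	for _, data := range bundles {
		for blk, rest := pem.Decode(data); blk != nil; blk, rest = pem.Decode(rest) {
			cert, perr := x509.ParseCertificate(blk.Bytes)
			if perr != nil || !cert.IsCA { // only genuine CAs may become trust anchors
				return nil, 0, fmt.Errorf("CA bundle holds a non-CA or unparsable certificate: %v", perr)
			}
			pool.AddCert(cert)
			n++
		}
	}
	return pool, n, nil
}

func tlsConfigFor(pool *x509.CertPool, clientCertAuth bool) *tls.Config { // RootCAs independent of client auth
	cfg := &tls.Config{MinVersion: tls.VersionTLS12, RootCAs: pool, ClientAuth: tls.NoClientCert}
	if clientCertAuth {
		cfg.ClientCAs, cfg.ClientAuth = pool, tls.RequireAndVerifyClientCert
	}
	return cfg
}

func testCAPEM(cn string) []byte { // constructed fixture: throwaway self-signed CA, PEM-encoded like a CA file
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now(),
		NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
func main() { // two separate "CA files" merged; the listener side stays at NoClientCert
	pool, n, err := certPoolFromPEM(testCAPEM("ca-a"), testCAPEM("ca-b"))
	fmt.Println(n, err, tlsConfigFor(pool, false).ClientAuth)
}
```

Note that a nil RootCAs makes crypto/tls fall back to the system roots, so a caller must pass the merged pool (not nil) when it intends to trust only the cluster CAs.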

jingyih commented Mar 4, 2019

cc @wenjiaswe


stale bot commented Apr 7, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed after 21 days if no further activity occurs. Thank you for your contributions.
