Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

config: reload tikv/tidb cluster tls for every new established conn (#14833) #15162

Merged
merged 2 commits into from
Mar 17, 2020
Merged

config: reload tikv/tidb cluster tls for every new established conn (#14833) #15162

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
b87f4b1
config: reload tikv/tidb cluster tls for every new established conn (…
lysu Feb 19, 2020
d6113a5
fix after rebase
lysu Mar 17, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
55 changes: 32 additions & 23 deletions config/config.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -148,39 +148,48 @@ func (e *ErrConfigValidationFailed) Error() string {
}

// ToTLSConfig generates tls's config based on security section of the config.
func (s *Security) ToTLSConfig() (*tls.Config, error) {
var tlsConfig *tls.Config
func (s *Security) ToTLSConfig() (tlsConfig *tls.Config, err error) {
if len(s.ClusterSSLCA) != 0 {
var certificates = make([]tls.Certificate, 0)
if len(s.ClusterSSLCert) != 0 && len(s.ClusterSSLKey) != 0 {
// Load the client certificates from disk
certificate, err := tls.LoadX509KeyPair(s.ClusterSSLCert, s.ClusterSSLKey)
if err != nil {
return nil, errors.Errorf("could not load client key pair: %s", err)
}
certificates = append(certificates, certificate)
}

// Create a certificate pool from the certificate authority
certPool := x509.NewCertPool()
ca, err := ioutil.ReadFile(s.ClusterSSLCA)
// Create a certificate pool from the certificate authority
var ca []byte
ca, err = ioutil.ReadFile(s.ClusterSSLCA)
if err != nil {
return nil, errors.Errorf("could not read ca certificate: %s", err)
err = errors.Errorf("could not read ca certificate: %s", err)
return
}

// Append the certificates from the CA
if !certPool.AppendCertsFromPEM(ca) {
return nil, errors.New("failed to append ca certs")
err = errors.New("failed to append ca certs")
return
}

tlsConfig = &tls.Config{
Certificates: certificates,
RootCAs: certPool,
ClientCAs: certPool,
RootCAs: certPool,
ClientCAs: certPool,
}
}

return tlsConfig, nil
if len(s.ClusterSSLCert) != 0 && len(s.ClusterSSLKey) != 0 {
getCert := func() (*tls.Certificate, error) {
// Load the client certificates from disk
cert, err := tls.LoadX509KeyPair(s.ClusterSSLCert, s.ClusterSSLKey)
if err != nil {
return nil, errors.Errorf("could not load client key pair: %s", err)
}
return &cert, nil
}
// pre-test cert's loading.
if _, err = getCert(); err != nil {
return
}
tlsConfig.GetClientCertificate = func(info *tls.CertificateRequestInfo) (certificate *tls.Certificate, err error) {
return getCert()
}
tlsConfig.GetCertificate = func(info *tls.ClientHelloInfo) (certificate *tls.Certificate, err error) {
return getCert()
}
}
}
return
}

// Status is the status section of the config.
Expand Down