consul: Enable incoming TLS connections to server

consul/rpc.go

@@ -1,6 +1,7 @@
 package consul
 
 import (
+	"crypto/tls"
 	"fmt"
 	"github.com/armon/go-metrics"
 	"github.com/hashicorp/consul/consul/structs"
@@ -19,6 +20,7 @@ const (
 	rpcConsul RPCType = iota
 	rpcRaft
 	rpcMultiplex
+	rpcTLS
 )
 
 const (
@@ -71,6 +73,15 @@ func (s *Server) handleConn(conn net.Conn) {
 	case rpcMultiplex:
 		s.handleMultiplex(conn)
 
+	case rpcTLS:
+		if s.rpcTLS == nil {
+			s.logger.Printf("[WARN] consul.rpc: TLS connection attempted, server not configured for TLS")
+			conn.Close()
+			return
+		}
+		conn = tls.Server(conn, s.rpcTLS)
+		s.handleConn(conn)
+
 	default:
 		s.logger.Printf("[ERR] consul.rpc: unrecognized RPC byte: %v", buf[0])
 		conn.Close()

consul/server.go

@@ -83,6 +83,9 @@ type Server struct {
 	rpcListener net.Listener
 	rpcServer   *rpc.Server
 
+	// rpcTLS is the TLS config for incoming TLS requests
+	rpcTLS *tls.Config
+
 	// serfLAN is the Serf cluster maintained inside the DC
 	// which contains all the DC nodes
 	serfLAN *serf.Serf
@@ -123,7 +126,7 @@ func NewServer(config *Config) (*Server, error) {
 		config.LogOutput = os.Stderr
 	}
 
-	// Create the tlsConfig
+	// Create the tlsConfig for outgoing connections
 	var tlsConfig *tls.Config
 	var err error
 	if config.VerifyOutgoing {
@@ -132,6 +135,12 @@ func NewServer(config *Config) (*Server, error) {
 		}
 	}
 
+	// Get the incoming tls config
+	incomingTLS, err := config.IncomingTLSConfig()
+	if err != nil {
+		return nil, err
+	}
+
 	// Create a logger
 	logger := log.New(config.LogOutput, "", log.LstdFlags)
 
@@ -146,6 +155,7 @@ func NewServer(config *Config) (*Server, error) {
 		remoteConsuls: make(map[string][]net.Addr),
 		rpcClients:    make(map[net.Conn]struct{}),
 		rpcServer:     rpc.NewServer(),
+		rpcTLS:        incomingTLS,
 		shutdownCh:    make(chan struct{}),
 	}