From 39a55953afa9b05bde9d8b16b134086370b7eb3c Mon Sep 17 00:00:00 2001 From: Armon Dadgar Date: Mon, 7 Apr 2014 12:45:33 -0700 Subject: [PATCH] consul: Simplify TLS handling in RPC server --- consul/rpc.go | 27 ++++++++++++--------------- 1 file changed, 12 insertions(+), 15 deletions(-) diff --git a/consul/rpc.go b/consul/rpc.go index 44030cc3fd..cb4185a3dc 100644 --- a/consul/rpc.go +++ b/consul/rpc.go @@ -45,14 +45,14 @@ func (s *Server) listen() { s.rpcClients[conn] = struct{}{} s.rpcClientLock.Unlock() - go s.handleConn(conn) + go s.handleConn(conn, false) metrics.IncrCounter([]string{"consul", "rpc", "accept_conn"}, 1) } } // handleConn is used to determine if this is a Raft or // Consul type RPC connection and invoke the correct handler -func (s *Server) handleConn(conn net.Conn) { +func (s *Server) handleConn(conn net.Conn, isTLS bool) { // Read a single byte buf := make([]byte, 1) if _, err := conn.Read(buf); err != nil { @@ -61,20 +61,8 @@ func (s *Server) handleConn(conn net.Conn) { return } - // Check if entering TLS mode - isTLS := false - if RPCType(buf[0]) == rpcTLS { - if s.rpcTLS == nil { - s.logger.Printf("[WARN] consul.rpc: TLS connection attempted, server not configured for TLS") - conn.Close() - return - } - conn = tls.Server(conn, s.rpcTLS) - isTLS = true - } - // Enforce TLS if VerifyIncoming is set - if s.config.VerifyIncoming && !isTLS { + if s.config.VerifyIncoming && !isTLS && RPCType(buf[0]) != rpcTLS { s.logger.Printf("[WARN] consul.rpc: Non-TLS connection attempted with VerifyIncoming set") conn.Close() return @@ -92,6 +80,15 @@ func (s *Server) handleConn(conn net.Conn) { case rpcMultiplex: s.handleMultiplex(conn) + case rpcTLS: + if s.rpcTLS == nil { + s.logger.Printf("[WARN] consul.rpc: TLS connection attempted, server not configured for TLS") + conn.Close() + return + } + conn = tls.Server(conn, s.rpcTLS) + s.handleConn(conn, true) + default: s.logger.Printf("[ERR] consul.rpc: unrecognized RPC byte: %v", buf[0]) conn.Close()