consul: Simplify TLS handling in RPC server

consul/rpc.go

@@ -45,14 +45,14 @@ func (s *Server) listen() {
 		s.rpcClients[conn] = struct{}{}
 		s.rpcClientLock.Unlock()
 
-		go s.handleConn(conn)
+		go s.handleConn(conn, false)
 		metrics.IncrCounter([]string{"consul", "rpc", "accept_conn"}, 1)
 	}
 }
 
 // handleConn is used to determine if this is a Raft or
 // Consul type RPC connection and invoke the correct handler
-func (s *Server) handleConn(conn net.Conn) {
+func (s *Server) handleConn(conn net.Conn, isTLS bool) {
 	// Read a single byte
 	buf := make([]byte, 1)
 	if _, err := conn.Read(buf); err != nil {
@@ -61,20 +61,8 @@ func (s *Server) handleConn(conn net.Conn) {
 		return
 	}
 
-	// Check if entering TLS mode
-	isTLS := false
-	if RPCType(buf[0]) == rpcTLS {
-		if s.rpcTLS == nil {
-			s.logger.Printf("[WARN] consul.rpc: TLS connection attempted, server not configured for TLS")
-			conn.Close()
-			return
-		}
-		conn = tls.Server(conn, s.rpcTLS)
-		isTLS = true
-	}
-
 	// Enforce TLS if VerifyIncoming is set
-	if s.config.VerifyIncoming && !isTLS {
+	if s.config.VerifyIncoming && !isTLS && RPCType(buf[0]) != rpcTLS {
 		s.logger.Printf("[WARN] consul.rpc: Non-TLS connection attempted with VerifyIncoming set")
 		conn.Close()
 		return
@@ -92,6 +80,15 @@ func (s *Server) handleConn(conn net.Conn) {
 	case rpcMultiplex:
 		s.handleMultiplex(conn)
 
+	case rpcTLS:
+		if s.rpcTLS == nil {
+			s.logger.Printf("[WARN] consul.rpc: TLS connection attempted, server not configured for TLS")
+			conn.Close()
+			return
+		}
+		conn = tls.Server(conn, s.rpcTLS)
+		s.handleConn(conn, true)
+
 	default:
 		s.logger.Printf("[ERR] consul.rpc: unrecognized RPC byte: %v", buf[0])
 		conn.Close()