authorKonstantin Lebedev <9497591+kmlebedev@users.noreply.github.com>2022-06-24 00:26:56 +0500
committerKonstantin Lebedev <9497591+kmlebedev@users.noreply.github.com>2022-06-24 00:26:56 +0500
commitea7cdb8b0ede4253396838f9736c3f6e4fac2e35 (patch)
treeaa8b78bd685175d54f74b021c29576eb18f42f33
parent5b388ed6c1d50ba1ba17d06c3d50fd9550aa8cd4 (diff)
seperate option
-rw-r--r--weed/security/tls.go24
1 files changed, 18 insertions, 6 deletions
diff --git a/weed/security/tls.go b/weed/security/tls.go
index 7b4788a31..99df9b9c3 100644
--- a/weed/security/tls.go
+++ b/weed/security/tls.go
@@ -21,7 +21,7 @@ import (
"github.com/chrislusf/seaweedfs/weed/util"
)
-const credRefreshingInterval = 5 * time.Minute
+const credRefreshingInterval = time.Duration(5) * time.Hour
type Authenticator struct {
AllowedWildcardDomain string
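Review bot: The conversion on L24 is redundant — `5 * time.Hour` is already a time.Duration because the untyped constant takes the type of time.Hour, so the line can read `const credRefreshingInterval = 5 * time.Hour`, the same form the removed line used. Raising the refresh interval from five minutes to five hours also means a rotated or replaced certificate file is presumably not picked up by the pemfile providers for up to five hours; if that is intended, a short comment on the constant stating why would help the next reader. The Authenticator struct continues outside the hunk.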
@@ -64,12 +64,12 @@ func LoadServerTLS(config *util.ViperProxy, component string) (grpc.ServerOption
RootOptions: advancedtls.RootCertificateOptions{
RootProvider: serverRootProvider,
},
- RequireClientCert: true,
+ RequireClientCert: false,
VerifyPeer: func(params *advancedtls.VerificationFuncParams) (*advancedtls.VerificationResults, error) {
glog.V(0).Infof("Client common name: %s.\n", params.Leaf.Subject.CommonName)
return &advancedtls.VerificationResults{}, nil
},
- VType: advancedtls.CertVerification,
+ VType: advancedtls.SkipVerification,
}
ta, err := advancedtls.NewServerCreds(options)
if err != nil {
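Review bot: With VType switched to SkipVerification on L38, the VerifyPeer callback on L33-36 becomes the only check applied to a connecting client, and it returns success unconditionally, so the server accepts any presented certificate without validating it against serverRootProvider (L28-30), which is now configured but unused; the client hunk below makes the same VType change. Combined with RequireClientCert set to false on L32, a client may also present no certificate at all, in which case params.Leaf is presumably nil and the log line on L34 would panic — please confirm against the advancedtls documentation. If the intent is only to make the client certificate optional, keeping `VType: advancedtls.CertVerification,` preserves chain validation whenever a certificate is presented, and the callback should guard the dereference with `if params.Leaf == nil { return &advancedtls.VerificationResults{}, nil }`. LoadServerTLS starts and ends outside the hunk.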
@@ -106,7 +106,6 @@ func LoadClientTLS(config *util.ViperProxy, component string) grpc.DialOption {
clientOptions := pemfile.Options{
CertFile: certFileName,
KeyFile: keyFileName,
- RootFile: caFileName,
RefreshDuration: credRefreshingInterval,
}
clientProvider, err := pemfile.NewProvider(clientOptions)
@@ -115,14 +114,27 @@ func LoadClientTLS(config *util.ViperProxy, component string) grpc.DialOption {
return grpc.WithInsecure()
}
defer clientProvider.Close()
+ clientRootOptions := pemfile.Options{
+ RootFile: config.GetString("grpc.ca"),
+ RefreshDuration: credRefreshingInterval,
+ }
+ clientRootProvider, err := pemfile.NewProvider(clientRootOptions)
+ if err != nil {
+ glog.Warningf("pemfile.NewProvider(%v) failed: %v", clientRootOptions, err)
+ return grpc.WithInsecure()
+ }
+ defer clientRootProvider.Close()
options := &advancedtls.ClientOptions{
+ IdentityOptions: advancedtls.IdentityCertificateOptions{
+ IdentityProvider: clientProvider,
+ },
VerifyPeer: func(params *advancedtls.VerificationFuncParams) (*advancedtls.VerificationResults, error) {
return &advancedtls.VerificationResults{}, nil
},
RootOptions: advancedtls.RootCertificateOptions{
- RootProvider: clientProvider,
+ RootProvider: clientRootProvider,
},
- VType: advancedtls.CertVerification,
+ VType: advancedtls.SkipVerification,
}
ta, err := advancedtls.NewClientCreds(options)
if err != nil {
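Review bot: The clientRootProvider created on L54-63 and wired into RootOptions on L73 is never consulted, because L76 sets VType to SkipVerification and the VerifyPeer callback on L68-70 accepts every server unconditionally, so the new `grpc.ca` setting has no effect on which servers the client trusts (the VType change itself is raised on the server hunk above). On L59-61 a missing or unreadable CA file is logged and then silently downgraded to `grpc.WithInsecure()`, so a typo in grpc.ca turns off transport security for the component without anything failing; since the signature cannot return an error, failing loudly here (for example `glog.Fatalf`) or at least logging at error level seems safer than a warning. The deferred `clientRootProvider.Close()` on L63 mirrors L53, but if Close stops the provider from serving key material the DialOption returned later would hold a closed provider — worth confirming against pemfile's Close semantics. LoadClientTLS starts and ends outside the hunk.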