Strict verification for route TLS

2026-04-14 10:10:42 -07:00 · 2015-11-23 10:19:47 -08:00
parent 0eedb9a350
commit 40c8cb13ea
1 changed files with 5 additions and 0 deletions
--- a/server/opts.go
+++ b/server/opts.go
@@ -188,6 +188,11 @@ func parseCluster(cm map[string]interface{}, opts *Options) error {
 			if opts.ClusterTLSConfig, err = GenTLSConfig(tc); err != nil {
 				return err
 			}
+			// For clusters, we will force strict verification. We also act
+			// as both client and server, so will mirror the rootCA to the
+			// clientCA pool.
+			opts.ClusterTLSConfig.ClientAuth = tls.RequireAndVerifyClientCert
+			opts.ClusterTLSConfig.ClientCAs = opts.ClusterTLSConfig.RootCAs
 			opts.ClusterTLSTimeout = tc.Timeout
 		}
 	}