From 40c8cb13eafdf1ea2793537e1a01cb280b427042 Mon Sep 17 00:00:00 2001
From: Derek Collison
Date: Mon, 23 Nov 2015 10:19:47 -0800
Subject: [PATCH] Strict verification for route TLS
---
 server/opts.go | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/server/opts.go b/server/opts.go
index 630947fd..d513f0e3 100644
--- a/server/opts.go
+++ b/server/opts.go
@@ -188,6 +188,11 @@ func parseCluster(cm map[string]interface{}, opts *Options) error {
 if opts.ClusterTLSConfig, err = GenTLSConfig(tc); err != nil {
 return err
 }
+ // For clusters, we will force strict verification. We also act
+ // as both client and server, so will mirror the rootCA to the
+ // clientCA pool.
+ opts.ClusterTLSConfig.ClientAuth = tls.RequireAndVerifyClientCert
+ opts.ClusterTLSConfig.ClientCAs = opts.ClusterTLSConfig.RootCAs
 opts.ClusterTLSTimeout = tc.Timeout
 }
 }
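Review bot: The mirroring on the last added line is only as strict as RootCAs: if GenTLSConfig leaves RootCAs nil (no CA file configured, which this hunk cannot show), ClientCAs is nil as well and crypto/tls then verifies route client certificates against the system root store, so a certificate from any publicly trusted CA would be accepted as a cluster peer. A guard before the two assignments, `if opts.ClusterTLSConfig.RootCAs == nil { return fmt.Errorf("cluster TLS requires a CA file for strict verification") }`, turns that silent widening of trust into a configuration error. I would also extend the new comment to record that trust is CA-wide, e.g. `// Any certificate issued by the route CA is accepted as a peer; no per-route identity is checked.`, since readers may otherwise assume "strict" implies peer identity. parseCluster begins before this hunk and its closing brace may lie outside it.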