Remove ServerName because we verify based on region

2026-01-06 02:15:43 +03:00 · 2016-11-01 14:17:31 -07:00
parent 7ee2a1515b
commit cd9fbfa0c7
4 changed files with 1 additions and 13 deletions
--- a/client/config/config.go
+++ b/client/config/config.go
@@ -241,7 +241,6 @@ func (c *Config) TLSConfiguration() *tlsutil.Config {
 		CAFile:               c.TLSConfig.CAFile,
 		CertFile:             c.TLSConfig.CertFile,
 		KeyFile:              c.TLSConfig.KeyFile,
-		ServerName:           c.Node.Name,
 	}
 	return tlsConf
 }
--- a/command/agent/http.go
+++ b/command/agent/http.go
@@ -67,7 +67,6 @@ func NewHTTPServer(agent *Agent, config *Config, logOutput io.Writer) (*HTTPServ
 			CAFile:               config.TLSConfig.CAFile,
 			CertFile:             config.TLSConfig.CertFile,
 			KeyFile:              config.TLSConfig.KeyFile,
-			ServerName:           config.NodeName,
 		}
 		tlsConfig, err := tlsConf.IncomingTLSConfig()
 		if err != nil {
--- a/helper/tlsutil/config.go
+++ b/helper/tlsutil/config.go
@@ -60,10 +60,6 @@ type Config struct {
 	// KeyFile is used to provide a TLS key that is used for serving TLS connections.
 	// Must be provided to serve TLS connections.
 	KeyFile string
-
-	// ServerName is used with the TLS certificate to ensure the name we
-	// provide matches the certificate
-	ServerName string
 }

 // AppendCA opens and parses the CA file and adds the certificates to
@@ -114,13 +110,8 @@ func (c *Config) OutgoingTLSConfig() (*tls.Config, error) {
 		RootCAs:            x509.NewCertPool(),
 		InsecureSkipVerify: true,
 	}
-	if c.ServerName != "" {
-		tlsConfig.ServerName = c.ServerName
-		tlsConfig.InsecureSkipVerify = false
-	}
 	if c.VerifyServerHostname {
 		// ServerName is filled in dynamically based on the target DC
-		tlsConfig.ServerName = "VerifyServerHostname"
 		tlsConfig.InsecureSkipVerify = false
 	}

@@ -235,9 +226,9 @@ func WrapTLSClient(conn net.Conn, tlsConfig *tls.Config) (net.Conn, error) {
 func (c *Config) IncomingTLSConfig() (*tls.Config, error) {
 	// Create the tlsConfig
 	tlsConfig := &tls.Config{
-		ServerName: c.ServerName,
 		ClientCAs:  x509.NewCertPool(),
 		ClientAuth: tls.NoClientCert,
+		ServerName: "*." + region + ".nomad",
 	}

 	// Parse the CA cert if any
--- a/nomad/config.go
+++ b/nomad/config.go
@@ -278,7 +278,6 @@ func (c *Config) tlsConfig() *tlsutil.Config {
 		CAFile:               c.TLSConfig.CAFile,
 		CertFile:             c.TLSConfig.CertFile,
 		KeyFile:              c.TLSConfig.KeyFile,
-		ServerName:           c.NodeName,
 	}
 	return tlsConf
 }