From e6a3695f530b4c623334b83f5353bb1bdf3401b9 Mon Sep 17 00:00:00 2001
From: Hyde Zhang
Date: Tue, 24 Aug 2021 20:31:01 +0100
Subject: [PATCH 1/3] Make use of SocketCAFile config

---
 tls.go | 46 ++++++++++++++++++++++++++--------------------
 1 file changed, 26 insertions(+), 20 deletions(-)

diff --git a/tls.go b/tls.go
index 951ac7e87..39cbbfd8a 100644
--- a/tls.go
+++ b/tls.go
@@ -35,33 +35,36 @@ func loadTLSConfig(settings *SessionSettings) (tlsConfig *tls.Config, err error)
 	}
 
 	if !settings.HasSetting(config.SocketPrivateKeyFile) && !settings.HasSetting(config.SocketCertificateFile) {
-		if allowSkipClientCerts {
-			tlsConfig = defaultTLSConfig()
-			tlsConfig.ServerName = serverName
-			tlsConfig.InsecureSkipVerify = insecureSkipVerify
-			setMinVersionExplicit(settings, tlsConfig)
+		if !allowSkipClientCerts {
+			return
 		}
-		return
-	}
-
-	privateKeyFile, err := settings.Setting(config.SocketPrivateKeyFile)
-	if err != nil {
-		return
-	}
-
-	certificateFile, err := settings.Setting(config.SocketCertificateFile)
-	if err != nil {
-		return
 	}
 
 	tlsConfig = defaultTLSConfig()
-	tlsConfig.Certificates = make([]tls.Certificate, 1)
 	tlsConfig.ServerName = serverName
 	tlsConfig.InsecureSkipVerify = insecureSkipVerify
 	setMinVersionExplicit(settings, tlsConfig)
 
-	if tlsConfig.Certificates[0], err = tls.LoadX509KeyPair(certificateFile, privateKeyFile); err != nil {
-		return
+	if settings.HasSetting(config.SocketPrivateKeyFile) && settings.HasSetting(config.SocketCertificateFile) {
+
+		var privateKeyFile string
+		var certificateFile string
+
+		privateKeyFile, err = settings.Setting(config.SocketPrivateKeyFile)
+		if err != nil {
+			return
+		}
+
+		certificateFile, err = settings.Setting(config.SocketCertificateFile)
+		if err != nil {
+			return
+		}
+
+		tlsConfig.Certificates = make([]tls.Certificate, 1)
+
+		if tlsConfig.Certificates[0], err = tls.LoadX509KeyPair(certificateFile, privateKeyFile); err != nil {
+			return
+		}
 	}
 
 	if !settings.HasSetting(config.SocketCAFile) {
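Review bot: The `return` added under `if !allowSkipClientCerts` hands back a nil *tls.Config and a nil error even when SocketCAFile is configured, so a CA-only session without SocketUseSSL set to Y (the case TestLoadTLSWithoutSSLWithOnlyCA in the second patch exercises) silently runs without TLS instead of reporting the misconfiguration; if that is the intended contract it deserves a comment such as `// no client key pair and SocketUseSSL not set: TLS stays off and a configured SocketCAFile is ignored`, otherwise return an explicit error here. Further down, the `var privateKeyFile string` followed by `privateKeyFile, err = ...` exists so that `:=` inside the new block does not shadow the named result `err`; a one-line `// assign rather than := so the named result err is not shadowed` would spare the next reader that question, and the two declarations could be a single `var ( ... )` group. loadTLSConfig begins and ends outside the hunk.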
@@ -86,7 +89,10 @@ func loadTLSConfig(settings *SessionSettings) (tlsConfig *tls.Config, err error)
 
 	tlsConfig.RootCAs = certPool
 	tlsConfig.ClientCAs = certPool
-	tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
+
+	if !allowSkipClientCerts {
+		tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
+	}
 
 	return
 }

From ee4e0e521772be4ddb1da773a6076943d09829ab Mon Sep 17 00:00:00 2001
From: Hyde Zhang
Date: Wed, 8 Sep 2021 11:16:16 +0100
Subject: [PATCH 2/3] Update tls.go load with CA only behaviour

- Return error if client key cert file pair incomplete
- Add simple test for TLS load with only CA
---
 tls.go | 2 +-
 tls_test.go | 20 ++++++++++++++++++++
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/tls.go b/tls.go
index 39cbbfd8a..758898885 100644
--- a/tls.go
+++ b/tls.go
@@ -45,7 +45,7 @@ func loadTLSConfig(settings *SessionSettings) (tlsConfig *tls.Config, err error)
 	tlsConfig.InsecureSkipVerify = insecureSkipVerify
 	setMinVersionExplicit(settings, tlsConfig)
 
-	if settings.HasSetting(config.SocketPrivateKeyFile) && settings.HasSetting(config.SocketCertificateFile) {
+	if settings.HasSetting(config.SocketPrivateKeyFile) || settings.HasSetting(config.SocketCertificateFile) {
 
 		var privateKeyFile string
 		var certificateFile string
diff --git a/tls_test.go b/tls_test.go
index fe6745a19..60629cb6d 100644
--- a/tls_test.go
+++ b/tls_test.go
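Review bot: Guarding `tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert` with `if !allowSkipClientCerts` means an acceptor that ships a SocketCAFile stops requiring client certificates as soon as SocketUseSSL is Y (the flag the later tests tie to allowSkipClientCerts), while `ClientCAs` is still populated from the same pool; that is a security-relevant behaviour change the commit message does not mention and the configuration documentation should state. A comment on the pool assignment, `// with allowSkipClientCerts the pool only backs RootCAs; ClientCAs is set but not enforced`, would make the intent explicit to the next reader. loadTLSConfig begins outside the hunk.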
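Review bot: Switching `&&` to `||` makes a lone SocketPrivateKeyFile or SocketCertificateFile fail inside the block through the error `settings.Setting` returns for the missing key, but nothing in the code says this is deliberate; add `// either file without the other is a misconfiguration: Setting() fails on the missing one` above the `if`. Whether that error names the missing setting is not visible here; if it does not, wrapping it before the `return` (e.g. `err = fmt.Errorf("loading client key pair: %w", err)`, assuming fmt is imported in tls.go) would make the failure diagnosable from the log. loadTLSConfig begins and ends outside the hunk.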
@@ -87,6 +87,26 @@ func (s *TLSTestSuite) TestLoadTLSWithCA() {
 	s.Equal(tls.RequireAndVerifyClientCert, tlsConfig.ClientAuth)
 }
 
+func (s *TLSTestSuite) TestLoadTLSWithOnlyCA() {
+	s.settings.GlobalSettings().Set(config.SocketUseSSL, "Y")
+	s.settings.GlobalSettings().Set(config.SocketCAFile, s.CAFile)
+
+	tlsConfig, err := loadTLSConfig(s.settings.GlobalSettings())
+	s.Nil(err)
+	s.NotNil(tlsConfig)
+
+	s.NotNil(tlsConfig.RootCAs)
+	s.NotNil(tlsConfig.ClientCAs)
+}
+
+func (s *TLSTestSuite) TestLoadTLSWithoutSSLWithOnlyCA() {
+	s.settings.GlobalSettings().Set(config.SocketCAFile, s.CAFile)
+
+	tlsConfig, err := loadTLSConfig(s.settings.GlobalSettings())
+	s.Nil(err)
+	s.Nil(tlsConfig)
+}
+
 func (s *TLSTestSuite) TestServerNameUseSSL() {
 	s.settings.GlobalSettings().Set(config.SocketUseSSL, "Y")
 	s.settings.GlobalSettings().Set(config.SocketServerName, "DummyServerNameUseSSL")

From bd4a36cfddf4b6431f693d961b17ab4cd35ff3a0 Mon Sep 17 00:00:00 2001
From: Hyde Zhang
Date: Wed, 8 Sep 2021 11:54:18 +0100
Subject: [PATCH 3/3] Require client certs verification when SocketUseSSL N

---
 tls.go | 8 ++++----
 tls_test.go | 12 +++++++++++-
 2 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/tls.go b/tls.go
index 758898885..e8a541c0b 100644
--- a/tls.go
+++ b/tls.go
@@ -67,6 +67,10 @@ func loadTLSConfig(settings *SessionSettings) (tlsConfig *tls.Config, err error)
 		}
 	}
 
+	if !allowSkipClientCerts {
+		tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
+	}
+
 	if !settings.HasSetting(config.SocketCAFile) {
 		return
 	}
@@ -90,10 +94,6 @@ func loadTLSConfig(settings *SessionSettings) (tlsConfig *tls.Config, err error)
 	tlsConfig.RootCAs = certPool
 	tlsConfig.ClientCAs = certPool
 
-	if !allowSkipClientCerts {
-		tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
-	}
-
 	return
 }
 
diff --git a/tls_test.go b/tls_test.go
index 60629cb6d..f1f17dfbb 100644
--- a/tls_test.go
+++ b/tls_test.go
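Review bot: TestLoadTLSWithOnlyCA checks that both pools are populated but not what the CA-only config otherwise looks like, so a regression that starts loading a key pair or changes ClientAuth would pass unnoticed; add `s.Empty(tlsConfig.Certificates)` and `s.Equal(tls.NoClientCert, tlsConfig.ClientAuth)` after the pool assertions. TestLoadTLSWithoutSSLWithOnlyCA likewise pins the nil-config outcome without saying why it is the expected result; a one-line comment, `// no SocketUseSSL and no key pair: TLS is not configured even though a CA file is present`, would document the contract the test enforces.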
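Review bot: Moving `tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert` ahead of the SocketCAFile check makes it apply when no CA file is configured, and with `ClientCAs` left nil crypto/tls verifies the presented client certificate against the host's system root pool, so any certificate issued by a publicly trusted CA satisfies the check; that is much weaker than verification against a dedicated CA and is not what the commit title suggests. If the intent really is to require client certificates whenever SocketUseSSL is not Y, the no-CA branch should either return an error or carry a comment, `// no SocketCAFile: required client certs are verified against the system root pool`, so operators understand what they are getting; the flipped expectation in TestLoadTLSNoCA in the next file section pins this behaviour. The second tls.go hunk only removes the old assignment. loadTLSConfig begins and ends outside the hunk.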
@@ -60,7 +60,7 @@ func (s *TLSTestSuite) TestLoadTLSNoCA() {
 	s.Len(tlsConfig.Certificates, 1)
 	s.Nil(tlsConfig.RootCAs)
 	s.Nil(tlsConfig.ClientCAs)
-	s.Equal(tls.NoClientCert, tlsConfig.ClientAuth)
+	s.Equal(tls.RequireAndVerifyClientCert, tlsConfig.ClientAuth)
 }
 
 func (s *TLSTestSuite) TestLoadTLSWithBadCA() {
@@ -107,6 +107,16 @@ func (s *TLSTestSuite) TestLoadTLSWithoutSSLWithOnlyCA() {
 	s.Nil(tlsConfig)
 }
 
+func (s *TLSTestSuite) TestLoadTLSAllowSkipClientCerts() {
+	s.settings.GlobalSettings().Set(config.SocketUseSSL, "Y")
+
+	tlsConfig, err := loadTLSConfig(s.settings.GlobalSettings())
+	s.Nil(err)
+	s.NotNil(tlsConfig)
+
+	s.Equal(tls.NoClientCert, tlsConfig.ClientAuth)
+}
+
 func (s *TLSTestSuite) TestServerNameUseSSL() {
 	s.settings.GlobalSettings().Set(config.SocketUseSSL, "Y")
 	s.settings.GlobalSettings().Set(config.SocketServerName, "DummyServerNameUseSSL")
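Review bot: TestLoadTLSAllowSkipClientCerts asserts only ClientAuth, so it would still pass if a certificate or a CA pool leaked into the config; add `s.Empty(tlsConfig.Certificates)`, `s.Nil(tlsConfig.RootCAs)` and `s.Nil(tlsConfig.ClientCAs)` after the ClientAuth check. In TestLoadTLSNoCA the flipped expectation now sits right next to `s.Nil(tlsConfig.ClientCAs)`, and the two together encode that client certificates are required while no CA pool is configured; a comment on that line, `// required client certs with nil ClientCAs fall back to the system root pool`, would keep the combination from being read as an oversight.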