Implemented mTLS listener to verify client certificates.

.gitignore

@@ -1,6 +1,4 @@
 .idea
 bin
-openssl
-docker-compose.y*ml
 volumes
 /config/

Dockerfile

@@ -23,6 +23,7 @@ CMD "./server" \
   "--snapshotThreshold" "${SNAPSHOT_THRESHOLD}" \
   "--snapshotInterval" "${SNAPSHOT_INTERVAL}" \
   "--tls=${TLS}" \
+  "--mtls=${MTLS}" \
   "--inMemory=${IN_MEMORY}" \
   "--bootstrapCluster=${BOOTSTRAP_CLUSTER}" \
   "--aclConfig=${ACL_CONFIG}" \
@@ -31,5 +32,8 @@ CMD "./server" \
   "--forwardCommand=${FORWARD_COMMAND}" \
   "--restoreSnapshot=${RESTORE_SNAPSHOT}" \
   "--restoreAOF=${RESTORE_AOF}" \
-  "--certKeyPair=${CERT_KEY_PAIR}" \
-  "--clientCert=${CLIENT_CERT}" \
+  # List of server cert/key pairs
+  "--certKeyPair=${CERT_KEY_PAIR_1}" \
+  "--certKeyPair=${CERT_KEY_PAIR_2}" \
+  # List of client certs
+  "--clientCA=${CLIENT_CA_1}" \

docker-compose.yaml

@@ -0,0 +1,219 @@
+version: '3.8'
+
+networks:
+  testnet:
+    driver: bridge
+
+services:
+  standalone_node:
+    container_name: standalone_node
+    build:
+      context: .
+      dockerfile: Dockerfile
+    environment:
+      - PORT=7480
+      - RAFT_PORT=8000
+      - ML_PORT=7946
+      - SERVER_ID=1
+      - PLUGIN_DIR=/usr/local/lib/echovault
+      - DATA_DIR=/var/lib/echovault
+      - IN_MEMORY=false
+      - TLS=true
+      - MTLS=true
+      - BOOTSTRAP_CLUSTER=false
+      - ACL_CONFIG=/etc/config/echovault/acl.yml
+      - REQUIRE_PASS=true
+      - PASSWORD=default_password
+      - FORWARD_COMMAND=false
+      - SNAPSHOT_THRESHOLD=1000
+      - SNAPSHOT_INTERVAL=5m30s
+      - RESTORE_SNAPSHOT=false
+      - RESTORE_AOF=true
+      # List of server cert/key pairs
+      - CERT_KEY_PAIR_1=/etc/ssl/certs/echovault/server/server1.crt,/etc/ssl/certs/echovault/server/server1.key
+      - CERT_KEY_PAIR_2=/etc/ssl/certs/echovault/server/server2.crt,/etc/ssl/certs/echovault/server/server2.key
+      # List of client certificate authorities
+      - CLIENT_CA_1=/etc/ssl/certs/echovault/client/rootCA.crt
+    ports:
+      - "7479:7480"
+      - "7946:7946"
+      - "7999:8000"
+    volumes:
+      - ./config/acl.yml:/etc/config/echovault/acl.yml
+      - ./volumes/standalone_node:/var/lib/echovault
+    networks:
+      - testnet
+
+#  cluster_node_1:
+#    container_name: cluster_node_1
+#    build:
+#      context: .
+#      dockerfile: Dockerfile
+#    environment:
+#      - PORT=7480
+#      - RAFT_PORT=8000
+#      - ML_PORT=7946
+#      - KEY=/etc/ssl/certs/echovault/server1.key
+#      - CERT=/etc/ssl/certs/echovault/server1.crt
+#      - SERVER_ID=1
+#      - PLUGIN_DIR=/usr/local/lib/echovault
+#      - DATA_DIR=/var/lib/echovault
+#      - IN_MEMORY=false
+#      - TLS=true
+#      - BOOTSTRAP_CLUSTER=true
+#      - ACL_CONFIG=/etc/config/echovault/acl.yml
+#      - REQUIRE_PASS=false
+#      - FORWARD_COMMAND=true
+#      - SNAPSHOT_THRESHOLD=1000
+#      - SNAPSHOT_INTERVAL=300
+#      - RESTORE_SNAPSHOT=false
+#      - RESTORE_AOF=false
+#    ports:
+#      - "7480:7480"
+#      - "7945:7946"
+#      - "8000:8000"
+#    volumes:
+#      - ./config/acl.yml:/etc/config/echovault/acl.yml
+#      - ./volumes/cluster_node_1:/var/lib/echovault
+#    networks:
+#      - testnet
+#
+#  cluster_node_2:
+#    container_name: cluster_node_2
+#    build:
+#      context: .
+#      dockerfile: Dockerfile
+#    environment:
+#      - PORT=7480
+#      - RAFT_PORT=8000
+#      - ML_PORT=7946
+#      - KEY=/etc/ssl/certs/echovault/server1.key
+#      - CERT=/etc/ssl/certs/echovault/server1.crt
+#      - SERVER_ID=2
+#      - JOIN_ADDR=cluster_node_1:7946
+#      - PLUGIN_DIR=/usr/local/lib/echovault
+#      - DATA_DIR=/var/lib/echovault
+#      - IN_MEMORY=false
+#      - TLS=true
+#      - BOOTSTRAP_CLUSTER=false
+#      - ACL_CONFIG=/etc/config/echovault/acl.yml
+#      - REQUIRE_PASS=false
+#      - FORWARD_COMMAND=true
+#      - SNAPSHOT_THRESHOLD=1000
+#      - SNAPSHOT_INTERVAL=300
+#      - RESTORE_SNAPSHOT=false
+#      - RESTORE_AOF=false
+#    ports:
+#      - "7481:7480"
+#      - "7947:7946"
+#      - "8001:8000"
+#    volumes:
+#      - ./config/acl.yml:/etc/config/echovault/acl.yml
+#      - ./volumes/cluster_node_2:/var/lib/echovault
+#    networks:
+#      - testnet
+#
+#  cluster_node_3:
+#    container_name: cluster_node_3
+#    build:
+#      context: .
+#      dockerfile: Dockerfile
+#    environment:
+#      - PORT=7480
+#      - RAFT_PORT=8000
+#      - ML_PORT=7946
+#      - KEY=/etc/ssl/certs/echovault/server1.key
+#      - CERT=/etc/ssl/certs/echovault/server1.crt
+#      - SERVER_ID=3
+#      - JOIN_ADDR=cluster_node_1:7946
+#      - PLUGIN_DIR=/usr/local/lib/echovault
+#      - DATA_DIR=/var/lib/echovault
+#      - IN_MEMORY=false
+#      - TLS=true
+#      - BOOTSTRAP_CLUSTER=false
+#      - ACL_CONFIG=/etc/config/echovault/acl.yml
+#      - REQUIRE_PASS=false
+#      - FORWARD_COMMAND=true
+#      - SNAPSHOT_THRESHOLD=1000
+#      - SNAPSHOT_INTERVAL=300
+#      - RESTORE_SNAPSHOT=false
+#      - RESTORE_AOF=false
+#    ports:
+#      - "7482:7480"
+#      - "7948:7946"
+#      - "8002:8000"
+#    volumes:
+#      - ./config/acl.yml:/etc/config/echovault/acl.yml
+#      - ./volumes/cluster_node_3:/var/lib/echovault
+#    networks:
+#      - testnet
+#
+#  cluster_node_4:
+#    container_name: cluster_node_4
+#    build:
+#      context: .
+#      dockerfile: Dockerfile
+#    environment:
+#      - PORT=7480
+#      - RAFT_PORT=8000
+#      - ML_PORT=7946
+#      - KEY=/etc/ssl/certs/echovault/server1.key
+#      - CERT=/etc/ssl/certs/echovault/server1.crt
+#      - SERVER_ID=4
+#      - JOIN_ADDR=cluster_node_1:7946
+#      - PLUGIN_DIR=/usr/local/lib/echovault
+#      - DATA_DIR=/var/lib/echovault
+#      - IN_MEMORY=false
+#      - TLS=true
+#      - BOOTSTRAP_CLUSTER=false
+#      - ACL_CONFIG=/etc/config/echovault/acl.yml
+#      - REQUIRE_PASS=false
+#      - FORWARD_COMMAND=true
+#      - SNAPSHOT_THRESHOLD=1000
+#      - SNAPSHOT_INTERVAL=300
+#      - RESTORE_SNAPSHOT=false
+#      - RESTORE_AOF=false
+#    ports:
+#      - "7483:7480"
+#      - "7949:7946"
+#      - "8003:8000"
+#    volumes:
+#      - ./config/acl.yml:/etc/config/echovault/acl.yml
+#      - ./volumes/cluster_node_4:/var/lib/echovault
+#    networks:
+#      - testnet
+#
+#  cluster_node_5:
+#    container_name: cluster_node_5
+#    build:
+#      context: .
+#      dockerfile: Dockerfile
+#    environment:
+#      - PORT=7480
+#      - RAFT_PORT=8000
+#      - ML_PORT=7946
+#      - KEY=/etc/ssl/certs/echovault/server1.key
+#      - CERT=/etc/ssl/certs/echovault/server1.crt
+#      - SERVER_ID=5
+#      - JOIN_ADDR=cluster_node_1:7946
+#      - PLUGIN_DIR=/usr/local/lib/echovault
+#      - DATA_DIR=/var/lib/echovault
+#      - IN_MEMORY=false
+#      - TLS=true
+#      - BOOTSTRAP_CLUSTER=false
+#      - ACL_CONFIG=/etc/config/echovault/acl.yml
+#      - REQUIRE_PASS=false
+#      - FORWARD_COMMAND=true
+#      - SNAPSHOT_THRESHOLD=1000
+#      - SNAPSHOT_INTERVAL=300
+#      - RESTORE_SNAPSHOT=false
+#      - RESTORE_AOF=false
+#    ports:
+#      - "7484:7480"
+#      - "7950:7946"
+#      - "8004:8000"
+#    volumes:
+#      - ./config/acl.yml:/etc/config/echovault/acl.yml
+#      - ./volumes/cluster_node_5:/var/lib/echovault
+#    networks:
+#      - testnet

openssl/client/rootCA.crt

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDUTCCAjmgAwIBAgIUYEq8SoSfeaJZt32PKfPoBVBUeVswDQYJKoZIhvcNAQEL
+BQAwODESMBAGA1UEAwwJbG9jYWxob3N0MQswCQYDVQQGEwJNWTEVMBMGA1UEBwwM
+S3VhbGEgTHVtcHVyMB4XDTI0MDIwMjIxMTgzOVoXDTM0MDEzMDIxMTgzOVowODES
+MBAGA1UEAwwJbG9jYWxob3N0MQswCQYDVQQGEwJNWTEVMBMGA1UEBwwMS3VhbGEg
+THVtcHVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2YHqodqIKVnB
+1jIY4YsjIWHEZbT3YnDdNOQu23iMv8fB2dhwBJGAlnvX3xZ+UTkbKsBfMK6JfHfI
+1X7LcPaxs93x8iKs9nUp3wdyCTuzb4HpH/Ke1tW6x3kGlW+hLENC1YRgGM3STYuT
+QctW2EKgQJPB+nGkkp4joa1Dc+ShdKWCfXryXoVpi8ljQxaiqY8kQ8Tp/FsDjK2t
+HtGyPG00XfIrp9wPaqlgHa8UTEdp4gSjPxu2pF9TkkSdpny5I+j7fTroyQ2Pk+mP
+K8EaBj0jqxC7GiOlHETttDmn84oOzDxKZXV9Z9O1+r/TmERB49+p7M6Ab3ooEDUk
+0VmZi/axhQIDAQABo1MwUTAdBgNVHQ4EFgQU0ew0XSAHAYVSt4ncqBEWecMHZ2Aw
+HwYDVR0jBBgwFoAU0ew0XSAHAYVSt4ncqBEWecMHZ2AwDwYDVR0TAQH/BAUwAwEB
+/zANBgkqhkiG9w0BAQsFAAOCAQEAU0CAPpenSBavJnJ0Dh6d8BxuvHu6Mcg3xQoE
+cMeITxRieTz2nEj1Z/j9EENERy72C5s+kDl+RaI5kEjm/bAjH2gfELbtXA4SkyZq
+2JhZ4hgMjqAPMx/mb+dGOjh5gu8kh2DJKOBOFiP9TVuBpofkhABkk93OLHGOgfDY
+jCifQFqee7sHJbOU3wpACXaydSQXUihP9JLqVNAP5DQzoFDPu8mtst0gP8EOoltu
+UWEvdLyMFzJbAGv1EMIalgUuaCV34r+OLs0mg/c04YsqRXzH1YDMpQZjbfneMBJT
+hYUQdXjPLKvaHPaj1TErbQC1yn74sP04OMXjhJnfdLumOZn3EQ==
+-----END CERTIFICATE-----

openssl/server/cert.conf

@@ -0,0 +1,8 @@
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = localhost
+

openssl/server/csr.conf

@@ -0,0 +1,24 @@
+[ req ]
+default_bits = 2048
+prompt = no
+default_md = sha256
+req_extensions = req_ext
+distinguished_name = dn
+
+[ dn ]
+C = MY
+ST = Kuala Lumpur
+L = Kuala Lumpur
+O = EchoVault
+OU = EchoVault Dev
+CN = localhost
+
+[ req_ext ]
+subjectAltName = @alt_names
+
+[ alt_names ]
+DNS.1 = localhost
+DNS.2 = localhost
+IP.1 = 192.168.1.5
+IP.2 = 192.168.1.6
+

openssl/server/rootCA.crt

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDUTCCAjmgAwIBAgIURMg03pNcrEiIHkO9F2NXqAPLoh0wDQYJKoZIhvcNAQEL
+BQAwODESMBAGA1UEAwwJbG9jYWxob3N0MQswCQYDVQQGEwJNWTEVMBMGA1UEBwwM
+S3VhbGEgTHVtcHVyMB4XDTI0MDIwMjIxMTkwNFoXDTM0MDEzMDIxMTkwNFowODES
+MBAGA1UEAwwJbG9jYWxob3N0MQswCQYDVQQGEwJNWTEVMBMGA1UEBwwMS3VhbGEg
+THVtcHVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv9WYvOmd7jLl
+5Vry3M4C6ebwhGou1i4Eum6k9W0712mjWeOjrmruADV86hW18U+1ZYox1lVIWeDk
+R3v/YB0D72Wr2NFWqjNrpkwJRd/ztRDXhMXI7q3MzQgoRxysR3qbV4lHYYnsm1FY
+mh5CO1uBJCMouKh4zJ2vTmBJ2TeAwyC6bYfqKpW3xPmUD+qB21e0XNaKJ6rgQynX
+/AML27h9m4v50hQHg8ju2hliCUXYwO1Z79XYLwXxskJH/fI+cz0pVzUS/44p5FCF
+5AWY/pwz0IuAtaXZ56rPupZaIiEmdgg9zdArNBdnOzdV6a5LlSkllbG0EuXmXbOW
+Y9JTzopaKwIDAQABo1MwUTAdBgNVHQ4EFgQUPtIcTECRJBgs8kTcH6IwcZ/XV0Uw
+HwYDVR0jBBgwFoAUPtIcTECRJBgs8kTcH6IwcZ/XV0UwDwYDVR0TAQH/BAUwAwEB
+/zANBgkqhkiG9w0BAQsFAAOCAQEAEOjEVYpL/jroupSijqC0ynWE7CBaQT65c+A/
+DQdw2Igyy3oyi2hKCB01nYRhHSClFm6bT7HjBJ2pua7Kvi7j/YzJKu5DvF8nvHa3
+v3E6EGsHPjIhfZkMZNgKR6nTcCX2DgCdKICLA//oBzuVauSIUtwYs6uw68SuIzV7
+UUeJOKTs6BN5CLoa0yoWxdoIpAjr9UQIhIgrIiaB45enmiFhLsz/N+tOH5f28Omc
+5ER/dgCRgIYVWO9A2emlstrEujr2ct0M+xQrmN+xZWhjdGpT6vJwTn6Tva9f17+t
+IOws1mhm1SciG4hlpQl6d90HxU82Aol6/spxv+jKrDAhkGM+aw==
+-----END CERTIFICATE-----

openssl/server/rootCA.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC/1Zi86Z3uMuXl
+WvLczgLp5vCEai7WLgS6bqT1bTvXaaNZ46Ouau4ANXzqFbXxT7VlijHWVUhZ4ORH
+e/9gHQPvZavY0VaqM2umTAlF3/O1ENeExcjurczNCChHHKxHeptXiUdhieybUVia
+HkI7W4EkIyi4qHjMna9OYEnZN4DDILpth+oqlbfE+ZQP6oHbV7Rc1oonquBDKdf8
+AwvbuH2bi/nSFAeDyO7aGWIJRdjA7Vnv1dgvBfGyQkf98j5zPSlXNRL/jinkUIXk
+BZj+nDPQi4C1pdnnqs+6lloiISZ2CD3N0Cs0F2c7N1XprkuVKSWVsbQS5eZds5Zj
+0lPOilorAgMBAAECggEACZi3W9f6ARUFwCwFEzuxFJ9rb8xaDHff362yTd7JjBSq
+SdBj+1E5F8SVO6abY/d/VRWNObIpfOmNse/HjjjVXhABgUazpa8N1xNdsWOrLucp
+SOiWDS6fnLAoR6ptCeRdygrBieUa84glvQv/dzW0J6kkm9w9ssq+ntadSyMGK3ys
++qO1rgKqSqRJR2lIN53AMqQQWRPdq4i5fwszXbdqemk87uXT1YmXDV0TVZtOIabJ
+Bs+EtNtBWgbgmEvqa1OYAFn/51/3r5/85Gg35JxNzATT+in7xaJNOtWGwHYkJoYy
+d+rTYX7HYvtqq/u1/W84IpRGhyA3JdyPkeMRQ1MzzQKBgQDfDpextw1T5grLAjKA
+v4dsBXmOqvcI2MxzBPFQv1GUEH2od1iwtpoavHFuonFhR8WGirzOfYl8dAlkJGxp
+Mrq7AYOkTDg4mg9xawWiU4ejLK1vaBZj0w3cijAtlufUrCFymZzkmKmxQr75Oa/H
+NMrLEbS5wP5FyxNVh15fislSZQKBgQDcKodn/NFCJ0WfG1b5bN4oN8vw+UUFLkl7
+AMaA58pCdLT2Vhq9fj7UMpKeRn34MuzRq2jMwhUE0YK/mtvxf+nADe7xbHvtBviJ
+w4Xa4jFOrCx2+DeVCCchj4Zqizt1Q+GkCR0dlnUtV2WwFusxenizoC8FiGOGpIez
+fkW3Z/zpTwKBgQCK05U8KXblEdcD1MFD+nC5nYqzbdrEqdJNf/UFUZ3fbogW0vjj
+OzMcks5yki3I4xegDjdGuUFZsQqrRjQnIUiw3VdmaX3QVKpp57cg+aYAu+zR2tGc
+nZ4R9fvYVATEC8HhhpPsfsuWpLkhenLZpBTXYJS/y8s1+xd0cwUcp893NQKBgQCQ
+tBsfC5l1w14M/ukhMp6pDFMsZIkqqIt/HrlZC/9xwkcWCO22Uf11dm/LO0WcFcx0
+2hYdTgqGijVHPb8FcS7vHblIUCb7WLONyEZ34GbL8HmhD+9oMl2Vv0F3UV+Y6S6q
+o5rRUYxeaqzZGZcng/lFBikhl8ziN81A+eNUcjJWHQKBgQCRXcYR19roZk8T4tCW
+QHlTyhxo9SJXd4GR1oNzAl2dEQb6pFsj3S4uxqLTA5ALD6UvRuYDmW7wbVzDmybW
+4veL4di6AZm4JP4/RXOytIFjFlWD32JdENI9LbNW1HyG5Xz67YVEupnrPtSgm4l+
+DsNjgbvS+ZyrJDhxfPaS1f4iLA==
+-----END PRIVATE KEY-----

openssl/server/rootCA.srl

@@ -0,0 +1 @@
+02CE9392E93C0EB4D8E6C8F16A169D02A5671540

openssl/server/server1.crt

@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDsTCCApmgAwIBAgIUAs6Tkuk8DrTY5sjxahadAqVnFT8wDQYJKoZIhvcNAQEL
+BQAwODESMBAGA1UEAwwJbG9jYWxob3N0MQswCQYDVQQGEwJNWTEVMBMGA1UEBwwM
+S3VhbGEgTHVtcHVyMB4XDTI0MDIwMjIxMzQzM1oXDTM0MDEzMDIxMzQzM1owezEL
+MAkGA1UEBhMCTVkxFTATBgNVBAgMDEt1YWxhIEx1bXB1cjEVMBMGA1UEBwwMS3Vh
+bGEgTHVtcHVyMRIwEAYDVQQKDAlFY2hvVmF1bHQxFjAUBgNVBAsMDUVjaG9WYXVs
+dCBEZXYxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBALhjjr04IVgFWX7JHOzQHR7XCePb4T/HmSn5lQBP9d4jAq0yIAxl
+mLr7qR3/FPVE2zZIvgz4AWPf5RAJBFCFHquMZuTAREAR20tApDwYraL2Lsdwe70C
+6zLmJ64/7wIJWN03H0CUoe++7w4CXSoGi7Y2FmoGOno3yacfZNJAEekPTW2Kl6sG
+WpsV2sjGqP8uFXP8SU3RuoJs9z/YSZm04/UxTv3wYycK1Qt+JhgyjDeXQ73casrT
+IRUoKFXdf+YNjZBSWEhKU6kkapQbXMSfROGU/HgCqVKvi7z5ykog5ycjxAT1TDH8
+uSssajGEknlnAebFBmvKIyX9Rxzw2ebkd3MCAwEAAaNwMG4wHwYDVR0jBBgwFoAU
+PtIcTECRJBgs8kTcH6IwcZ/XV0UwCQYDVR0TBAIwADALBgNVHQ8EBAMCBPAwFAYD
+VR0RBA0wC4IJbG9jYWxob3N0MB0GA1UdDgQWBBTdq3Qkdmu6R21tCyLk7NO/KcSW
+cjANBgkqhkiG9w0BAQsFAAOCAQEAiGPLaZgFzKdhVTgxcRzOsav7YDwz4yUy1sC5
+XYKIQJMPJ5hcNA3YfByuSvAWa8myu1LAB2RXMrprSzrBILjBWYdRSFWkOqbPGH88
+kC1FLHvFR4L9ncP4XddDtY9YX+oGC2nZT5rYTH+nikm/TxPhOutDgUuKWOKoFag0
+olW2XHgcKnG92SoSAtp1mBBYrXN8d3ZQKB84ubb4PDiqvD/TyLqfljn9bv2zSZd/
+ZtoGLYzRcJLyrQGOQM05++8vsVg1tcGpoDvij2h2A6GNX7z/wrY/v0WNaRaowmJT
++wyvtpvwYxS1CFYkt5GdDSZB66SYw73onHsOTLDK7YjV/jt2tw==
+-----END CERTIFICATE-----

openssl/server/server1.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC4Y469OCFYBVl+
+yRzs0B0e1wnj2+E/x5kp+ZUAT/XeIwKtMiAMZZi6+6kd/xT1RNs2SL4M+AFj3+UQ
+CQRQhR6rjGbkwERAEdtLQKQ8GK2i9i7HcHu9Ausy5ieuP+8CCVjdNx9AlKHvvu8O
+Al0qBou2NhZqBjp6N8mnH2TSQBHpD01tiperBlqbFdrIxqj/LhVz/ElN0bqCbPc/
+2EmZtOP1MU798GMnCtULfiYYMow3l0O93GrK0yEVKChV3X/mDY2QUlhISlOpJGqU
+G1zEn0ThlPx4AqlSr4u8+cpKIOcnI8QE9Uwx/LkrLGoxhJJ5ZwHmxQZryiMl/Ucc
+8Nnm5HdzAgMBAAECggEANi9zk+F50v8HdL2vFVx3Ikf5LQ/BmteSCAbDJatZymSp
+dbIkPuBgSJqJ8Tmzs/v/G223A+KhrfLuwo6TyQHFqI4C8rgZlmZo9i1R1iM+a4RC
+7PL+OeYwre16vbcmCogqqB95vKWxDN4kLA6/yAjSZ8JvRcr8xku8o7MTEsInQUBw
+sqgsXaibn0Hjo3yI+jo/PEEEkJQpsMgdJoooMxtgx1BFP6lFXI4syf70Jyw97Xfg
+wz0Cs0fYLZ+bwvsV6dBG6jD6M43L/1rc2Pl61EU9cUlgGSLZupp1QRhECYbCe7Lc
+clhPWhXOGs2F1KcgORZo5vfxRM8H0TZ3MbWvGv0LkQKBgQDuuTGltLYWMTLWsfDG
+ebr5GMkyBFwGJMLphJniC8FvGEE1sFEIl0RL3BrLo1TbN69B0eu8khTcEUo+1Jmd
+V21SsyH7my7/myrXkzQBVq1zXDV7HdF59PRAANVeLgut1F0TcjH3sCNCrEyu2/hW
+y1BIm+78qAe3jIGdQNrDEeI7+QKBgQDFu7aTv0vZtA1TzJuhiZgLYAV5Ozomj/c0
+QfWDEQHakWViX3emF4LixjHdCkt8axzeYECfVIfUrJCLc+iDizUK/dYxoMjeIopM
+1awWq7bAHTcvHkHKBKf71vkPeiSrbuloZHEiJmiKabeesydwFuenvcBvSF/mwE6A
+5zodQbZxywKBgBRFW4bjonad9OAwOe7QlWTjiuoZXqsS4g4sOVjtgJ5rY9YoQ6lE
+FwOODCRwmRsITnR7W9YmXWkWesR9DxJCQ0E7fs47rjD8PxYRJOBcONxL3yq2LHx7
+pWXt7DBUHp/DIaguETokFcpqkRRkD2FnYEjaHOANcKJQZw0wXaMk2J4ZAoGBAKX+
+PHpx6BIdleaYaLpGUQ6TkGTCdMG0r/j9ukZKO70pu+vGayJSsH0BlxCRuOb84KJK
+OVXIV7MRHtMC/dmYPnI4v9yvtpDMfD+eTLZHdsZ2gEIc62vVVtQTFsiIaEpGdMk/
+ML5TcgVoVE505ZGymMx3fhmtr1x+aijKdD3lUWzbAoGAcb3yQ6CG1p3H0hhfya6P
+xH+sw8I9jkPVkFsIBmogSO06pDf9Y5rn793LMDcF3ReKh0KYdxa2bc+H+PX5fd0X
+b5Va1OrBKeRdAJpDLcWAwP2j0fMn6BxfOagPpi6MolwjFYxdGpmnSXA4qUkzQy8+
+MD8i0N36qGHSFas73MgXfIE=
+-----END PRIVATE KEY-----

openssl/server/server2.crt

@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDsTCCApmgAwIBAgIUAs6Tkuk8DrTY5sjxahadAqVnFUAwDQYJKoZIhvcNAQEL
+BQAwODESMBAGA1UEAwwJbG9jYWxob3N0MQswCQYDVQQGEwJNWTEVMBMGA1UEBwwM
+S3VhbGEgTHVtcHVyMB4XDTI0MDIwMjIxMzkxN1oXDTM0MDEzMDIxMzkxN1owezEL
+MAkGA1UEBhMCTVkxFTATBgNVBAgMDEt1YWxhIEx1bXB1cjEVMBMGA1UEBwwMS3Vh
+bGEgTHVtcHVyMRIwEAYDVQQKDAlFY2hvVmF1bHQxFjAUBgNVBAsMDUVjaG9WYXVs
+dCBEZXYxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBALcFy9FDehITe6wbqUSt4LiOvPWuxDwLJiqpxsCF8pBGAjIQd5Q9
+WZr4LERS3nLrT/0zRoMHwNLmrNQkkzX5HOe63Ue14VKBsuWlDtvdqFB6xXaqXTLa
+YjEmL0Hnw1RVq4mgR0zgOF0Jg0AIbYejrGnIP6OBuy41+FZSmRhH9W2D15xMX9Lp
+v+xcRUcy2irBUsZduS5a//aBapMk4d57P9ql2UyCka9H5TNi8wNc2UEyJX2Ctfy0
+AG1RNSxRa5wiMuCK13s6dt8GZNb06hOJ4RbC4jJGRMRsnVX3ycdnRec5nbQ2U1qm
+EpwZCgrTG3IwABk33E2nzlPEFSc9CK8cqlkCAwEAAaNwMG4wHwYDVR0jBBgwFoAU
+PtIcTECRJBgs8kTcH6IwcZ/XV0UwCQYDVR0TBAIwADALBgNVHQ8EBAMCBPAwFAYD
+VR0RBA0wC4IJbG9jYWxob3N0MB0GA1UdDgQWBBQNv4nVf+SHAq9hztQYiAMekFZy
+0TANBgkqhkiG9w0BAQsFAAOCAQEAdskk1zhea1Dk22fJPfDSiV/EiNfD5HV+Q0hT
+xzmkByOcdPt0dgo8tCSGGn921rLhYN+J7dJkht9Rvo356A6QyDsTfPF/GHT4GTdg
+fzbIuJZSKyRGWPQcFN/ta+zjMeyk+4OLfcj78ChGE3FwNb5aEAouip1Ocdrp/x/9
+VyxDtFxQdrhlcUOphw+IW1NKZj+5jlRr+AWd9Vv/i+KOrlS1F4bdn2QpJX0cg1cN
+c6v/0XQkbvxuwPAled32ALaL8praIFxItzE0Rrj6jEyNMieeUqYjjSB68DE55VpX
+VF7fSSLbJjvtlmpz4LYGlNPMZvA9nZbJnKiTeUmuPCB7rXYNrA==
+-----END CERTIFICATE-----

openssl/server/server2.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC3BcvRQ3oSE3us
+G6lEreC4jrz1rsQ8CyYqqcbAhfKQRgIyEHeUPVma+CxEUt5y60/9M0aDB8DS5qzU
+JJM1+Rznut1HteFSgbLlpQ7b3ahQesV2ql0y2mIxJi9B58NUVauJoEdM4DhdCYNA
+CG2Ho6xpyD+jgbsuNfhWUpkYR/Vtg9ecTF/S6b/sXEVHMtoqwVLGXbkuWv/2gWqT
+JOHeez/apdlMgpGvR+UzYvMDXNlBMiV9grX8tABtUTUsUWucIjLgitd7OnbfBmTW
+9OoTieEWwuIyRkTEbJ1V98nHZ0XnOZ20NlNaphKcGQoK0xtyMAAZN9xNp85TxBUn
+PQivHKpZAgMBAAECggEAJAEfZeTk1D6B80sjwu+DyDrIQHqnfvpggT8R6tjO7YPg
+NbIYnBBvmrVcm/pDaY8SFsjqA6fYToTzle42CYWeopWXp15H27/JDjUo1abm0CI+
+y0fbesAMVgfhfxEVU3dg/fuKWzy2ydKvv76IsYjIx6yNnGBOjtouJukr1eN+DBNw
+3xw1vndn25uRLCvae5vHx2pAZykcmoN65tksS2RolulWttzXOyXLRVWw0mpzahqo
+/qHjGrX0InE7xQh3rHErQ+YnLiv43NeY5PupSLCGrXRhdRSwne/NU4FfFlwzXL5b
+7JreEPi2PcvudkEhOKK0aEn2YhURRblj93Lb0H+KCwKBgQDlHZorPVKWcezlQD8P
+2rpf27Lssqy6rFxXbgfrRXnj2r8BbSkiEFAM2wbyZODL9rAyNyAUhKz96F7WE74P
+jjHDHoGxj1CxxcleZPx8en+qyx58Yb8wLswwbX4J1o9dTgnU8DN/z1wEIiyMMN7z
+I2V5CQCr75eygmY1zjLg9W0WZwKBgQDMf5ufHGnGBtT8NrTpXnKaaY9AYJsp2G9U
+ck3HFGtdGvAS85UA8OfQBdEQNtkaVe79hmet9OdfH0i5I9RdnW90WndAOZa6tRfH
+k/Gcrjh6+sFrdF7ll29qEowvSBPFg1cRJzz2eZJepZChWeMrsq5FW7j3t0d4s2Zl
+o/tJkExBPwKBgBolea2Ljvw6PhWfclLl3DUKRm36qfmXp+YWWXMA97sIAJoyEeqg
+P/JnoHBTENBV85+XaOLOjUtglEoL8LmnuYgR2C0iNMxEzQknrySpeh5MlcsOAJqI
+DKdOJ38J7Exylm6lhssEJ/UUzU6mWRsYJAFfBKOacQ5fETj8shO4Dl3rAoGBAMhu
+wi7fAGURSSuyyvp4kcb6c2dbyHjpI6UXK1hWkSx+PJO2nnJ/rBVdvh0wRPXlCAsA
+8xmzEhtPZE3h6kGfDyBxkrQmPa/d0uLQBF3W/JC8uVsCgghxtse2SiQFdyt9oZa0
+aLIDUgzmJa2flmK8DMb6MX7J6olI/LHeWWsuvS6tAoGBAMPEzNiJwkH/0Wjl15hg
+ClBEtyen99iMRpztQoc3r/fbK3oIVaEis2Udka+vcfCXfIiDS4c2eOy4WWaTxquo
+T41o6EBMbOABJoWA7Zd+qJeXi9+dX7ZbePYu/vSL0lKkfiEIUIpTjzDSSmT2bGR3
+3zF/PPSNLhFoESouDSmzLxO1
+-----END PRIVATE KEY-----

src/server/server.go

@@ -86,12 +86,12 @@ func (server *Server) StartTCP(ctx context.Context) {
 
 		if conf.MTLS {
 			clientAuth = tls.RequireAndVerifyClientCert
-			for _, c := range conf.ClientCerts {
-				certFile, err := os.Open(c)
+			for _, c := range conf.ClientCAs {
+				ca, err := os.Open(c)
 				if err != nil {
 					log.Fatal(err)
 				}
-				certBytes, err := io.ReadAll(certFile)
+				certBytes, err := io.ReadAll(ca)
 				if err != nil {
 					log.Fatal(err)
 				}
@@ -105,6 +105,7 @@ func (server *Server) StartTCP(ctx context.Context) {
 			Certificates: certificates,
 			ClientAuth:   clientAuth,
 			ClientCAs:    clientCerts,
+			MinVersion:   tls.VersionTLS13,
 		})
 	}
 
@@ -137,20 +138,6 @@ func (server *Server) handleConnection(ctx context.Context, conn net.Conn) {
 			break
 		}
 
-		var netErr net.Error
-
-		if err != nil && errors.As(err, &netErr) && netErr.Timeout() {
-			// Connection timeout
-			log.Println(err)
-			break
-		}
-
-		if err != nil && errors.Is(err, tls.RecordHeaderError{}) {
-			// TLS verification error
-			log.Println(err)
-			break
-		}
-
 		if err != nil {
 			log.Println(err)
 			break

src/utils/config.go

@@ -17,7 +17,7 @@ type Config struct {
 	TLS                bool          `json:"tls" yaml:"tls"`
 	MTLS               bool          `json:"mtls" yaml:"mtls"`
 	CertKeyPairs       [][]string    `json:"certKeyPairs" yaml:"certKeyPairs"`
-	ClientCerts        []string      `json:"clientCerts" yaml:"clientCerts"`
+	ClientCAs          []string      `json:"ClientCAs" yaml:"ClientCAs"`
 	Port               uint16        `json:"port" yaml:"port"`
 	PluginDir          string        `json:"plugins" yaml:"plugins"`
 	ServerID           string        `json:"serverId" yaml:"serverId"`
@@ -40,21 +40,24 @@ type Config struct {
 
 func GetConfig() (Config, error) {
 	var certKeyPairs [][]string
-	var clientCerts []string
+	var clientCAs []string
 
 	flag.Func("certKeyPair",
 		"A pair of file paths representing the signed certificate and it's corresponding key separated by a comma.",
 		func(s string) error {
 			pair := strings.Split(strings.TrimSpace(s), ",")
+			for i := 0; i < len(pair); i++ {
+				pair[i] = strings.TrimSpace(pair[i])
+			}
 			if len(pair) != 2 {
-				return errors.New("certKeyPair must be 2 comma separated strings in the format")
+				return errors.New("certKeyPair must be 2 comma separated strings")
 			}
 			certKeyPairs = append(certKeyPairs, pair)
 			return nil
 		})
 
-	flag.Func("clientCert", "Certificate file used to verify the client. ", func(s string) error {
-		clientCerts = append(clientCerts, s)
+	flag.Func("clientCA", "Path to certificate authority used to verify client certificates.", func(s string) error {
+		clientCAs = append(clientCAs, s)
 		return nil
 	})
 
@@ -101,7 +104,7 @@ It is a plain text value by default but you can provide a SHA256 hash by adding
 
 	conf := Config{
 		CertKeyPairs:       certKeyPairs,
-		ClientCerts:        clientCerts,
+		ClientCAs:          clientCAs,
 		TLS:                *tls,
 		MTLS:               *mtls,
 		PluginDir:          *pluginDir,