Merge pull request #1142 from bcwaldon/TLS

TLS: peer server/transport and proxy transport

etcdserver/etcdhttp/peers.go

@@ -23,14 +23,14 @@ func addScheme(addr string) string {
 	return fmt.Sprintf("http://%s", addr)
 }
 
-// Pick chooses a random address from a given Peer's addresses, and returns it as
-// an addressible URI. If the given peer does not exist, an empty string is returned.
+// Pick returns a random address from a given Peer's addresses. If the
+// given peer does not exist, an empty string is returned.
 func (ps Peers) Pick(id int64) string {
 	addrs := ps[id]
 	if len(addrs) == 0 {
 		return ""
 	}
-	return addScheme(addrs[rand.Intn(len(addrs))])
+	return addrs[rand.Intn(len(addrs))]
 }
 
 // Set parses command line sets of names to IPs formatted like:
@@ -85,21 +85,41 @@ func (ps Peers) Endpoints() []string {
 	return endpoints
 }
 
-func Sender(p Peers) func(msgs []raftpb.Message) {
+// Addrs returns a list of all peer addresses. The returned list is sorted
+// in ascending lexicographical order.
+func (ps Peers) Addrs() []string {
+	addrs := make([]string, 0)
+	for _, paddrs := range ps {
+		for _, paddr := range paddrs {
+			addrs = append(addrs, paddr)
+		}
+	}
+	sort.Strings(addrs)
+	return addrs
+}
+
+func Sender(t *http.Transport, p Peers) func(msgs []raftpb.Message) {
+	c := &http.Client{Transport: t}
+
+	scheme := "http"
+	if t.TLSClientConfig != nil {
+		scheme = "https"
+	}
+
 	return func(msgs []raftpb.Message) {
 		for _, m := range msgs {
 			// TODO: reuse go routines
 			// limit the number of outgoing connections for the same receiver
-			go send(p, m)
+			go send(c, scheme, p, m)
 		}
 	}
 }
 
-func send(p Peers, m raftpb.Message) {
+func send(c *http.Client, scheme string, p Peers, m raftpb.Message) {
 	// TODO (xiangli): reasonable retry logic
 	for i := 0; i < 3; i++ {
-		url := p.Pick(m.To)
-		if url == "" {
+		addr := p.Pick(m.To)
+		if addr == "" {
 			// TODO: unknown peer id.. what do we do? I
 			// don't think his should ever happen, need to
 			// look into this further.
@@ -107,7 +127,7 @@ func send(p Peers, m raftpb.Message) {
 			return
 		}
 
-		url += raftPrefix
+		url := fmt.Sprintf("%s://%s%s", scheme, addr, raftPrefix)
 
 		// TODO: don't block. we should be able to have 1000s
 		// of messages out at a time.
@@ -116,16 +136,15 @@ func send(p Peers, m raftpb.Message) {
 			log.Println("etcdhttp: dropping message:", err)
 			return // drop bad message
 		}
-		if httpPost(url, data) {
+		if httpPost(c, url, data) {
 			return // success
 		}
 		// TODO: backoff
 	}
 }
 
-func httpPost(url string, data []byte) bool {
-	// TODO: set timeouts
-	resp, err := http.Post(url, "application/protobuf", bytes.NewBuffer(data))
+func httpPost(c *http.Client, url string, data []byte) bool {
+	resp, err := c.Post(url, "application/protobuf", bytes.NewBuffer(data))
 	if err != nil {
 		elog.TODO()
 		return false

etcdserver/etcdhttp/peers_test.go

@@ -16,24 +16,28 @@ func TestPeers(t *testing.T) {
 		in      string
 		wids    []int64
 		wep     []string
+		waddrs  []string
 		wstring string
 	}{
 		{
 			"1=1.1.1.1",
 			[]int64{1},
 			[]string{"http://1.1.1.1"},
+			[]string{"1.1.1.1"},
 			"1=1.1.1.1",
 		},
 		{
 			"2=2.2.2.2",
 			[]int64{2},
 			[]string{"http://2.2.2.2"},
+			[]string{"2.2.2.2"},
 			"2=2.2.2.2",
 		},
 		{
 			"1=1.1.1.1&1=1.1.1.2&2=2.2.2.2",
 			[]int64{1, 2},
 			[]string{"http://1.1.1.1", "http://1.1.1.2", "http://2.2.2.2"},
+			[]string{"1.1.1.1", "1.1.1.2", "2.2.2.2"},
 			"1=1.1.1.1&1=1.1.1.2&2=2.2.2.2",
 		},
 		{
@@ -41,6 +45,7 @@ func TestPeers(t *testing.T) {
 			[]int64{1, 2, 3, 4},
 			[]string{"http://1.1.1.1", "http://1.1.1.2", "http://2.2.2.2",
 				"http://3.3.3.3", "http://4.4.4.4"},
+			[]string{"1.1.1.1", "1.1.1.2", "2.2.2.2", "3.3.3.3", "4.4.4.4"},
 			"1=1.1.1.1&1=1.1.1.2&2=2.2.2.2&3=3.3.3.3&4=4.4.4.4",
 		},
 	}
@@ -59,6 +64,10 @@ func TestPeers(t *testing.T) {
 		if !reflect.DeepEqual(ep, tt.wep) {
 			t.Errorf("#%d: Endpoints=%#v, want %#v", i, ep, tt.wep)
 		}
+		addrs := p.Addrs()
+		if !reflect.DeepEqual(addrs, tt.waddrs) {
+			t.Errorf("#%d: addrs=%#v, want %#v", i, ep, tt.waddrs)
+		}
 		s := p.String()
 		if s != tt.wstring {
 			t.Errorf("#%d: string=%q, want %q", i, s, tt.wstring)
@@ -95,13 +104,13 @@ func TestPeersPick(t *testing.T) {
 		3: []string{},
 	}
 	ids := map[string]bool{
-		"http://abc": true,
-		"http://def": true,
-		"http://ghi": true,
-		"http://jkl": true,
-		"http://mno": true,
-		"http://pqr": true,
-		"http://stu": true,
+		"abc": true,
+		"def": true,
+		"ghi": true,
+		"jkl": true,
+		"mno": true,
+		"pqr": true,
+		"stu": true,
 	}
 	for i := 0; i < 1000; i++ {
 		a := ps.Pick(1)
@@ -110,8 +119,8 @@ func TestPeersPick(t *testing.T) {
 			break
 		}
 	}
-	if b := ps.Pick(2); b != "http://xyz" {
-		t.Errorf("id=%q, want %q", b, "http://xyz")
+	if b := ps.Pick(2); b != "xyz" {
+		t.Errorf("id=%q, want %q", b, "xyz")
 	}
 	if c := ps.Pick(3); c != "" {
 		t.Errorf("id=%q, want \"\"", c)
@@ -148,7 +157,7 @@ func TestHttpPost(t *testing.T) {
 	}
 	for i, tt := range tests {
 		ts := httptest.NewServer(tt.h)
-		if g := httpPost(ts.URL, []byte("adsf")); g != tt.w {
+		if g := httpPost(http.DefaultClient, ts.URL, []byte("adsf")); g != tt.w {
 			t.Errorf("#%d: httpPost()=%t, want %t", i, g, tt.w)
 		}
 		if tr.Method != "POST" {
@@ -161,7 +170,7 @@ func TestHttpPost(t *testing.T) {
 		ts.Close()
 	}
 
-	if httpPost("garbage url", []byte("data")) {
+	if httpPost(http.DefaultClient, "garbage url", []byte("data")) {
 		t.Errorf("httpPost with bad URL returned true unexpectedly!")
 	}
 }
@@ -215,7 +224,7 @@ func TestSend(t *testing.T) {
 		ps := Peers{
 			42: []string{strings.TrimPrefix(ts.URL, "http://")},
 		}
-		send(ps, tt.m)
+		send(http.DefaultClient, "http", ps, tt.m)
 
 		if !tt.ok {
 			if tr != nil {

main.go

@@ -51,6 +51,7 @@ var (
 	}
 
 	clientTLSInfo = transport.TLSInfo{}
+	peerTLSInfo   = transport.TLSInfo{}
 )
 
 func init() {
@@ -65,6 +66,10 @@ func init() {
 	flag.StringVar(&clientTLSInfo.CAFile, "ca-file", "", "Path to the client server TLS CA file.")
 	flag.StringVar(&clientTLSInfo.CertFile, "cert-file", "", "Path to the client server TLS cert file.")
 	flag.StringVar(&clientTLSInfo.KeyFile, "key-file", "", "Path to the client server TLS key file.")
+
+	flag.StringVar(&peerTLSInfo.CAFile, "peer-ca-file", "", "Path to the peer server TLS CA file.")
+	flag.StringVar(&peerTLSInfo.CertFile, "peer-cert-file", "", "Path to the peer server TLS cert file.")
+	flag.StringVar(&peerTLSInfo.KeyFile, "peer-key-file", "", "Path to the peer server TLS key file.")
 }
 
 func main() {
@@ -151,6 +156,11 @@ func startEtcd() {
 		n = raft.RestartNode(id, peers.IDs(), 10, 1, snapshot, st, ents)
 	}
 
+	pt, err := transport.NewTransport(peerTLSInfo)
+	if err != nil {
+		log.Fatal(err)
+	}
+
 	s := &etcdserver.EtcdServer{
 		Store: st,
 		Node:  n,
@@ -158,7 +168,7 @@ func startEtcd() {
 			*wal.WAL
 			*snap.Snapshotter
 		}{w, snapshotter},
-		Send:       etcdhttp.Sender(*peers),
+		Send:       etcdhttp.Sender(pt, *peers),
 		Ticker:     time.Tick(100 * time.Millisecond),
 		SyncTicker: time.Tick(500 * time.Millisecond),
 		SnapCount:  *snapCount,
@@ -174,7 +184,7 @@ func startEtcd() {
 		Info:    cors,
 	}
 
-	l, err := transport.NewListener(*paddr, transport.TLSInfo{})
+	l, err := transport.NewListener(*paddr, peerTLSInfo)
 	if err != nil {
 		log.Fatal(err)
 	}
@@ -202,10 +212,16 @@ func startEtcd() {
 
 // startProxy launches an HTTP proxy for client communication which proxies to other etcd nodes.
 func startProxy() {
-	ph, err := proxy.NewHandler((*peers).Endpoints())
+	pt, err := transport.NewTransport(clientTLSInfo)
 	if err != nil {
 		log.Fatal(err)
 	}
+
+	ph, err := proxy.NewHandler(pt, (*peers).Addrs())
+	if err != nil {
+		log.Fatal(err)
+	}
+
 	ph = &CORSHandler{
 		Handler: ph,
 		Info:    cors,

proxy/director.go

@@ -2,7 +2,6 @@ package proxy
 
 import (
 	"errors"
-	"fmt"
 	"log"
 	"net/url"
 	"sync"
@@ -15,27 +14,15 @@ const (
 	endpointFailureWait = 5 * time.Second
 )
 
-func newDirector(urls []string) (*director, error) {
-	if len(urls) == 0 {
-		return nil, errors.New("one or more endpoints required")
+func newDirector(scheme string, addrs []string) (*director, error) {
+	if len(addrs) == 0 {
+		return nil, errors.New("one or more upstream addresses required")
 	}
 
-	endpoints := make([]*endpoint, len(urls))
-	for i, v := range urls {
-		u, err := url.Parse(v)
-		if err != nil {
-			return nil, fmt.Errorf("invalid endpoint %q: %v", v, err)
-		}
-
-		if u.Scheme == "" {
-			return nil, fmt.Errorf("invalid endpoint %q: scheme required", v)
-		}
-
-		if u.Host == "" {
-			return nil, fmt.Errorf("invalid endpoint %q: host empty", v)
-		}
-
-		endpoints[i] = newEndpoint(*u)
+	endpoints := make([]*endpoint, len(addrs))
+	for i, addr := range addrs {
+		u := url.URL{Scheme: scheme, Host: addr}
+		endpoints[i] = newEndpoint(u)
 	}
 
 	d := director{ep: endpoints}

proxy/director_test.go

@@ -6,29 +6,49 @@ import (
 	"testing"
 )
 
-func TestNewDirectorEndpointValidation(t *testing.T) {
+func TestNewDirectorScheme(t *testing.T) {
 	tests := []struct {
-		good      bool
-		endpoints []string
+		scheme string
+		addrs  []string
+		want   []string
 	}{
-		{true, []string{"http://192.0.2.8"}},
-		{true, []string{"http://192.0.2.8:8001"}},
-		{true, []string{"http://example.com"}},
-		{true, []string{"http://example.com:8001"}},
-		{true, []string{"http://192.0.2.8:8001", "http://example.com:8002"}},
+		{
+			scheme: "http",
+			addrs:  []string{"192.0.2.8:4002", "example.com:8080"},
+			want:   []string{"http://192.0.2.8:4002", "http://example.com:8080"},
+		},
+		{
+			scheme: "https",
+			addrs:  []string{"192.0.2.8:4002", "example.com:8080"},
+			want:   []string{"https://192.0.2.8:4002", "https://example.com:8080"},
+		},
 
-		{false, []string{"://"}},
-		{false, []string{"http://"}},
-		{false, []string{"192.0.2.8"}},
-		{false, []string{"192.0.2.8:8001"}},
-		{false, []string{""}},
-		{false, []string{}},
+		// accept addrs without a port
+		{
+			scheme: "http",
+			addrs:  []string{"192.0.2.8"},
+			want:   []string{"http://192.0.2.8"},
+		},
+
+		// accept addrs even if they are garbage
+		{
+			scheme: "http",
+			addrs:  []string{"."},
+			want:   []string{"http://."},
+		},
 	}
 
 	for i, tt := range tests {
-		_, err := newDirector(tt.endpoints)
-		if tt.good != (err == nil) {
-			t.Errorf("#%d: expected success = %t, got err = %v", i, tt.good, err)
+		got, err := newDirector(tt.scheme, tt.addrs)
+		if err != nil {
+			t.Errorf("#%d: newDirectory returned unexpected error: %v", i, err)
+		}
+
+		for ii, wep := range tt.want {
+			gep := got.ep[ii].URL.String()
+			if !reflect.DeepEqual(wep, gep) {
+				t.Errorf("#%d: want endpoints[%d] = %#v, got = %#v", i, ii, wep, gep)
+			}
 		}
 	}
 }

proxy/proxy.go

@@ -1,32 +1,23 @@
 package proxy
 
 import (
-	"net"
 	"net/http"
-	"time"
 )
 
-const (
-	dialTimeout           = 30 * time.Second
-	responseHeaderTimeout = 30 * time.Second
-)
+func NewHandler(t *http.Transport, addrs []string) (http.Handler, error) {
+	scheme := "http"
+	if t.TLSClientConfig != nil {
+		scheme = "https"
+	}
 
-func NewHandler(endpoints []string) (http.Handler, error) {
-	d, err := newDirector(endpoints)
+	d, err := newDirector(scheme, addrs)
 	if err != nil {
 		return nil, err
 	}
 
-	tr := http.Transport{
-		Dial: func(network, address string) (net.Conn, error) {
-			return net.DialTimeout(network, address, dialTimeout)
-		},
-		ResponseHeaderTimeout: responseHeaderTimeout,
-	}
-
 	rp := reverseProxy{
 		director:  d,
-		transport: &tr,
+		transport: t,
 	}
 
 	return &rp, nil

transport/listener.go

@@ -7,6 +7,8 @@ import (
 	"fmt"
 	"io/ioutil"
 	"net"
+	"net/http"
+	"time"
 )
 
 func NewListener(addr string, info TLSInfo) (net.Listener, error) {
@@ -27,6 +29,27 @@ func NewListener(addr string, info TLSInfo) (net.Listener, error) {
 	return l, nil
 }
 
+func NewTransport(info TLSInfo) (*http.Transport, error) {
+	t := &http.Transport{
+		// timeouts taken from http.DefaultTransport
+		Dial: (&net.Dialer{
+			Timeout:   30 * time.Second,
+			KeepAlive: 30 * time.Second,
+		}).Dial,
+		TLSHandshakeTimeout: 10 * time.Second,
+	}
+
+	if !info.Empty() {
+		tlsCfg, err := info.ClientConfig()
+		if err != nil {
+			return nil, err
+		}
+		t.TLSClientConfig = tlsCfg
+	}
+
+	return t, nil
+}
+
 type TLSInfo struct {
 	CertFile string
 	KeyFile  string
@@ -37,21 +60,27 @@ func (info TLSInfo) Empty() bool {
 	return info.CertFile == "" && info.KeyFile == ""
 }
 
-// Generates a tls.Config object for a server from the given files.
-func (info TLSInfo) ServerConfig() (*tls.Config, error) {
-	// Both the key and cert must be present.
+func (info TLSInfo) baseConfig() (*tls.Config, error) {
 	if info.KeyFile == "" || info.CertFile == "" {
 		return nil, fmt.Errorf("KeyFile and CertFile must both be present[key: %v, cert: %v]", info.KeyFile, info.CertFile)
 	}
 
-	var cfg tls.Config
-
 	tlsCert, err := tls.LoadX509KeyPair(info.CertFile, info.KeyFile)
 	if err != nil {
 		return nil, err
 	}
 
+	var cfg tls.Config
 	cfg.Certificates = []tls.Certificate{tlsCert}
+	return &cfg, nil
+}
+
+// ServerConfig generates a tls.Config object for use by an HTTP server
+func (info TLSInfo) ServerConfig() (*tls.Config, error) {
+	cfg, err := info.baseConfig()
+	if err != nil {
+		return nil, err
+	}
 
 	if info.CAFile != "" {
 		cfg.ClientAuth = tls.RequireAndVerifyClientCert
@@ -59,14 +88,31 @@ func (info TLSInfo) ServerConfig() (*tls.Config, error) {
 		if err != nil {
 			return nil, err
 		}
-
-		cfg.RootCAs = cp
 		cfg.ClientCAs = cp
 	} else {
 		cfg.ClientAuth = tls.NoClientCert
 	}
 
-	return &cfg, nil
+	return cfg, nil
+}
+
+// ClientConfig generates a tls.Config object for use by an HTTP client
+func (info TLSInfo) ClientConfig() (*tls.Config, error) {
+	cfg, err := info.baseConfig()
+	if err != nil {
+		return nil, err
+	}
+
+	if info.CAFile != "" {
+		cp, err := newCertPool(info.CAFile)
+		if err != nil {
+			return nil, err
+		}
+
+		cfg.RootCAs = cp
+	}
+
+	return cfg, nil
 }
 
 // newCertPool creates x509 certPool with provided CA file

transport/listener_test.go

@@ -0,0 +1,314 @@
+package transport
+
+import (
+	"crypto/tls"
+	"io/ioutil"
+	"os"
+	"testing"
+)
+
+var (
+	TLSCA = []byte(`-----BEGIN CERTIFICATE-----
+MIIFNDCCAx6gAwIBAgIBATALBgkqhkiG9w0BAQUwLTEMMAoGA1UEBhMDVVNBMRAw
+DgYDVQQKEwdldGNkLWNhMQswCQYDVQQLEwJDQTAeFw0xNDAzMTMwMjA5MDlaFw0y
+NDAzMTMwMjA5MDlaMC0xDDAKBgNVBAYTA1VTQTEQMA4GA1UEChMHZXRjZC1jYTEL
+MAkGA1UECxMCQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDdlBlw
+Jiakc4C1UpMUvQ+2fttyBMfMLivQgj51atpKd8qIBvpZwz1wtpzdRG0hSYMF0IUk
+MfBqyg+T5tt2Lfs3Gx3cYKS7G0HTfmABC7GdG8gNvEVNl/efxqvhis7p7hur765e
+J+N2GR4oOOP5Wa8O5flv10cp3ZJLhAguc2CONLzfh/iAYAItFgktGHXJ/AnUhhaj
+KWdKlK9Cv71YsRPOiB1hCV+LKfNSqrXPMvQ4sarz3yECIBhpV/KfskJoDyeNMaJd
+gabX/S7gUCd2FvuOpGWdSIsDwyJf0tnYmQX5XIQwBZJib/IFMmmoVNYc1bFtYvRH
+j0g0Ax4tHeXU/0mglqEcaTuMejnx8jlxZAM8Z94wHLfKbtaP0zFwMXkaM4nmfZqh
+vLZwowDGMv9M0VRFEhLGYIc3xQ8G2u8cFAGw1UqTxKhwAdRmrcFaQ38sk4kziy0u
+AkpGavS7PKcFjjB/fdDFO/kwGQOthX/oTn9nP3BT+IK2h1A6ATMPI4lVnhb5/KBt
+9M/fGgbiU+I9QT0Ilz/LlrcCuzyRXREvIZvoUL77Id+JT3qQxqPn/XMKLN4WEFII
+112MFGqCD85JZzNoC4RkZd8kFlR4YJWsS4WqJlWprESr5cCDuLviK+31cnIRF4fJ
+mz0gPsVgY7GFEan3JJnL8oRUVzdTPKfPt0atsQIDAQABo2MwYTAOBgNVHQ8BAf8E
+BAMCAAQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUnVlVvktY+zlLpG43nTpG
+AWmUkrYwHwYDVR0jBBgwFoAUnVlVvktY+zlLpG43nTpGAWmUkrYwCwYJKoZIhvcN
+AQEFA4ICAQAqIcPFux3V4h1N0aGM4fCS/iT50TzDnRb5hwILKbmyA6LFnH4YF7PZ
+aA0utDNo1XSRDMpR38HWk0weh5Sfx6f2danaKZHAsea8oVEtdrz16ZMOvoh0CPIM
+/hn0CGQOoXDADDNFASuExhhpoyYkDqTVTCQ/zbhZg1mjBljJ+BBzlSgeoE4rUDpn
+nuDcmD9LtjpsVQL+J662rd51xV4Z6a7aZLvN9GfO8tYkfCGCD9+fGh1Cpz0IL7qw
+VRie+p/XpjoHemswnRhYJ4wn10a1UkVSR++wld6Gvjb9ikyr9xVyU5yrRM55pP2J
+VguhzjhTIDE1eDfIMMxv3Qj8+BdVQwtKFD+zQYQcbcjsvjTErlS7oCbM2DVlPnRT
+QaCM0q0yorfzc4hmml5P95ngz2xlohavgNMhsYIlcWyq3NVbm7mIXz2pjqa16Iit
+vL7WX6OVupv/EOMRx5cVcLqqEaYJmAlNd/CCD8ihDQCwoJ6DJhczPRexrVp+iZHK
+SnIUONdXb/g8ungXUGL1jGNQrWuq49clpI5sLWNjMDMFAQo0qu5bLkOIMlK/evCt
+gctOjXDvGXCk5h6Adf14q9zDGFdLoxw0/aciUSn9IekdzYPmkYUTifuzkVRsPKzS
+nmI4dQvz0rHIh4FBUKWWrJhRWhrv9ty/YFuJXVUHeAwr5nz6RFZ4wQ==
+-----END CERTIFICATE-----`)
+	TLSKey = []byte(`-----BEGIN RSA PRIVATE KEY-----
+MIIJKAIBAAKCAgEAyNxL6iay1rJz24wE/BDYjEcgSDYYWn7m4uTW/oJRM5GwtpL9
+s15FZKZAbmw0cMod3qJkm3cCmJN8s/iKKU++d7XibnkaTD6vQMq//j2ZeGNbRtOC
+nI3zrzpbOsz7A3x85bkfExO9OSH+cMGbtwXcMc3bcfU9ETsyBIEbdAMbnHuapIPd
+yFjcTqyK/uCwsWH06b6U1zttJc9CLkDZtTqaPT1aFp+z13Tprgs0htoVtQ3Cqksk
+D+yJKZQSUtBIaKLyLF2r0pDyibLL0I+92RSAVYCoV7h5jzXa8qWkJArcbKm1XTjp
+aIyLamE0wwImncEUFpGIAzkkAhiYj6mFScfqx+DJc8UOp/cdqiHJ3pXzK/lRQxHN
+WLx7tVyzIOW9SJg+gobrWFtEYRSdwkFXUEdouJCfE9Q0iWCyEjDg2bsdXGWlKEi/
+xJKwuf/DzlmZj/JyVzugOMK2Qxxd9P6lqaPk+T77AOnAAX19Y5HE8TwVxitajmfK
+06E8aayds3N87mTcUoDN9p843D1IJ+efTIHZdB0eHOCXk2RrHm1psTFppM//wVeH
+lGhh6gqc0UB392CMcrLwwtl3+M9gJZPAJS0V6e/5LGrXcQLcnPsvPjFgnOjdGGyP
+c47/nswgakfprtT+U29B3mzxc93TnSKYgt5FPEMjBGoMPLucZYmbOAMcHTcCAwEA
+AQKCAgBS1vCESKOXgo/f61ae8v+skyUQQyc2I4Jr739wBiUhRKQCGIuDr4ylHyAR
+qpTSM7mv+X/O0n2CmcljnEy3Dwl568zQTSf4bB3xde1LGPKzwR6DDnaexLjM+x9n
+F+UqoewM/pV/U7PF3WxH6sGi8UrIS6OG02L1OVm+m9TLuwBnQF8eHLiaiXOLCwRk
+bBzTe5f70zslrX+tiVY9J0fiw6GbQjNmg0UzxicePcbTGxy6yEsR2t2rp51GRahs
++TPz28hPXe6gcGFnQxNmF/JvllH7cY18aDvSQZ7kVkZlCwmv0ypWoUM6eESDgkW1
+a6yrgVccm7bhxW5BYw2AqqSrMkV0oMcCUjh2rYvex7w6dM374Ok3DD/dXjTHLNV5
++0tHMxXUiCKwe7hVEg+iGD4E1jap5n5c4RzpEtAXsGEK5WUBksHi9qOBv+lubjZn
+Kcfbos+BbnmUCU3MmU48EZwyFQIu9djkLXfJV2Cbbg9HmkrIOYgi4tFjoBKeQLE4
+6GCucMWnNfMO7Kq/z7c+7sfWOAA55pu0Ojel8VH6US+Y/1mEuSUhQudrJn8GxAmc
+4t+C2Ie1Q1bK3iJbd0NUqtlwd9xI9wQgCbaxfQceUmBBjuTUu3YFctZ7Jia7h18I
+gZ3wsKfySDhW29XTFvnT3FUpc+AN9Pv4sB7uobm6qOBV8/AdKQKCAQEA1zwIuJki
+bSgXxsD4cfKgQsyIk0eMj8bDOlf/A8AFursXliH3rRASoixXNgzWrMhaEIE2BeeT
+InE13YCUjNCKoz8oZJqKYpjh3o/diZf1vCo6m/YUSR+4amynWE4FEAa58Og2WCJ3
+Nx8/IMpmch2VZ+hSQuNr5uvpH84+eZADQ1GB6ypzqxb5HjIEeryLJecDQGe4ophd
+JCo3loezq/K0XJQI8GTBe2GQPjXSmLMZKksyZoWEXAaC1Q+sdJWZvBpm3GfVQbXu
+q7wyqTMknVIlEOy0sHxstsbayysSFFQ/fcgKjyQb8f4efOkyQg8mH5vQOZghbHJ+
+7I8wVSSBt+bE2wKCAQEA7udRoo2NIoIpJH+2+SPqJJVq1gw/FHMM4oXNZp+AAjR1
+hTWcIzIXleMyDATl5ZFzZIY1U2JMifS5u2R7fDZEu9vfZk4e6BJUJn+5/ahjYFU8
+m8WV4rFWR6XN0SZxPb43Mn6OO7EoMqr8InRufiN4LwIqnPqDm2D9Fdijb9QFJ2UG
+QLKNnIkLTcUfx1RYP4T48CHkeZdxV8Cp49SzSSV8PbhIVBx32bm/yO6nLHoro7Wl
+YqXGW0wItf2BUA5a5eYNO0ezVkOkTp2aj/p9i+0rqbsYa480hzlnOzYI5F72Z8V2
+iPltUAeQn53Vg1azySa1x8/0Xp5nVsgQSh18CH3p1QKCAQBxZv4pVPXgkXlFjTLZ
+xr5Ns7pZ7x7OOiluuiJw9WGPazgYMDlxA8DtlXM11Tneu4lInOu73LGXOhLpa+/Y
+6Z/CN2qu5wX2wRpwy1gsQNaGl7FdryAtDvt5h1n8ms7sDL83gQHxGee6MUpvmnSz
+t4aawrtk5rJZbv7bdS1Rm2E8vNs47psXD/mdwTi++kxOYhNCgeO0N5cLkPrM4x71
+f+ErzguPrWaL/XGkdXNKZULjF8+sWLjOS9fvLlzs6E2h4D9F7addAeCIt5XxtDKc
+eUVyT2U8f7I/8zIgTccu0tzJBvcZSCs5K20g3zVNvPGXQd9KGS+zFfht51vN4HhA
+TuR1AoIBAGuQBKZeexP1bJa9VeF4dRxBldeHrgMEBeIbgi5ZU+YqPltaltEV5Z6b
+q1XUArpIsZ6p+mpvkKxwXgtsI1j6ihnW1g+Wzr2IOxEWYuQ9I3klB2PPIzvswj8B
+/NfVKhk1gl6esmVXzxR4/Yp5x6HNUHhBznPdKtITaf+jCXr5B9UD3DvW6IF5Bnje
+bv9tD0qSEQ71A4xnTiXHXfZxNsOROA4F4bLVGnUR97J9GRGic/GCgFMY9mT2p9lg
+qQ8lV3G5EW4GS01kqR6oQQXgLxSIFSeXUFhlIq5bfwoeuwQvaVuxgTwMqVXmAgyL
+oK1ApTPE1QWAsLLFORvOed8UxVqBbn0CggEBALfr/wheXCKLdzFzm03sO1i9qVz2
+vnpxzexXW3V/TtM6Dff2ojgkDC+CVximtAiLA/Wj60hXnQxw53g5VVT5rESx0J3c
+pq+azbi1eWzFeOrqJvKQhMfYc0nli7YuGnPkKzeepJJtWZHYkAjL4QZAn1jt0RqV
+DQmlGPGiOuGP8uh59c23pbjgh4eSJnvhOT2BFKhKZpBdTBYeiQiZBqIyme8rNTFr
+NmpBxtUr77tccVTrcWWhhViG36UNpetAP7b5QCHScIXZJXrEqyK5HaePqi5UMH8o
+alSz6s2REG/xP7x54574TvRG/3cIamv1AfZAOjin7BwhlSLhPl2eeh4Cgas=
+-----END RSA PRIVATE KEY-----`)
+	TLSCert = []byte(`-----BEGIN CERTIFICATE-----
+MIIFWzCCA0WgAwIBAgIBAjALBgkqhkiG9w0BAQUwLTEMMAoGA1UEBhMDVVNBMRAw
+DgYDVQQKEwdldGNkLWNhMQswCQYDVQQLEwJDQTAeFw0xNDAzMTMwMjA5MjJaFw0y
+NDAzMTMwMjA5MjJaMEUxDDAKBgNVBAYTA1VTQTEQMA4GA1UEChMHZXRjZC1jYTEP
+MA0GA1UECxMGc2VydmVyMRIwEAYDVQQDEwkxMjcuMC4wLjEwggIiMA0GCSqGSIb3
+DQEBAQUAA4ICDwAwggIKAoICAQDI3EvqJrLWsnPbjAT8ENiMRyBINhhafubi5Nb+
+glEzkbC2kv2zXkVkpkBubDRwyh3eomSbdwKYk3yz+IopT753teJueRpMPq9Ayr/+
+PZl4Y1tG04KcjfOvOls6zPsDfHzluR8TE705If5wwZu3Bdwxzdtx9T0ROzIEgRt0
+Axuce5qkg93IWNxOrIr+4LCxYfTpvpTXO20lz0IuQNm1Opo9PVoWn7PXdOmuCzSG
+2hW1DcKqSyQP7IkplBJS0EhoovIsXavSkPKJssvQj73ZFIBVgKhXuHmPNdrypaQk
+CtxsqbVdOOlojItqYTTDAiadwRQWkYgDOSQCGJiPqYVJx+rH4MlzxQ6n9x2qIcne
+lfMr+VFDEc1YvHu1XLMg5b1ImD6ChutYW0RhFJ3CQVdQR2i4kJ8T1DSJYLISMODZ
+ux1cZaUoSL/EkrC5/8POWZmP8nJXO6A4wrZDHF30/qWpo+T5PvsA6cABfX1jkcTx
+PBXGK1qOZ8rToTxprJ2zc3zuZNxSgM32nzjcPUgn559Mgdl0HR4c4JeTZGsebWmx
+MWmkz//BV4eUaGHqCpzRQHf3YIxysvDC2Xf4z2Alk8AlLRXp7/ksatdxAtyc+y8+
+MWCc6N0YbI9zjv+ezCBqR+mu1P5Tb0HebPFz3dOdIpiC3kU8QyMEagw8u5xliZs4
+AxwdNwIDAQABo3IwcDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHQYD
+VR0OBBYEFD6UrVN8uolWz6et79jVeZetjd4XMB8GA1UdIwQYMBaAFJ1ZVb5LWPs5
+S6RuN506RgFplJK2MA8GA1UdEQQIMAaHBH8AAAEwCwYJKoZIhvcNAQEFA4ICAQCo
+sKn1Rjx0tIVWAZAZB4lCWvkQDp/txnb5zzQUlKhIW2o98IklASmOYYyZbE2PXlda
+/n8TwKIzWgIoNh5AcgLWhtASrnZdGFXY88n5jGk6CVZ1+Dl+IX99h+r+YHQzf1jU
+BjGrZHGv3pPjwhFGDS99lM/TEBk/eLI2Kx5laL+nWMTwa8M1OwSIh6ZxYPVlWUqb
+rurk5l/YqW+UkYIXIQhe6LwtB7tBjr6nDIWBfHQ7uN8IdB8VIAF6lejr22VmERTW
+j+zJ5eTzuQN1f0s930mEm8pW7KgGxlEqrUlSJtxlMFCv6ZHZk1Y4yEiOCBKlPNme
+X3B+lhj//PH3gLNm3+ZRr5ena3k+wL9Dd3d3GDCIx0ERQyrGS/rJpqNPI+8ZQlG0
+nrFlm7aP6UznESQnJoSFbydiD0EZ4hXSdmDdXQkTklRpeXfMcrYBGN7JrGZOZ2T2
+WtXBMx2bgPeEH50KRrwUMFe122bchh0Fr+hGvNK2Q9/gRyQPiYHq6vSF4GzorzLb
+aDuWA9JRH8/c0z8tMvJ7KjmmmIxd39WWGZqiBrGQR7utOJjpQl+HCsDIQM6yZ/Bu
+RpwKj2yBz0OQg4tWbtqUuFkRMTkCR6vo3PadgO1VWokM7UFUXlScnYswcM5EwnzJ
+/IsYJ2s1V706QVUzAGIbi3+wYi3enk7JfYoGIqa2oA==
+-----END CERTIFICATE-----`)
+)
+
+func createTempFile(b []byte) (string, error) {
+	f, err := ioutil.TempFile("", "etcd-test-tls-")
+	if err != nil {
+		return "", err
+	}
+	defer f.Close()
+
+	if _, err = f.Write(b); err != nil {
+		return "", err
+	}
+
+	return f.Name(), nil
+}
+
+func TestNewTransportTLSInfo(t *testing.T) {
+	fCA, err := createTempFile(TLSCA)
+	if err != nil {
+		t.Fatalf("Unable to prepare TLS CA tmpfile: %v", err)
+	}
+	defer os.Remove(fCA)
+
+	fCert, err := createTempFile(TLSCert)
+	if err != nil {
+		t.Fatalf("Unable to prepare TLS cert tmpfile: %v", err)
+	}
+	defer os.Remove(fCert)
+
+	fKey, err := createTempFile(TLSKey)
+	if err != nil {
+		t.Fatalf("Unable to prepare TLS key tmpfile: %v", err)
+	}
+	defer os.Remove(fKey)
+
+	tests := []struct {
+		info                TLSInfo
+		wantTLSClientConfig bool
+	}{
+		{
+			info:                TLSInfo{},
+			wantTLSClientConfig: false,
+		},
+		{
+			info: TLSInfo{
+				CertFile: fCert,
+				KeyFile:  fKey,
+			},
+			wantTLSClientConfig: true,
+		},
+		{
+			info: TLSInfo{
+				CertFile: fCert,
+				KeyFile:  fKey,
+				CAFile:   fCA,
+			},
+			wantTLSClientConfig: true,
+		},
+	}
+
+	for i, tt := range tests {
+		trans, err := NewTransport(tt.info)
+		if err != nil {
+			t.Fatalf("Received unexpected error from NewTransport: %v", err)
+		}
+
+		gotTLSClientConfig := trans.TLSClientConfig != nil
+		if tt.wantTLSClientConfig != gotTLSClientConfig {
+			t.Fatalf("%#d: wantTLSClientConfig=%t but gotTLSClientConfig=%t", i, tt.wantTLSClientConfig, gotTLSClientConfig)
+		}
+	}
+}
+
+func TestTLSInfoEmpty(t *testing.T) {
+	tests := []struct {
+		info TLSInfo
+		want bool
+	}{
+		{TLSInfo{}, true},
+		{TLSInfo{CAFile: "baz"}, true},
+		{TLSInfo{CertFile: "foo"}, false},
+		{TLSInfo{KeyFile: "bar"}, false},
+		{TLSInfo{CertFile: "foo", KeyFile: "bar"}, false},
+		{TLSInfo{CertFile: "foo", CAFile: "baz"}, false},
+		{TLSInfo{KeyFile: "bar", CAFile: "baz"}, false},
+		{TLSInfo{CertFile: "foo", KeyFile: "bar", CAFile: "baz"}, false},
+	}
+
+	for i, tt := range tests {
+		got := tt.info.Empty()
+		if tt.want != got {
+			t.Errorf("#%d: result of Empty() incorrect: want=%t got=%t", i, tt.want, got)
+		}
+	}
+}
+
+func TestTLSInfoMissingFields(t *testing.T) {
+	fCA, err := createTempFile(TLSCA)
+	if err != nil {
+		t.Fatalf("Unable to prepare TLS CA tmpfile: %v", err)
+	}
+	defer os.Remove(fCA)
+
+	fCert, err := createTempFile(TLSCert)
+	if err != nil {
+		t.Fatalf("Unable to prepare TLS cert tmpfile: %v", err)
+	}
+	defer os.Remove(fCert)
+
+	fKey, err := createTempFile(TLSKey)
+	if err != nil {
+		t.Fatalf("Unable to prepare TLS key tmpfile: %v", err)
+	}
+	defer os.Remove(fKey)
+
+	tests := []TLSInfo{
+		TLSInfo{},
+		TLSInfo{CAFile: fCA},
+		TLSInfo{CertFile: fCert},
+		TLSInfo{KeyFile: fKey},
+		TLSInfo{CertFile: fCert, CAFile: fCA},
+		TLSInfo{KeyFile: fKey, CAFile: fCA},
+	}
+
+	for i, info := range tests {
+		if _, err := info.ServerConfig(); err == nil {
+			t.Errorf("#%d: expected non-nil error from ServerConfig()", i)
+		}
+
+		if _, err = info.ClientConfig(); err == nil {
+			t.Errorf("#%d: expected non-nil error from ClientConfig()", i)
+		}
+	}
+}
+
+func TestTLSInfoConfigFuncs(t *testing.T) {
+	fCA, err := createTempFile(TLSCA)
+	if err != nil {
+		t.Fatalf("Unable to prepare TLS CA tmpfile: %v", err)
+	}
+	defer os.Remove(fCA)
+
+	fCert, err := createTempFile(TLSCert)
+	if err != nil {
+		t.Fatalf("Unable to prepare TLS cert tmpfile: %v", err)
+	}
+	defer os.Remove(fCert)
+
+	fKey, err := createTempFile(TLSKey)
+	if err != nil {
+		t.Fatalf("Unable to prepare TLS key tmpfile: %v", err)
+	}
+	defer os.Remove(fKey)
+
+	tests := []struct {
+		info       TLSInfo
+		clientAuth tls.ClientAuthType
+		wantCAs    bool
+	}{
+		{
+			info:       TLSInfo{CertFile: fCert, KeyFile: fKey},
+			clientAuth: tls.NoClientCert,
+			wantCAs:    false,
+		},
+
+		{
+			info:       TLSInfo{CertFile: fCert, KeyFile: fKey, CAFile: fCA},
+			clientAuth: tls.RequireAndVerifyClientCert,
+			wantCAs:    true,
+		},
+	}
+
+	for i, tt := range tests {
+		sCfg, err := tt.info.ServerConfig()
+		if err != nil {
+			t.Errorf("#%d: expected nil error from ServerConfig(), got non-nil: %v", i, err)
+		}
+
+		if tt.wantCAs != (sCfg.ClientCAs != nil) {
+			t.Errorf("%#d: wantCAs=%t but ClientCAs=%v", i, tt.wantCAs, sCfg.ClientCAs)
+		}
+
+		cCfg, err := tt.info.ClientConfig()
+		if err != nil {
+			t.Errorf("#%d: expected nil error from ClientConfig(), got non-nil: %v", i, err)
+		}
+
+		if tt.wantCAs != (cCfg.RootCAs != nil) {
+			t.Errorf("%#d: wantCAs=%t but RootCAs=%v", i, tt.wantCAs, sCfg.RootCAs)
+		}
+	}
+}