From b0aa51d7ef6e4f1d0c52d107bf2c5c125fdb2214 Mon Sep 17 00:00:00 2001
From: Konstantin Lebedev <9497591+kmlebedev@users.noreply.github.com>
Date: Fri, 24 Jun 2022 00:29:23 +0500
Subject: [PATCH] enable require client cert
---
 weed/security/tls.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/weed/security/tls.go b/weed/security/tls.go
index 99df9b9c3..a26f64b42 100644
--- a/weed/security/tls.go
+++ b/weed/security/tls.go
@@ -64,12 +64,12 @@ func LoadServerTLS(config *util.ViperProxy, component string) (grpc.ServerOption
 RootOptions: advancedtls.RootCertificateOptions{
 RootProvider: serverRootProvider,
 },
- RequireClientCert: false,
+ RequireClientCert: true,
 VerifyPeer: func(params *advancedtls.VerificationFuncParams) (*advancedtls.VerificationResults, error) {
 glog.V(0).Infof("Client common name: %s.\n", params.Leaf.Subject.CommonName)
 return &advancedtls.VerificationResults{}, nil
 },
- VType: advancedtls.SkipVerification,
+ VType: advancedtls.CertVerification,
 }
 ta, err := advancedtls.NewServerCreds(options)
 if err != nil {
@@ -134,7 +134,7 @@ func LoadClientTLS(config *util.ViperProxy, component string) grpc.DialOption {
 RootOptions: advancedtls.RootCertificateOptions{
 RootProvider: clientRootProvider,
 },
- VType: advancedtls.SkipVerification,
+ VType: advancedtls.CertVerification,
 }
 ta, err := advancedtls.NewClientCreds(options)
 if err != nil {
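Review bot: The `VerifyPeer` callback in the `LoadServerTLS` hunk still returns `&advancedtls.VerificationResults{}, nil` for every peer, so with `RequireClientCert: true` and `CertVerification` the server accepts any client certificate that chains to `serverRootProvider`; the common name is logged but never checked. If that CA issues certificates for anything beyond this cluster, holding one of them is enough to connect. At minimum the callback should say so, e.g. `// Any certificate issued by the configured root is accepted; the CN is logged for audit only, not authorized.`, and the log line would be safer with `%q` than `%s` since the CN is peer-supplied text. The options literal and the rest of `LoadServerTLS` lie outside the hunk, so whether the component's configuration offers a place for an allow-list cannot be seen from here.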
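Review bot: In the `LoadClientTLS` hunk, `VType: advancedtls.CertVerification` makes the client check the server's chain against `clientRootProvider` but, as advancedtls documents that mode, leaves out the host-name check, so a certificate issued by the same root for a different host would be accepted for any server address. If the server certificates carry SANs matching the addresses clients dial, `VType: advancedtls.CertAndHostVerification,` closes that gap. If they do not, a comment on this line should record that host verification is deliberately off and why. The start of the options literal and the end of the function are outside the hunk.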