util: support intermediate certs when use TLS (#39016)

pingcap · Nov 9, 2022 · 5426727 · 5426727
1 parent 4aa89a6
commit 5426727
Showing 1 changed file with 13 additions and 1 deletion.
diff --git a/util/security.go b/util/security.go
@@ -231,9 +231,21 @@ func NewTLSConfig(opts ...TLSConfigOption) (*tls.Config, error) {
 			return err
 		}
 
+		intermediates := x509.NewCertPool()
+		for _, certBytes := range rawCerts[1:] {
+			c, err2 := x509.ParseCertificate(certBytes)
+			if err2 != nil {
+				return err2
+			}
+			intermediates.AddCert(c)
+		}
+
 		certPoolMu.RLock()
 		defer certPoolMu.RUnlock()
-		if _, err = cert.Verify(x509.VerifyOptions{Roots: certPool}); err != nil {
+		if _, err = cert.Verify(x509.VerifyOptions{
+			Roots:         certPool,
+			Intermediates: intermediates,
+		}); err != nil {
 			return errors.Wrap(err, "can't verify certificate, maybe different CA is used")
 		}
 		return nil