From 98a4fcb9e34ae50411bc01e8a9392187b3848a5d Mon Sep 17 00:00:00 2001
From: secwall
Date: Fri, 5 Apr 2024 16:21:23 +0200
Subject: [PATCH] Fix non-local tls cert validation
---
 internal/redis/node.go | 2 +-
 internal/redis/senticache.go | 2 +-
 internal/redis/tls.go | 6 ++++--
 3 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/internal/redis/node.go b/internal/redis/node.go
index 91b881e..bd30083 100644
--- a/internal/redis/node.go
+++ b/internal/redis/node.go
@@ -65,7 +65,7 @@ func NewNode(config *config.Config, logger *slog.Logger, fqdn string) (*Node, er
 Protocol: 2,
 }
 if config.Redis.UseTLS {
- tlsConf, err := getTLSConfig(config, config.Redis.TLSCAPath)
+ tlsConf, err := getTLSConfig(config, config.Redis.TLSCAPath, host)
 if err != nil {
 return nil, err
 }
diff --git a/internal/redis/senticache.go b/internal/redis/senticache.go
index 65d4ed3..222432a 100644
--- a/internal/redis/senticache.go
+++ b/internal/redis/senticache.go
@@ -78,7 +78,7 @@ func NewSentiCacheNode(config *config.Config, logger *slog.Logger) (*SentiCacheN
 Protocol: 2,
 }
 if config.SentinelMode.UseTLS {
- tlsConf, err := getTLSConfig(config, config.SentinelMode.TLSCAPath)
+ tlsConf, err := getTLSConfig(config, config.SentinelMode.TLSCAPath, localhost)
 if err != nil {
 return nil, err
 }
diff --git a/internal/redis/tls.go b/internal/redis/tls.go
index 34045a0..7d35c93 100644
--- a/internal/redis/tls.go
+++ b/internal/redis/tls.go
@@ -9,9 +9,11 @@ import (
 "github.com/yandex/rdsync/internal/config"
 )

-func getTLSConfig(config *config.Config, CAPath string) (*tls.Config, error) {
+func getTLSConfig(config *config.Config, CAPath, host string) (*tls.Config, error) {
 c := &tls.Config{}
- c.ServerName = config.Hostname
+ if host == localhost {
+ c.ServerName = config.Hostname
+ }
 if CAPath != "" {
 cert, err := os.ReadFile(CAPath)
 if err != nil {
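Review bot: In `getTLSConfig` (tls.go hunk) the non-local path leaves `c.ServerName` empty, so the name the peer certificate is verified against depends on the dialing code deriving it from the connection address, and that code is not visible in this patch. Setting it explicitly keeps the verification target in one place, e.g. `} else { c.ServerName = host }`, provided the `host` passed from `NewNode` in node.go is a bare hostname without a port; please confirm that at the call site. The check `host == localhost` is an exact string match against an identifier defined outside the hunk, so any other spelling of the local address takes the non-local path and is no longer verified against `config.Hostname`. The function has no doc comment; I would add `// getTLSConfig builds the client TLS config for host; connections to localhost are verified against config.Hostname instead of the dial address.` The function body continues past the end of the hunk.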