Remove unused TLS mux parameters

CHANGELOG.md

@@ -3,6 +3,7 @@
 - [PR #2206](https://github.com/rqlite/rqlite/pull/2206): Add convenience WriteOne() to Queue.
 - [PR #2204](https://github.com/rqlite/rqlite/pull/2204): Add byte-marshalling for CDC Events.
 - [PR #2205](https://github.com/rqlite/rqlite/pull/2205): Improve CDC Protobuf naming.
+- [PR #2208](https://github.com/rqlite/rqlite/pull/2208): Remove unused parameters from TLS mux functions.
 
 ## v8.43.2 (August 6th 2025)
 ### Implementation changes and bug fixes

cluster/service_mux_test.go

@@ -105,7 +105,7 @@ func mustNewTLSMux(t *testing.T) (net.Listener, *tcp.Mux) {
 	cert := x509.CertExampleDotComFile(t.TempDir())
 	key := x509.KeyExampleDotComFile(t.TempDir())
 
-	mux, err := tcp.NewTLSMux(ln, nil, cert, key, "", true, false)
+	mux, err := tcp.NewTLSMux(ln, nil, cert, key)
 	if err != nil {
 		panic(fmt.Sprintf("failed to create TLS mux: %s", err))
 	}

cmd/rqlited/main.go

@@ -422,8 +422,11 @@ func startNodeMux(cfg *Config, ln net.Listener) (*tcp.Mux, error) {
 			b.WriteString(", mutual TLS disabled")
 		}
 		log.Println(b.String())
-		mux, err = tcp.NewTLSMux(ln, adv, cfg.NodeX509Cert, cfg.NodeX509Key, cfg.NodeX509CACert,
-			cfg.NoNodeVerify, cfg.NodeVerifyClient)
+		if cfg.NodeVerifyClient {
+			mux, err = tcp.NewMutualTLSMux(ln, adv, cfg.NodeX509Cert, cfg.NodeX509Key, cfg.NodeX509CACert)
+		} else {
+			mux, err = tcp.NewTLSMux(ln, adv, cfg.NodeX509Cert, cfg.NodeX509Key)
+		}
 	} else {
 		mux, err = tcp.NewMux(ln, adv)
 	}

system_test/helpers.go

@@ -902,7 +902,7 @@ func mustNewOpenTLSMux(certFile, keyPath, addr string) *tcp.Mux {
 	}
 
 	var mux *tcp.Mux
-	mux, err = tcp.NewTLSMux(ln, nil, certFile, keyPath, "", true, false)
+	mux, err = tcp.NewTLSMux(ln, nil, certFile, keyPath)
 	if err != nil {
 		panic(fmt.Sprintf("failed to create node-to-node mux: %s", err.Error()))
 	}

tcp/mux.go

@@ -106,15 +106,15 @@ func NewMux(ln net.Listener, adv net.Addr) (*Mux, error) {
 }
 
 // NewTLSMux returns a new instance of Mux for ln, and encrypts all traffic
-// using TLS. If adv is nil, then the addr of ln is used. If insecure is true,
-// then the server will not verify the client's certificate. If mutual is true,
-// then the server will require the client to present a trusted certificate.
-func NewTLSMux(ln net.Listener, adv net.Addr, cert, key, caCert string, insecure, mutual bool) (*Mux, error) {
-	return newTLSMux(ln, adv, cert, key, caCert, false)
+// using TLS. If adv is nil, then the addr of ln is used. The server will not
+// require clients to present a valid certificate since mutual TLS is not enabled.
+func NewTLSMux(ln net.Listener, adv net.Addr, cert, key string) (*Mux, error) {
+	return newTLSMux(ln, adv, cert, key, "", false)
 }
 
 // NewMutualTLSMux returns a new instance of Mux for ln, and encrypts all traffic
-// using TLS. The server will also verify the client's certificate.
+// using TLS. The server will also require clients to present a valid certificate.
+// If caCert is not empty, that CA certificate will be added to the pool of CAs.
 func NewMutualTLSMux(ln net.Listener, adv net.Addr, cert, key, caCert string) (*Mux, error) {
 	return newTLSMux(ln, adv, cert, key, caCert, true)
 }

tcp/mux_test.go

@@ -179,7 +179,7 @@ func TestTLSMux(t *testing.T) {
 	key := x509.KeyExampleDotComFile("")
 	defer os.Remove(key)
 
-	mux, err := NewTLSMux(tcpListener, nil, cert, key, "", true, false)
+	mux, err := NewTLSMux(tcpListener, nil, cert, key)
 	if err != nil {
 		t.Fatalf("failed to create mux: %s", err.Error())
 	}
@@ -193,6 +193,7 @@ func TestTLSMux(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
+	defer conn.Close()
 
 	state := conn.ConnectionState()
 	if !state.HandshakeComplete {
@@ -217,6 +218,7 @@ func TestTLSMux(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
+	defer conn.Close()
 
 	state = conn.ConnectionState()
 	if !state.HandshakeComplete {
@@ -230,12 +232,53 @@ func TestTLSMux(t *testing.T) {
 func TestTLSMux_Fail(t *testing.T) {
 	tcpListener := mustTCPListener("127.0.0.1:0")
 	defer tcpListener.Close()
-	_, err := NewTLSMux(tcpListener, nil, "xxxx", "yyyy", "", true, false)
+	_, err := NewTLSMux(tcpListener, nil, "xxxx", "yyyy")
 	if err == nil {
 		t.Fatalf("created mux unexpectedly with bad resources")
 	}
 }
 
+func TestMutualTLSMux(t *testing.T) {
+	tcpListener := mustTCPListener("127.0.0.1:0")
+	defer tcpListener.Close()
+
+	cert := x509.CertExampleDotComFile("")
+	defer os.Remove(cert)
+	key := x509.KeyExampleDotComFile("")
+	defer os.Remove(key)
+	caCert := x509.CertMyCAFile("")
+	defer os.Remove(caCert)
+
+	mux, err := NewMutualTLSMux(tcpListener, nil, cert, key, caCert)
+	if err != nil {
+		t.Fatalf("failed to create mutual TLS mux: %s", err.Error())
+	}
+	defer mux.Close()
+	go mux.Serve()
+
+	if mux.tlsConfig.ClientAuth != tls.RequireAndVerifyClientCert {
+		t.Fatalf("expected RequireAndVerifyClientCert, got %v", mux.tlsConfig.ClientAuth)
+	}
+
+	conn, err := tls.Dial("tcp", tcpListener.Addr().String(), &tls.Config{
+		InsecureSkipVerify: true,
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer conn.Close()
+
+	// Ensure mutual TLS is being enforced.
+	var b [1]byte
+	_, err = conn.Read(b[:])
+	if err == nil {
+		t.Fatalf("expected error reading from mux enforcing mutual TLS, got nil")
+	}
+	if !strings.Contains(err.Error(), "certificate required") {
+		t.Fatalf("expected error to reference missing client certificate, got %s", err.Error())
+	}
+}
+
 type mockAddr struct {
 	Nwk  string
 	Addr string

testdata/x509/resources.go

@@ -32,6 +32,20 @@ func KeyExample2DotComFile(dir string) string {
 	return mustWriteToFile(dir, keyExample2DotCom)
 }
 
+// CertMyCAFile returns the path to a temporary file, in directory dir, containing
+// a cert for MyCA. It is up to the caller to remove the file when finished. If
+// dir is the empty string then the default directory for temporary files is used.
+func CertMyCAFile(dir string) string {
+	return mustWriteToFile(dir, certMyCA)
+}
+
+// KeyMyCAFile returns the path to a temporary file, in directory dir, containing
+// a key for MyCA. It is up to the caller to remove the file when finished. If
+// dir is the empty string then the default directory for temporary files is used.
+func KeyMyCAFile(dir string) string {
+	return mustWriteToFile(dir, keyMyCA)
+}
+
 func mustWriteToFile(dir, content string) string {
 	b := []byte(content)
 
@@ -194,3 +208,86 @@ xL6SNC89BNBLv/b0lF56wZLJFxNUpGXhXubKkVs2R1RXD1g8jBLxxYDDojRjWNKS
 g9XUfUSm7eCstxigUwWFO6KVeoSD/D6dfWZr9SPY9rjR1LC0ZiC/nyZ98G2NG/FR
 QgBvCKLHjbZEXIu034vg9i+R4rsTsA==
 -----END PRIVATE KEY-----`
+
+const certMyCA = `-----BEGIN CERTIFICATE-----
+MIIFATCCAumgAwIBAgIUWdSOeSdBWWpL5VMDbmypWFlso2kwDQYJKoZIhvcNAQEL
+BQAwEDEOMAwGA1UEAwwFTXkgQ0EwHhcNMjUwODA4MTQzOTIxWhcNMzUwODA2MTQz
+OTIxWjAQMQ4wDAYDVQQDDAVNeSBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCC
+AgoCggIBAJki0vLOrwvfqszCPDWqonjqd5MN3R6G44jmHCLR/VhFHejk/BMaBElC
+6uFvrFDIf5EvphDnC4kmIEVHYS/iWY8VayTLjl3nXJItXCjqUtPDAcbEhkssNxJm
+N2PrtljGL0gRhUzPaCz0c4F+Z48WXmmcxMHOsmaHvKX9NvexvkK6OLOGsT3RhTE5
+EilHJeASkEY15MHJyubvT5vndNHisM7EG+5XmgdlEID3ZSj7HC5guneP9GQzPxsB
+8ac2UfjuPRKr+sGBGKPxzwOS+0MqUL5Qr0ArOxViwY4VUjLmaDv0e24yhxx9wv8U
+C3I0K3LSH1uniHnHfvj2sxp6p2x9YEZ8j6LB012/bVongtGRC1Lifrmt9+V3Jrvg
+YjxkCVFDksFP3+6POooTsyUR/GkDsI8pJ6ozhK1zhF+iZ7Qx3kkpSdLY6n/mc2TS
+gFGCqv9+i/IjGhJML4sNXakr2Gg57Yi74Qzi70tqUDlVKSQPvy3zBKU1+5I1FqAC
+nF4Lg9u82sXoS/GDh/KvD00IrusTmJJtF36cTFrFIxYgNHXIvgdL4Z856tF58nOQ
+Y7n2xNkZ2rtkCxsi9mwrEzpqN/6oI+HGgOfAZgoVi5fqVHM5r3Adjh8shndynPJ2
+d0a1ynWWm7qYOmv7vvJzjN06ffFo3j1G40fz3ZHI4X1ZTKaMbcfJAgMBAAGjUzBR
+MB0GA1UdDgQWBBQuhJuIW4kDYOwbifxQGgDP4RCQJTAfBgNVHSMEGDAWgBQuhJuI
+W4kDYOwbifxQGgDP4RCQJTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUA
+A4ICAQBsa1DPa5JMGKkoIiW9bXOvphp4CptsLyZrS7Wr2AvbY8UI8baZM4nQFEJJ
+Im+Ki9fPoewPKAwb3yv9SLMkfqkSyfO06vgv/8G6ZeA7E1iL9HybM7DMtMn7/sZr
+BDiZreArMhkCTtgkFFa1dUkoYeliQwQUZE22IZp/ekeb7dB44mGNlego2O4exJ57
+RTRTdRI7oBhSe9Q4pum0phASY+DTLw9s44cHq9ZDner2lFHLxRUBu+JKn6IrYwNP
+HlLrRwpAIVBTaJjYTaFTEwMbMtssY206INVvGAps7nhnVSE/OcHGVj/SMJpg/2Qg
+xoEEKJWzXAYwnqLSzDwg3KJAu4UdxsN3S/5GddqvUds2VDu1R1XgYZkve/ZZDHKN
+kP6FUIyi1daHUUJKDguj3Aepws/s7XlCeqwGELPObmY3rCWKv7Y7TBSPHMafndmq
+TKKq7u873ismVdQYp6KJ4lApNFIN5dmm28nFLmxii9Q7lbwlPsq1p1W6AhDLFNdi
+6eT/17pRxZ37rEXEfOIKZf3ZBc6DuZmMs/HLiPlE8tU4kcFBR++hNEmSPeDepP3F
+ZHrVZiE433Be0VCKa8Ew3gDB9e4XVWvd2Sny02F4VsV16x4gFfqqASxHDjXSVwrQ
+f3KZus/PhFncv3YcyqZhQbIKNrLsiLg6bCoFo6TGw0r4e3AeeA==
+-----END CERTIFICATE-----`
+
+const keyMyCA = `-----BEGIN PRIVATE KEY-----
+MIIJQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQCZItLyzq8L36rM
+wjw1qqJ46neTDd0ehuOI5hwi0f1YRR3o5PwTGgRJQurhb6xQyH+RL6YQ5wuJJiBF
+R2Ev4lmPFWsky45d51ySLVwo6lLTwwHGxIZLLDcSZjdj67ZYxi9IEYVMz2gs9HOB
+fmePFl5pnMTBzrJmh7yl/Tb3sb5CujizhrE90YUxORIpRyXgEpBGNeTBycrm70+b
+53TR4rDOxBvuV5oHZRCA92Uo+xwuYLp3j/RkMz8bAfGnNlH47j0Sq/rBgRij8c8D
+kvtDKlC+UK9AKzsVYsGOFVIy5mg79HtuMoccfcL/FAtyNCty0h9bp4h5x3749rMa
+eqdsfWBGfI+iwdNdv21aJ4LRkQtS4n65rffldya74GI8ZAlRQ5LBT9/ujzqKE7Ml
+EfxpA7CPKSeqM4Stc4Rfome0Md5JKUnS2Op/5nNk0oBRgqr/fovyIxoSTC+LDV2p
+K9hoOe2Iu+EM4u9LalA5VSkkD78t8wSlNfuSNRagApxeC4PbvNrF6Evxg4fyrw9N
+CK7rE5iSbRd+nExaxSMWIDR1yL4HS+GfOerRefJzkGO59sTZGdq7ZAsbIvZsKxM6
+ajf+qCPhxoDnwGYKFYuX6lRzOa9wHY4fLIZ3cpzydndGtcp1lpu6mDpr+77yc4zd
+On3xaN49RuNH892RyOF9WUymjG3HyQIDAQABAoICAHavR8EJsR9JvY2uqI2Lbxq5
+1ezyHMMxFh4fAgV2rJyCDPlYp4mCa3oAVBxeubVuf3gd7t5Aw28LTo2DEe7Txkef
++QdugCuFSfi9ESVg3sri43iTDeYrIY+wCxP1NsE88J4xfheW1A2rc+4T8t0yIABI
+kTIIKbpPT0Vyp+x3JJeAzrtNFAduYIVSzyGQ0+kDWjAgSuhqpkgvh4q0a5TT1eaa
+lW83E9jRWmYp14xYenHzY/GQb4BNO4aKDiljb0q4EjtrcRASJu/BVIlXnEdk/2lR
+DVJ1bvhXLt4Y5jku2/BDvnoczRym179sYKalilsWQVl+0cZYeK8qPIu0LhhmX3tu
+wwmcng2zomXVpqvdtL9sT1d5Ia0ywhg3XI2ZFw01PJyyK1TLy7h8E6VmbWFStoND
+kqidRmTWHTM2GEwc1Wj5zsal55Zmr8hV5j+kYZkTeIQIvQi5FN7sZ/LhaguP5zHX
+HYMmb9vf1sFLxbVJTtPapf8U001ky7NYHNPf4ll72KvmPUAnYUP4VnMgR1uDwB83
+V3i4HiGEq8OPIgEbk5V+LhxR41WttqgogiP/o+z8MsrXdMGQhHhtKQfB1g63RA4o
+rHP1WcYmSDl4xFjxoZJTAGplEpkxjnQaMWJaGZGzhfeiAultOXrO02kfcR+icmC/
+qjmNWz8Fholw8VXjDDklAoIBAQDLACRWKt1Xpd09mk2FNDYxt0nGCM4GFhxddQdz
+4+wyd/inpgVJQZyratISJtpj0qi02yCkeW2AgK4X7uHuiynZrxToMy4XDCNRwmFH
+VRSE4XxBxQSF9Ygsw7m2FWC0lr0IuJtEI585KbjHSv9nnmHCOF3sLFb2u0u5pCSl
+HNZECSkv9nTX/PGQVz8sp5qfWo9DO1FPSJtOAA0obcCStz/lixXGPkdWqRaz7n0O
+FCEN31OfhoGbPfGPSyuu4Rzgr4aKUMyZ12oZHw59vyp4WkE96ZKWxYQgo7RvUaC1
+D3zbXfX2YpKjCqUs+Dkrd19L7T3+t7NEIDoY1Dvukg/83ELTAoIBAQDBHei3nRlu
+82UGB36WAWmlobF0ZlkQ7y6xPGGhT6d7u67kt4j2S+KrAdyZCHpohxhlVyfjP44W
+fw1woQUUz/XrvKEJgcmZ3en72P2hUKilzR5SqvbkUBOdL6D/3rwXbTHuUk9wV13U
+ob27nIGR/I2/MhbRpHCu0f3ngQWPMhGP5DTN8J+MmEnI2/4UlfL7AVxCarWtTkrU
+RpyXhfOvTAoD9ogAFPOmvrDokAxrajNCuSsqJyRG1vYnBqz8RslHGbBDKlJpLt8M
+Co8nnaWp8wSaz9n1JFq0zlaDq2OMEsu1QqlFEWTuLtnSR7B8/RHhf7IQGDiH8HJm
+tLjQSYud7VFzAoIBAHGzI6cLnSvxX8iYO2EnTE9uTKjZ16M7ESobWVBE0c+2uJQV
+/hH46OpuCzlVf663l/ysW00kIfv+lwQarXrxgUBGuxwPRnpsNwAdMmVEtxhyPymL
+UyxAyMPh4Iumz6J2Z2ySEY0Jsq3Ou4sMa58666Bf9+NHNnI9l31j/Y5pZ212ABa4
+INu09gwVgfHd8lHc5C8Q80rH7Qy0JKqHRnwmnWhRDaIa0dQtIuUm5+5Rwe3GL01D
+hiZQfJL41H+/4G/MgDvKY76rE+b8KR6vSvdb/fzSbWN7P7UUXASZoLyo7xLjPteA
+gIdHeBqG8WZyFvMs7zNS6tp2fnPXs7W9I61KJTcCggEAHkn5oSrjvVIxiyOLyC1K
+i67zrUUMPSq2kRfeXDWpGDAUu0zKD49Rau7s0ZfR0yk1O1fTKsJiH8cnrX2j1WLU
+uHeqblpL63Ux6M1c4ntLKE4mrmKgPKkOmn3I67jcmXQH+9AvI3igf+QqZQ2kCOiq
+ts09ZP48qj7HaxMCczYwKPhrC83syFluYTGYBVSLerD47nXcLuVzuR2mG+HnmZv8
+iiiVpiWjHYkVKDTHreVHSvTN/1uKRg4bJ33Vje/wS9WMnsw5hsPSOgpB7727KQ+z
+rjBhiCB+lZMzYI12HJcqGjDtaabTxMPWaDPUS5ZJwquLmxihbTjaSJ+ZyRlv64I4
+XwKCAQBoYexvzN3czN8sEsFNZo5tFZygMSICpAC8lThuvvDqcA/viltNqzovxxCu
+tODBBCElZJgb1VhQk+R2qzL0Bsl00+kmZhU+6giN+PrY1lqcosY1r29E0W14S1Wj
+mTMM6u3U0Jfkgp8OZ3WVVvQVdmQkbUN4sk9Z7re9Cmlp6bzS2RV1/usoMceLTcVS
+/pnnVZ1u4V2Tt8IxwsQYbbE57t+QCMGv/ylE1SMAlXxdPUaBCuwCtmWs8SbAxNSa
+RWniZL1v+6JgYgK60L1Uj8PmdVjPWmvyvR29zcIBezPnxUPfdxuox59kdkXewHlY
+JWSva+1sRpG7RkUO5VbdhZ7CUKg1
+-----END PRIVATE KEY-----`