
etcdserver: mark flag as experimental, add to changelog and configuration

Martin Weindel 6 years ago
parent
commit
149e5dc291
3 changed files with 11 additions and 1 deletions
  1. 1 0
      CHANGELOG-3.4.md
  2. 9 0
      Documentation/op-guide/configuration.md
  3. 1 1
      etcdmain/config.go

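--- a/CHANGELOG-3.4.md
+++ b/CHANGELOG-3.4.md
@@ -67,6 +67,7 @@ See [code changes](https://github.com/etcd-io/etcd/compare/v3.3.0...v3.4.0) and
 - Add [`Verify` function to perform corruption check on WAL contents](https://github.com/etcd-io/etcd/pull/10603).
 - Improve [heartbeat send failure logging](https://github.com/etcd-io/etcd/pull/10663).
 - Support [users with no password](https://github.com/etcd-io/etcd/pull/9817) for reducing security risk introduced by leaked password. The users can only be authenticated with CommonName based auth.
+- Add flag `--experimental-peer-skip-client-san-verification` to [skip verification of peer client address](https://github.com/etcd-io/etcd/pull/10524)
 
 ### Breaking Changes
 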

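--- a/Documentation/op-guide/configuration.md
+++ b/Documentation/op-guide/configuration.md
@@ -457,3 +457,12 @@ Follow the instructions when using these flags.
 [tuning]: ../tuning.md#time-parameters
 [sample-config-file]: ../../etcd.conf.yml.sample
 [recovery]: recovery.md#disaster-recovery
+
+### --experimental-peer-skip-client-san-verification
++ Skip verification of SAN field in client certificate for peer connections. This can be helpful e.g. if
+cluster members run in different networks behind a NAT.
+
+  In this case make sure to use peer certificates based on
+a private certificate authority using `--peer-cert-file`, `--peer-key-file`, `--peer-trusted-ca-file`
++ default: false
++ env variable: ETCD_EXPERIMENTAL_PEER_SKIP_CLIENT_SAN_VERIFICATION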

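--- a/etcdmain/config.go
+++ b/etcdmain/config.go
@@ -213,7 +213,7 @@ func newConfig() *config {
 	fs.StringVar(&cfg.ec.PeerTLSInfo.AllowedCN, "peer-cert-allowed-cn", "", "Allowed CN for inter peer authentication.")
 	fs.StringVar(&cfg.ec.PeerTLSInfo.AllowedHostname, "peer-cert-allowed-hostname", "", "Allowed TLS hostname for inter peer authentication.")
 	fs.Var(flags.NewStringsValue(""), "cipher-suites", "Comma-separated list of supported TLS cipher suites between client/server and peers (empty will be auto-populated by Go).")
-	fs.BoolVar(&cfg.ec.PeerTLSInfo.SkipClientSANVerify, "peer-skip-client-san-verification", false, "Skip verification of SAN field in client certificate for peer connections.")
+	fs.BoolVar(&cfg.ec.PeerTLSInfo.SkipClientSANVerify, "experimental-peer-skip-client-san-verification", false, "Skip verification of SAN field in client certificate for peer connections.")
 
 	fs.Var(
 		flags.NewUniqueURLsWithExceptions("*", "*"),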