DOCS-16006

[Server] Investigate changes in SERVER-74989: Create configuration file option for custom X.509 subject name matching

      Original Downstream Change Summary

      This change adds a new mechanism by which cluster members may identify each other when using X.509-based authentication. Specifically, it introduces a new config file option, net.tls.clusterAuthX509.attributes, that lets customers specify X.509 subject DN attribute name/value pairs that a connecting certificate must contain in order to be treated as a peer cluster member. It overrides the default behavior, which checks that the DC, O, and OU attributes of the connecting certificate match those of the server's own member certificate.

      Description of Linked Ticket

      Today, a server determines whether a connecting client is a peer server node either via keyfile authentication or via X.509. If X.509 authentication is enabled on the server and the connecting client's certificate has a subject DN with the same O, OU, and DC attributes as the server's certificate, the connecting client is treated as a peer server node.

      To make this more customizable, we will add a configuration file option that takes priority over this default policy. The option specifies a set of subject DN attributes and values that the server checks for in the connecting client's certificate; if they all match, the client is treated as a peer server node.
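      The two policies described above, as an added illustration that is not MongoDB's code and not part of this ticket: the default policy compares the DC, O and OU attributes of the connecting certificate with the server's own member certificate, while the configured policy only checks that every configured name/value pair is present in the connecting subject, so it can accept a peer whose DC differs from the server's, and it ignores CN in both cases. The subject strings, the comma-separated TYPE=value form used for the configured pairs, and the function names are assumptions made for the example; the page does not state the exact value syntax the real option accepts.

```python
"""Peer-membership matching on X.509 subject DNs: default policy vs. configured attributes.
Illustrative code only; not MongoDB's implementation."""
from typing import List, Optional, Tuple

# Default policy (as described in the ticket): these subject attributes must match
# between the connecting certificate and the server's own member certificate.
DEFAULT_MATCH_ATTRS = ("DC", "O", "OU")

DN = List[Tuple[str, str]]


def parse_dn(dn: str) -> DN:
    """Parse a comma-separated 'TYPE=value' string into (TYPE, value) pairs.

    Backslash-escaped commas inside a value are honoured; attribute types are
    upper-cased so 'ou=' and 'OU=' compare equal. This is a deliberately small
    parser for the example, not a full RFC 4514 implementation."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped character: take it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":                             # unescaped comma ends the RDN
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))

    pairs: DN = []
    for rdn in rdns:
        rdn = rdn.strip()
        if not rdn:
            continue
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        key, value = rdn.split("=", 1)
        pairs.append((key.strip().upper(), value.strip()))
    return pairs


def attr_values(pairs: DN, attr: str) -> List[str]:
    """All values of one attribute type (DC is commonly multi-valued)."""
    return [v for k, v in pairs if k == attr]


def default_policy(server_subject: str, peer_subject: str) -> bool:
    """Peer is a member iff DC, O and OU match the server's member certificate.
    Multi-valued attributes are compared as sets, so ordering does not matter."""
    server, peer = parse_dn(server_subject), parse_dn(peer_subject)
    return all(sorted(attr_values(server, a)) == sorted(attr_values(peer, a))
               for a in DEFAULT_MATCH_ATTRS)


def attributes_policy(configured: str, peer_subject: str) -> bool:
    """Peer is a member iff every configured (TYPE, value) pair appears in its subject.
    `configured` stands in for net.tls.clusterAuthX509.attributes; its exact syntax
    is an assumption of this example."""
    required, peer = parse_dn(configured), parse_dn(peer_subject)
    if not required:
        raise ValueError("configured attribute set must not be empty")
    return all((rk, rv) in peer for rk, rv in required)


def is_cluster_member(server_subject: str, peer_subject: str,
                      configured: Optional[str] = None) -> bool:
    """The configured attribute set takes priority over the default policy."""
    if configured:
        return attributes_policy(configured, peer_subject)
    return default_policy(server_subject, peer_subject)


# Constructed sample subjects (not real certificates).
SERVER_SUBJECT = "CN=mongo-1.example.com,OU=Cluster,O=Example Corp,DC=example,DC=com"
PEER_SAME_ORG = "CN=mongo-2.example.com,OU=Cluster,O=Example Corp,DC=example,DC=com"
PEER_NEW_DOMAIN = "CN=mongo-3.example.net,OU=Cluster,O=Example Corp,DC=example,DC=net"
CLIENT_CERT = "CN=alice,O=Example Corp,DC=example,DC=com"
CONFIGURED = "O=Example Corp,OU=Cluster"

if __name__ == "__main__":
    for name, subj in (("same org", PEER_SAME_ORG), ("new domain", PEER_NEW_DOMAIN),
                       ("client cert", CLIENT_CERT)):
        print(f"{name:12s} default={is_cluster_member(SERVER_SUBJECT, subj)!s:5s} "
              f"configured={is_cluster_member(SERVER_SUBJECT, subj, CONFIGURED)}")
```

      Note what each policy does and does not look at: under the default policy a certificate from a different DC is rejected even if it carries the cluster OU, while under the configured policy any certificate carrying the configured pairs is accepted regardless of its other attributes. Choosing a value for the option therefore means choosing an attribute/value pair that only cluster member certificates are ever issued with.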

            Assignee:
            kenneth.dyer@mongodb.com Kenneth Dyer
            Reporter:
            backlog-server-pm Backlog - Core Eng Program Management Team

              Resolved: 42 weeks, 6 days ago