2016-05-13 06:48:53 +03:00
|
|
|
// Copyright 2015 The etcd Authors
|
2015-01-25 06:19:16 +03:00
|
|
|
//
|
|
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
// you may not use this file except in compliance with the License.
|
|
|
|
// You may obtain a copy of the License at
|
|
|
|
//
|
|
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
//
|
|
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
// See the License for the specific language governing permissions and
|
|
|
|
// limitations under the License.
|
2014-10-18 02:41:22 +04:00
|
|
|
|
2014-09-23 03:35:00 +04:00
|
|
|
package transport
|
|
|
|
|
|
|
|
import (
|
2016-02-09 22:49:29 +03:00
|
|
|
"crypto/ecdsa"
|
|
|
|
"crypto/elliptic"
|
|
|
|
"crypto/rand"
|
2014-09-23 03:48:12 +04:00
|
|
|
"crypto/tls"
|
|
|
|
"crypto/x509"
|
2016-02-09 22:49:29 +03:00
|
|
|
"crypto/x509/pkix"
|
2014-09-23 03:48:12 +04:00
|
|
|
"encoding/pem"
|
2017-09-22 12:22:09 +03:00
|
|
|
"errors"
|
2014-09-23 03:48:12 +04:00
|
|
|
"fmt"
|
2016-02-09 22:49:29 +03:00
|
|
|
"math/big"
|
2014-09-23 03:35:00 +04:00
|
|
|
"net"
|
2016-02-09 22:49:29 +03:00
|
|
|
"os"
|
2017-03-16 05:31:10 +03:00
|
|
|
"path/filepath"
|
2017-04-13 20:48:06 +03:00
|
|
|
"strings"
|
2014-09-23 19:43:20 +04:00
|
|
|
"time"
|
2016-03-31 19:45:45 +03:00
|
|
|
|
2019-05-29 00:59:02 +03:00
|
|
|
"go.etcd.io/etcd/pkg/tlsutil"
|
2018-04-02 23:37:07 +03:00
|
|
|
|
|
|
|
"go.uber.org/zap"
|
2014-09-23 03:35:00 +04:00
|
|
|
)
|
|
|
|
|
2018-04-02 23:37:07 +03:00
|
|
|
// NewListener creates a new listner.
|
2017-04-07 07:01:33 +03:00
|
|
|
func NewListener(addr, scheme string, tlsinfo *TLSInfo) (l net.Listener, err error) {
|
2016-07-20 02:47:14 +03:00
|
|
|
if l, err = newListener(addr, scheme); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2018-05-10 01:06:11 +03:00
|
|
|
return wrapTLS(scheme, tlsinfo, l)
|
2016-07-20 02:47:14 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
func newListener(addr string, scheme string) (net.Listener, error) {
|
2016-06-25 01:55:06 +03:00
|
|
|
if scheme == "unix" || scheme == "unixs" {
|
2016-01-06 23:09:05 +03:00
|
|
|
// unix sockets via unix://laddr
|
2016-07-20 02:47:14 +03:00
|
|
|
return NewUnixListener(addr)
|
2016-01-06 23:09:05 +03:00
|
|
|
}
|
2016-07-20 02:47:14 +03:00
|
|
|
return net.Listen("tcp", addr)
|
|
|
|
}
|
2016-01-06 23:09:05 +03:00
|
|
|
|
2018-05-10 01:06:11 +03:00
|
|
|
func wrapTLS(scheme string, tlsinfo *TLSInfo, l net.Listener) (net.Listener, error) {
|
2016-07-20 02:47:14 +03:00
|
|
|
if scheme != "https" && scheme != "unixs" {
|
|
|
|
return l, nil
|
2014-09-23 03:48:12 +04:00
|
|
|
}
|
2019-06-11 18:28:01 +03:00
|
|
|
if tlsinfo != nil && tlsinfo.SkipClientSANVerify {
|
2019-03-05 16:23:41 +03:00
|
|
|
return NewTLSListener(l, tlsinfo)
|
|
|
|
}
|
2017-06-16 04:25:00 +03:00
|
|
|
return newTLSListener(l, tlsinfo, checkSAN)
|
2014-09-23 03:48:12 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
type TLSInfo struct {
|
2019-06-11 18:28:01 +03:00
|
|
|
CertFile string
|
|
|
|
KeyFile string
|
|
|
|
TrustedCAFile string
|
|
|
|
ClientCertAuth bool
|
|
|
|
CRLFile string
|
|
|
|
InsecureSkipVerify bool
|
|
|
|
SkipClientSANVerify bool
|
2014-09-24 00:38:57 +04:00
|
|
|
|
2016-08-02 20:40:20 +03:00
|
|
|
// ServerName ensures the cert matches the given host in case of discovery / virtual hosting
|
|
|
|
ServerName string
|
|
|
|
|
2017-05-18 22:09:22 +03:00
|
|
|
// HandshakeFailure is optionally called when a connection fails to handshake. The
|
2017-04-07 07:01:33 +03:00
|
|
|
// connection will be closed immediately afterwards.
|
|
|
|
HandshakeFailure func(*tls.Conn, error)
|
|
|
|
|
2018-06-04 16:47:33 +03:00
|
|
|
// CipherSuites is a list of supported cipher suites.
|
|
|
|
// If empty, Go auto-populates it by default.
|
|
|
|
// Note that cipher suites are prioritized in the given order.
|
|
|
|
CipherSuites []uint16
|
|
|
|
|
2016-02-09 22:49:29 +03:00
|
|
|
selfCert bool
|
|
|
|
|
2014-09-24 00:38:57 +04:00
|
|
|
// parseFunc exists to simplify testing. Typically, parseFunc
|
|
|
|
// should be left nil. In that case, tls.X509KeyPair will be used.
|
|
|
|
parseFunc func([]byte, []byte) (tls.Certificate, error)
|
2017-09-22 12:22:09 +03:00
|
|
|
|
|
|
|
// AllowedCN is a CN which must be provided by a client.
|
|
|
|
AllowedCN string
|
2018-04-02 23:37:07 +03:00
|
|
|
|
2019-07-03 03:41:37 +03:00
|
|
|
// AllowedHostname is an IP address or hostname that must match the TLS
|
2019-04-04 20:53:13 +03:00
|
|
|
// certificate provided by a client.
|
2019-07-03 03:41:37 +03:00
|
|
|
AllowedHostname string
|
2019-04-04 20:53:13 +03:00
|
|
|
|
2018-04-02 23:37:07 +03:00
|
|
|
// Logger logs TLS errors.
|
|
|
|
// If nil, all logs are discarded.
|
|
|
|
Logger *zap.Logger
|
2018-12-22 18:21:53 +03:00
|
|
|
|
|
|
|
// EmptyCN indicates that the cert must have empty CN.
|
|
|
|
// If true, ClientConfig() will return an error for a cert with non empty CN.
|
|
|
|
EmptyCN bool
|
2014-09-23 03:48:12 +04:00
|
|
|
}
|
|
|
|
|
2014-11-13 07:11:04 +03:00
|
|
|
func (info TLSInfo) String() string {
|
2018-03-21 01:15:41 +03:00
|
|
|
return fmt.Sprintf("cert = %s, key = %s, trusted-ca = %s, client-cert-auth = %v, crl-file = %s", info.CertFile, info.KeyFile, info.TrustedCAFile, info.ClientCertAuth, info.CRLFile)
|
2014-11-13 07:11:04 +03:00
|
|
|
}
|
|
|
|
|
2014-09-23 03:48:12 +04:00
|
|
|
func (info TLSInfo) Empty() bool {
|
|
|
|
return info.CertFile == "" && info.KeyFile == ""
|
|
|
|
}
|
|
|
|
|
2019-04-26 16:04:40 +03:00
|
|
|
func SelfCert(lg *zap.Logger, dirpath string, hosts []string, additionalUsages ...x509.ExtKeyUsage) (info TLSInfo, err error) {
|
2017-02-20 04:24:10 +03:00
|
|
|
if err = os.MkdirAll(dirpath, 0700); err != nil {
|
2016-02-09 22:49:29 +03:00
|
|
|
return
|
|
|
|
}
|
2018-04-02 23:37:07 +03:00
|
|
|
info.Logger = lg
|
2016-02-09 22:49:29 +03:00
|
|
|
|
2017-03-16 05:31:10 +03:00
|
|
|
certPath := filepath.Join(dirpath, "cert.pem")
|
|
|
|
keyPath := filepath.Join(dirpath, "key.pem")
|
2016-02-09 22:49:29 +03:00
|
|
|
_, errcert := os.Stat(certPath)
|
|
|
|
_, errkey := os.Stat(keyPath)
|
|
|
|
if errcert == nil && errkey == nil {
|
|
|
|
info.CertFile = certPath
|
|
|
|
info.KeyFile = keyPath
|
|
|
|
info.selfCert = true
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
|
|
|
|
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
|
|
|
|
if err != nil {
|
2018-04-16 20:11:45 +03:00
|
|
|
if info.Logger != nil {
|
|
|
|
info.Logger.Warn(
|
|
|
|
"cannot generate random number",
|
|
|
|
zap.Error(err),
|
|
|
|
)
|
|
|
|
}
|
2016-02-09 22:49:29 +03:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
tmpl := x509.Certificate{
|
|
|
|
SerialNumber: serialNumber,
|
|
|
|
Subject: pkix.Name{Organization: []string{"etcd"}},
|
|
|
|
NotBefore: time.Now(),
|
|
|
|
NotAfter: time.Now().Add(365 * (24 * time.Hour)),
|
|
|
|
|
|
|
|
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
|
2019-04-26 16:04:40 +03:00
|
|
|
ExtKeyUsage: append([]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, additionalUsages...),
|
2016-02-09 22:49:29 +03:00
|
|
|
BasicConstraintsValid: true,
|
|
|
|
}
|
|
|
|
|
|
|
|
for _, host := range hosts {
|
2017-04-04 19:38:30 +03:00
|
|
|
h, _, _ := net.SplitHostPort(host)
|
|
|
|
if ip := net.ParseIP(h); ip != nil {
|
2016-02-09 22:49:29 +03:00
|
|
|
tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
|
|
|
|
} else {
|
2017-04-04 19:38:30 +03:00
|
|
|
tmpl.DNSNames = append(tmpl.DNSNames, h)
|
2016-02-09 22:49:29 +03:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
priv, err := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
|
|
|
|
if err != nil {
|
2018-04-16 20:11:45 +03:00
|
|
|
if info.Logger != nil {
|
|
|
|
info.Logger.Warn(
|
|
|
|
"cannot generate ECDSA key",
|
|
|
|
zap.Error(err),
|
|
|
|
)
|
|
|
|
}
|
2016-02-09 22:49:29 +03:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
derBytes, err := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, &priv.PublicKey, priv)
|
|
|
|
if err != nil {
|
2018-04-16 20:11:45 +03:00
|
|
|
if info.Logger != nil {
|
|
|
|
info.Logger.Warn(
|
|
|
|
"cannot generate x509 certificate",
|
|
|
|
zap.Error(err),
|
|
|
|
)
|
|
|
|
}
|
2016-02-09 22:49:29 +03:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
certOut, err := os.Create(certPath)
|
|
|
|
if err != nil {
|
2018-04-02 23:37:07 +03:00
|
|
|
info.Logger.Warn(
|
|
|
|
"cannot cert file",
|
|
|
|
zap.String("path", certPath),
|
|
|
|
zap.Error(err),
|
|
|
|
)
|
2016-02-09 22:49:29 +03:00
|
|
|
return
|
|
|
|
}
|
|
|
|
pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
|
|
|
|
certOut.Close()
|
2018-04-16 20:11:45 +03:00
|
|
|
if info.Logger != nil {
|
|
|
|
info.Logger.Info("created cert file", zap.String("path", certPath))
|
|
|
|
}
|
2016-02-09 22:49:29 +03:00
|
|
|
|
|
|
|
b, err := x509.MarshalECPrivateKey(priv)
|
|
|
|
if err != nil {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
keyOut, err := os.OpenFile(keyPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
|
|
|
|
if err != nil {
|
2018-04-16 20:11:45 +03:00
|
|
|
if info.Logger != nil {
|
|
|
|
info.Logger.Warn(
|
|
|
|
"cannot key file",
|
|
|
|
zap.String("path", keyPath),
|
|
|
|
zap.Error(err),
|
|
|
|
)
|
|
|
|
}
|
2016-02-09 22:49:29 +03:00
|
|
|
return
|
|
|
|
}
|
|
|
|
pem.Encode(keyOut, &pem.Block{Type: "EC PRIVATE KEY", Bytes: b})
|
|
|
|
keyOut.Close()
|
2018-04-16 20:11:45 +03:00
|
|
|
if info.Logger != nil {
|
|
|
|
info.Logger.Info("created key file", zap.String("path", keyPath))
|
|
|
|
}
|
2018-04-02 23:37:07 +03:00
|
|
|
return SelfCert(lg, dirpath, hosts)
|
2016-02-09 22:49:29 +03:00
|
|
|
}
|
|
|
|
|
2018-04-13 23:53:34 +03:00
|
|
|
// baseConfig is called on initial TLS handshake start.
|
|
|
|
//
|
|
|
|
// Previously,
|
|
|
|
// 1. Server has non-empty (*tls.Config).Certificates on client hello
|
|
|
|
// 2. Server calls (*tls.Config).GetCertificate iff:
|
|
|
|
// - Server's (*tls.Config).Certificates is not empty, or
|
|
|
|
// - Client supplies SNI; non-empty (*tls.ClientHelloInfo).ServerName
|
|
|
|
//
|
|
|
|
// When (*tls.Config).Certificates is always populated on initial handshake,
|
|
|
|
// client is expected to provide a valid matching SNI to pass the TLS
|
|
|
|
// verification, thus trigger server (*tls.Config).GetCertificate to reload
|
|
|
|
// TLS assets. However, a cert whose SAN field does not include domain names
|
|
|
|
// but only IP addresses, has empty (*tls.ClientHelloInfo).ServerName, thus
|
|
|
|
// it was never able to trigger TLS reload on initial handshake; first
|
|
|
|
// ceritifcate object was being used, never being updated.
|
|
|
|
//
|
|
|
|
// Now, (*tls.Config).Certificates is created empty on initial TLS client
|
|
|
|
// handshake, in order to trigger (*tls.Config).GetCertificate and populate
|
|
|
|
// rest of the certificates on every new TLS connection, even when client
|
|
|
|
// SNI is empty (e.g. cert only includes IPs).
|
2014-09-23 19:54:24 +04:00
|
|
|
func (info TLSInfo) baseConfig() (*tls.Config, error) {
|
2014-09-23 03:48:12 +04:00
|
|
|
if info.KeyFile == "" || info.CertFile == "" {
|
|
|
|
return nil, fmt.Errorf("KeyFile and CertFile must both be present[key: %v, cert: %v]", info.KeyFile, info.CertFile)
|
|
|
|
}
|
2018-04-02 23:37:07 +03:00
|
|
|
if info.Logger == nil {
|
|
|
|
info.Logger = zap.NewNop()
|
|
|
|
}
|
2014-09-23 03:48:12 +04:00
|
|
|
|
2018-04-06 22:27:08 +03:00
|
|
|
_, err := tlsutil.NewCert(info.CertFile, info.KeyFile, info.parseFunc)
|
2014-09-23 03:48:12 +04:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
2014-10-15 23:08:59 +04:00
|
|
|
cfg := &tls.Config{
|
2018-04-06 22:27:08 +03:00
|
|
|
MinVersion: tls.VersionTLS12,
|
|
|
|
ServerName: info.ServerName,
|
2014-10-15 23:08:59 +04:00
|
|
|
}
|
2017-09-22 12:22:09 +03:00
|
|
|
|
2018-06-04 16:47:33 +03:00
|
|
|
if len(info.CipherSuites) > 0 {
|
|
|
|
cfg.CipherSuites = info.CipherSuites
|
|
|
|
}
|
|
|
|
|
2019-04-04 20:53:13 +03:00
|
|
|
// Client certificates may be verified by either an exact match on the CN,
|
|
|
|
// or a more general check of the CN and SANs.
|
|
|
|
var verifyCertificate func(*x509.Certificate) bool
|
2017-09-22 12:22:09 +03:00
|
|
|
if info.AllowedCN != "" {
|
2019-07-03 03:41:37 +03:00
|
|
|
if info.AllowedHostname != "" {
|
|
|
|
return nil, fmt.Errorf("AllowedCN and AllowedHostname are mutually exclusive (cn=%q, hostname=%q)", info.AllowedCN, info.AllowedHostname)
|
2019-04-04 20:53:13 +03:00
|
|
|
}
|
|
|
|
verifyCertificate = func(cert *x509.Certificate) bool {
|
|
|
|
return info.AllowedCN == cert.Subject.CommonName
|
|
|
|
}
|
|
|
|
}
|
2019-07-03 03:41:37 +03:00
|
|
|
if info.AllowedHostname != "" {
|
2019-04-04 20:53:13 +03:00
|
|
|
verifyCertificate = func(cert *x509.Certificate) bool {
|
2019-07-03 03:41:37 +03:00
|
|
|
return cert.VerifyHostname(info.AllowedHostname) == nil
|
2019-04-04 20:53:13 +03:00
|
|
|
}
|
|
|
|
}
|
|
|
|
if verifyCertificate != nil {
|
2017-09-22 12:22:09 +03:00
|
|
|
cfg.VerifyPeerCertificate = func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
|
|
|
|
for _, chains := range verifiedChains {
|
|
|
|
if len(chains) != 0 {
|
2019-04-04 20:53:13 +03:00
|
|
|
if verifyCertificate(chains[0]) {
|
2017-09-22 12:22:09 +03:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
2019-04-04 20:53:13 +03:00
|
|
|
return errors.New("client certificate authentication failed")
|
2017-09-22 12:22:09 +03:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2017-04-20 18:04:18 +03:00
|
|
|
// this only reloads certs when there's a client request
|
|
|
|
// TODO: support server-side refresh (e.g. inotify, SIGHUP), caching
|
2018-04-02 23:37:07 +03:00
|
|
|
cfg.GetCertificate = func(clientHello *tls.ClientHelloInfo) (cert *tls.Certificate, err error) {
|
|
|
|
cert, err = tlsutil.NewCert(info.CertFile, info.KeyFile, info.parseFunc)
|
|
|
|
if os.IsNotExist(err) {
|
2018-04-16 20:11:45 +03:00
|
|
|
if info.Logger != nil {
|
|
|
|
info.Logger.Warn(
|
|
|
|
"failed to find peer cert files",
|
|
|
|
zap.String("cert-file", info.CertFile),
|
|
|
|
zap.String("key-file", info.KeyFile),
|
|
|
|
zap.Error(err),
|
|
|
|
)
|
|
|
|
}
|
2018-04-02 23:37:07 +03:00
|
|
|
} else if err != nil {
|
2018-04-16 20:11:45 +03:00
|
|
|
if info.Logger != nil {
|
|
|
|
info.Logger.Warn(
|
|
|
|
"failed to create peer certificate",
|
|
|
|
zap.String("cert-file", info.CertFile),
|
|
|
|
zap.String("key-file", info.KeyFile),
|
|
|
|
zap.Error(err),
|
|
|
|
)
|
|
|
|
}
|
2018-04-02 23:37:07 +03:00
|
|
|
}
|
|
|
|
return cert, err
|
2017-04-20 18:04:18 +03:00
|
|
|
}
|
2018-04-02 23:37:07 +03:00
|
|
|
cfg.GetClientCertificate = func(unused *tls.CertificateRequestInfo) (cert *tls.Certificate, err error) {
|
|
|
|
cert, err = tlsutil.NewCert(info.CertFile, info.KeyFile, info.parseFunc)
|
|
|
|
if os.IsNotExist(err) {
|
2018-04-16 20:11:45 +03:00
|
|
|
if info.Logger != nil {
|
|
|
|
info.Logger.Warn(
|
|
|
|
"failed to find client cert files",
|
|
|
|
zap.String("cert-file", info.CertFile),
|
|
|
|
zap.String("key-file", info.KeyFile),
|
|
|
|
zap.Error(err),
|
|
|
|
)
|
|
|
|
}
|
2018-04-02 23:37:07 +03:00
|
|
|
} else if err != nil {
|
2018-04-16 20:11:45 +03:00
|
|
|
if info.Logger != nil {
|
|
|
|
info.Logger.Warn(
|
|
|
|
"failed to create client certificate",
|
|
|
|
zap.String("cert-file", info.CertFile),
|
|
|
|
zap.String("key-file", info.KeyFile),
|
|
|
|
zap.Error(err),
|
|
|
|
)
|
|
|
|
}
|
2018-04-02 23:37:07 +03:00
|
|
|
}
|
|
|
|
return cert, err
|
2017-04-20 18:04:18 +03:00
|
|
|
}
|
2014-10-15 23:08:59 +04:00
|
|
|
return cfg, nil
|
2014-09-23 19:54:24 +04:00
|
|
|
}
|
|
|
|
|
2015-03-13 08:26:46 +03:00
|
|
|
// cafiles returns a list of CA file paths.
|
|
|
|
func (info TLSInfo) cafiles() []string {
|
|
|
|
cs := make([]string, 0)
|
|
|
|
if info.TrustedCAFile != "" {
|
|
|
|
cs = append(cs, info.TrustedCAFile)
|
|
|
|
}
|
|
|
|
return cs
|
|
|
|
}
|
|
|
|
|
|
|
|
// ServerConfig generates a tls.Config object for use by an HTTP server.
|
2014-09-23 19:54:24 +04:00
|
|
|
func (info TLSInfo) ServerConfig() (*tls.Config, error) {
|
|
|
|
cfg, err := info.baseConfig()
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2014-09-23 03:48:12 +04:00
|
|
|
|
2015-03-13 08:26:46 +03:00
|
|
|
cfg.ClientAuth = tls.NoClientCert
|
2018-03-21 01:15:41 +03:00
|
|
|
if info.TrustedCAFile != "" || info.ClientCertAuth {
|
2014-09-23 03:48:12 +04:00
|
|
|
cfg.ClientAuth = tls.RequireAndVerifyClientCert
|
2015-03-13 08:26:46 +03:00
|
|
|
}
|
|
|
|
|
2018-03-21 01:15:41 +03:00
|
|
|
cs := info.cafiles()
|
|
|
|
if len(cs) > 0 {
|
|
|
|
cp, err := tlsutil.NewCertPool(cs)
|
2014-09-23 03:48:12 +04:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
cfg.ClientCAs = cp
|
|
|
|
}
|
|
|
|
|
2016-09-18 11:33:53 +03:00
|
|
|
// "h2" NextProtos is necessary for enabling HTTP2 for go's HTTP server
|
|
|
|
cfg.NextProtos = []string{"h2"}
|
|
|
|
|
2019-09-06 21:38:03 +03:00
|
|
|
// go1.13 enables TLS 1.3 by default
|
|
|
|
// and in TLS 1.3, cipher suites are not configurable
|
|
|
|
// setting Max TLS version to TLS 1.2 for go 1.13
|
|
|
|
cfg.MaxVersion = tls.VersionTLS12
|
|
|
|
|
2014-09-23 19:54:24 +04:00
|
|
|
return cfg, nil
|
|
|
|
}
|
|
|
|
|
2015-03-13 08:26:46 +03:00
|
|
|
// ClientConfig generates a tls.Config object for use by an HTTP client.
|
|
|
|
func (info TLSInfo) ClientConfig() (*tls.Config, error) {
|
|
|
|
var cfg *tls.Config
|
|
|
|
var err error
|
|
|
|
|
2014-11-06 23:10:04 +03:00
|
|
|
if !info.Empty() {
|
|
|
|
cfg, err = info.baseConfig()
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
} else {
|
2016-08-02 20:40:20 +03:00
|
|
|
cfg = &tls.Config{ServerName: info.ServerName}
|
2014-09-23 19:54:24 +04:00
|
|
|
}
|
2017-07-18 23:36:42 +03:00
|
|
|
cfg.InsecureSkipVerify = info.InsecureSkipVerify
|
2014-09-23 19:54:24 +04:00
|
|
|
|
2018-03-21 01:15:41 +03:00
|
|
|
cs := info.cafiles()
|
|
|
|
if len(cs) > 0 {
|
|
|
|
cfg.RootCAs, err = tlsutil.NewCertPool(cs)
|
2014-09-23 19:54:24 +04:00
|
|
|
if err != nil {
|
2015-03-13 08:26:46 +03:00
|
|
|
return nil, err
|
2014-09-23 19:54:24 +04:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2016-02-09 22:49:29 +03:00
|
|
|
if info.selfCert {
|
|
|
|
cfg.InsecureSkipVerify = true
|
|
|
|
}
|
2018-12-22 18:21:53 +03:00
|
|
|
|
|
|
|
if info.EmptyCN {
|
|
|
|
hasNonEmptyCN := false
|
|
|
|
cn := ""
|
|
|
|
tlsutil.NewCert(info.CertFile, info.KeyFile, func(certPEMBlock []byte, keyPEMBlock []byte) (tls.Certificate, error) {
|
|
|
|
var block *pem.Block
|
|
|
|
block, _ = pem.Decode(certPEMBlock)
|
|
|
|
cert, err := x509.ParseCertificate(block.Bytes)
|
|
|
|
if err != nil {
|
|
|
|
return tls.Certificate{}, err
|
|
|
|
}
|
|
|
|
if len(cert.Subject.CommonName) != 0 {
|
|
|
|
hasNonEmptyCN = true
|
|
|
|
cn = cert.Subject.CommonName
|
|
|
|
}
|
|
|
|
return tls.X509KeyPair(certPEMBlock, keyPEMBlock)
|
|
|
|
})
|
|
|
|
if hasNonEmptyCN {
|
|
|
|
return nil, fmt.Errorf("cert has non empty Common Name (%s)", cn)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-09-06 21:38:03 +03:00
|
|
|
// go1.13 enables TLS 1.3 by default
|
|
|
|
// and in TLS 1.3, cipher suites are not configurable
|
|
|
|
// setting Max TLS version to TLS 1.2 for go 1.13
|
|
|
|
cfg.MaxVersion = tls.VersionTLS12
|
|
|
|
|
2015-03-13 08:26:46 +03:00
|
|
|
return cfg, nil
|
2014-09-23 03:48:12 +04:00
|
|
|
}
|
2016-06-22 21:43:24 +03:00
|
|
|
|
2017-04-13 20:48:06 +03:00
|
|
|
// IsClosedConnError returns true if the error is from closing listener, cmux.
|
|
|
|
// copied from golang.org/x/net/http2/http2.go
|
|
|
|
func IsClosedConnError(err error) bool {
|
|
|
|
// 'use of closed network connection' (Go <=1.8)
|
|
|
|
// 'use of closed file or network connection' (Go >1.8, internal/poll.ErrClosing)
|
|
|
|
// 'mux: listener closed' (cmux.ErrListenerClosed)
|
|
|
|
return err != nil && strings.Contains(err.Error(), "closed")
|
|
|
|
}
|