
Function configureServerTLS

cli/server.go:1765–1849  ·  view source on GitHub ↗

configureServerTLS returns the TLS config used for the Coderd server connections to clients. A logger is passed in to allow printing warning messages that do not block startup.

(ctx context.Context, logger slog.Logger, tlsMinVersion, tlsClientAuth string, tlsCertFiles, tlsKeyFiles []string, tlsClientCAFile string, ciphers []string, allowInsecureCiphers bool)


1763// connections to clients. A logger is passed in to allow printing warning
1764// messages that do not block startup.
1765func configureServerTLS(ctx context.Context, logger slog.Logger, tlsMinVersion, tlsClientAuth string, tlsCertFiles, tlsKeyFiles []string, tlsClientCAFile string, ciphers []string, allowInsecureCiphers bool) (*tls.Config, error) {
1766 tlsConfig := &tls.Config{
1767 MinVersion: tls.VersionTLS12,
1768 NextProtos: []string{"h2", "http/1.1"},
1769 }
1770 switch tlsMinVersion {
1771 case "tls10":
1772 tlsConfig.MinVersion = tls.VersionTLS10
1773 case "tls11":
1774 tlsConfig.MinVersion = tls.VersionTLS11
1775 case "tls12":
1776 tlsConfig.MinVersion = tls.VersionTLS12
1777 case "tls13":
1778 tlsConfig.MinVersion = tls.VersionTLS13
1779 default:
1780 return nil, xerrors.Errorf("unrecognized tls version: %q", tlsMinVersion)
1781 }
1782
1783 // A custom set of supported ciphers.
1784 if len(ciphers) > 0 {
1785 cipherIDs, err := configureCipherSuites(ctx, logger, ciphers, allowInsecureCiphers, tlsConfig.MinVersion, tls.VersionTLS13)
1786 if err != nil {
1787 return nil, err
1788 }
1789 tlsConfig.CipherSuites = cipherIDs
1790 } else {
1791 tlsConfig.CipherSuites = defaultCipherSuites
1792 }
1793
1794 switch tlsClientAuth {
1795 case "none":
1796 tlsConfig.ClientAuth = tls.NoClientCert
1797 case "request":
1798 tlsConfig.ClientAuth = tls.RequestClientCert
1799 case "require-any":
1800 tlsConfig.ClientAuth = tls.RequireAnyClientCert
1801 case "verify-if-given":
1802 tlsConfig.ClientAuth = tls.VerifyClientCertIfGiven
1803 case "require-and-verify":
1804 tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
1805 default:
1806 return nil, xerrors.Errorf("unrecognized tls client auth: %q", tlsClientAuth)
1807 }
1808
1809 certs, err := loadCertificates(tlsCertFiles, tlsKeyFiles)
1810 if err != nil {
1811 return nil, xerrors.Errorf("load certificates: %w", err)
1812 }
1813 if len(certs) == 0 {
1814 selfSignedCertificate, err := generateSelfSignedCertificate()
1815 if err != nil {
1816 return nil, xerrors.Errorf("generate self signed certificate: %w", err)
1817 }
1818 certs = append(certs, *selfSignedCertificate)
1819 }
1820
1821 tlsConfig.Certificates = certs
1822 tlsConfig.GetCertificate = func(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {

Callers 2

ConfigureHTTPServersFunction · 0.85
Test_configureServerTLSFunction · 0.85

Calls 5

configureCipherSuitesFunction · 0.85
loadCertificatesFunction · 0.85
configureCAPoolFunction · 0.85
ErrorfMethod · 0.45

Tested by 1

Test_configureServerTLSFunction · 0.68