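configureServerTLS returns the TLS config that the Coderd server uses for its connections to clients. A logger is passed in so that warning messages which do not block startup can be printed. In the listing below, the minimum-version switch still accepts "tls10" and "tls11" alongside "tls12" and "tls13", and a self-signed certificate is generated when loadCertificates returns no certificates.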
(ctx context.Context, logger slog.Logger, tlsMinVersion, tlsClientAuth string, tlsCertFiles, tlsKeyFiles []string, tlsClientCAFile string, ciphers []string, allowInsecureCiphers bool)
| 1763 | // connections to clients. A logger is passed in to allow printing warning |
| 1764 | // messages that do not block startup. |
| 1765 | func configureServerTLS(ctx context.Context, logger slog.Logger, tlsMinVersion, tlsClientAuth string, tlsCertFiles, tlsKeyFiles []string, tlsClientCAFile string, ciphers []string, allowInsecureCiphers bool) (*tls.Config, error) { |
| 1766 | tlsConfig := &tls.Config{ |
| 1767 | MinVersion: tls.VersionTLS12, |
| 1768 | NextProtos: []string{"h2", "http/1.1"}, |
| 1769 | } |
| 1770 | switch tlsMinVersion { |
| 1771 | case "tls10": |
| 1772 | tlsConfig.MinVersion = tls.VersionTLS10 |
| 1773 | case "tls11": |
| 1774 | tlsConfig.MinVersion = tls.VersionTLS11 |
| 1775 | case "tls12": |
| 1776 | tlsConfig.MinVersion = tls.VersionTLS12 |
| 1777 | case "tls13": |
| 1778 | tlsConfig.MinVersion = tls.VersionTLS13 |
| 1779 | default: |
| 1780 | return nil, xerrors.Errorf("unrecognized tls version: %q", tlsMinVersion) |
| 1781 | } |
| 1782 | |
| 1783 | // A custom set of supported ciphers. |
| 1784 | if len(ciphers) > 0 { |
| 1785 | cipherIDs, err := configureCipherSuites(ctx, logger, ciphers, allowInsecureCiphers, tlsConfig.MinVersion, tls.VersionTLS13) |
| 1786 | if err != nil { |
| 1787 | return nil, err |
| 1788 | } |
| 1789 | tlsConfig.CipherSuites = cipherIDs |
| 1790 | } else { |
| 1791 | tlsConfig.CipherSuites = defaultCipherSuites |
| 1792 | } |
| 1793 | |
| 1794 | switch tlsClientAuth { |
| 1795 | case "none": |
| 1796 | tlsConfig.ClientAuth = tls.NoClientCert |
| 1797 | case "request": |
| 1798 | tlsConfig.ClientAuth = tls.RequestClientCert |
| 1799 | case "require-any": |
| 1800 | tlsConfig.ClientAuth = tls.RequireAnyClientCert |
| 1801 | case "verify-if-given": |
| 1802 | tlsConfig.ClientAuth = tls.VerifyClientCertIfGiven |
| 1803 | case "require-and-verify": |
| 1804 | tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert |
| 1805 | default: |
| 1806 | return nil, xerrors.Errorf("unrecognized tls client auth: %q", tlsClientAuth) |
| 1807 | } |
| 1808 | |
| 1809 | certs, err := loadCertificates(tlsCertFiles, tlsKeyFiles) |
| 1810 | if err != nil { |
| 1811 | return nil, xerrors.Errorf("load certificates: %w", err) |
| 1812 | } |
| 1813 | if len(certs) == 0 { |
| 1814 | selfSignedCertificate, err := generateSelfSignedCertificate() |
| 1815 | if err != nil { |
| 1816 | return nil, xerrors.Errorf("generate self signed certificate: %w", err) |
| 1817 | } |
| 1818 | certs = append(certs, *selfSignedCertificate) |
| 1819 | } |
| 1820 | |
| 1821 | tlsConfig.Certificates = certs |
| 1822 | tlsConfig.GetCertificate = func(hi *tls.ClientHelloInfo) (*tls.Certificate, error) { |