MakeTLSClientConfig returns a tls.Config usable by a client to a backend. If there is no custom TLS configuration, a nil config may be returned.
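// makeTLSClientConfig returns a tls.Config usable by a client to a backend.
// If there is no custom TLS configuration, a nil config may be returned.
//
// The config is assembled from t's fields: the trusted root pool comes from
// the CA module loaded via CARaw (when set), the renegotiation policy from
// Renegotiation, the server-name override from ServerName (placeholders
// expanded with the replacer carried by ctx), and InsecureSkipVerify is
// copied through. It returns an error when the CA module fails to load or
// does not implement CA, and when Renegotiation is not one of "", "never",
// "once" or "freely". A result indistinguishable from an empty tls.Config
// is reported as (nil, nil) so the caller can keep library defaults.
func (t *TLSConfig) makeTLSClientConfig(ctx caddy.Context) (*tls.Config, error) {
	// Prefer the replacer attached to the context; fall back to a bare one
	// so placeholder expansion below never dereferences nil.
	repl, ok := ctx.Value(caddy.ReplacerCtxKey).(*caddy.Replacer)
	if !ok || repl == nil {
		repl = caddy.NewReplacer()
	}
	cfg := new(tls.Config)

	// trusted root CAs, supplied by a CA module
	if t.CARaw != nil {
		caMod, err := ctx.LoadModule(t, "CARaw")
		if err != nil {
			return nil, fmt.Errorf("loading CA module: %w", err)
		}
		// Checked assertion: a module that does not satisfy CA must surface
		// as a configuration error rather than a panic at provision time.
		ca, ok := caMod.(CA)
		if !ok {
			return nil, fmt.Errorf("CA module %T does not implement CA", caMod)
		}
		cfg.RootCAs = ca.CertPool()
	}

	// Renegotiation: "never" (also the default for an empty value) refuses
	// server-initiated renegotiation; "once" and "freely" progressively relax that.
	switch t.Renegotiation {
	case "never", "":
		cfg.Renegotiation = tls.RenegotiateNever
	case "once":
		cfg.Renegotiation = tls.RenegotiateOnceAsClient
	case "freely":
		cfg.Renegotiation = tls.RenegotiateFreelyAsClient
	default:
		return nil, fmt.Errorf("invalid TLS renegotiation level: %v", t.Renegotiation)
	}

	// override for the server name used to verify the TLS handshake; the
	// value must come from the user's configuration (t), not from cfg, whose
	// ServerName is still empty at this point and would make this a no-op
	cfg.ServerName = repl.ReplaceKnown(t.ServerName, "")

	// disables certificate verification entirely, so the backend's identity
	// is not checked at all; only sensible for testing and local development
	cfg.InsecureSkipVerify = t.InsecureSkipVerify

	// only return a config if it's not empty
	if reflect.DeepEqual(cfg, new(tls.Config)) {
		return nil, nil
	}

	return cfg, nil
}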
| 633 | |
| 634 | // The HTTPCertPool fetches the trusted root certificates from HTTP(S) |
| 635 | // endpoints. The TLS connection properties can be customized, including custom |