(t *testing.T, mTLS bool)
| 37 | ) |
| 38 | |
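// makeClientTLSConfig returns the client-side TLS configuration used by the
// tests in this file. It loads the server CA certificate from testdata into
// the root pool and, when mTLS is true, also loads the client1 key pair so the
// client presents a certificate to the server. Any failure to read or parse
// the test material fails the test immediately via t.Fatal.
//
// The returned config skips server certificate verification (see the comment
// on InsecureSkipVerify below), so it is suitable only for these tests.
func makeClientTLSConfig(t *testing.T, mTLS bool) *tls.Config {
	t.Helper()

	pemData, err := os.ReadFile(testdata.Path("x509/server_ca_cert.pem"))
	if err != nil {
		t.Fatal(err)
	}
	roots := x509.NewCertPool()
	// AppendCertsFromPEM reports whether at least one certificate was parsed.
	// Ignoring the result would leave an empty root pool unnoticed, which
	// would only surface later if verification were ever enabled.
	if !roots.AppendCertsFromPEM(pemData) {
		t.Fatal("failed to append any certificate from x509/server_ca_cert.pem to the root pool")
	}

	var certs []tls.Certificate
	if mTLS {
		cert, err := tls.LoadX509KeyPair(testdata.Path("x509/client1_cert.pem"), testdata.Path("x509/client1_key.pem"))
		if err != nil {
			t.Fatal(err)
		}
		certs = append(certs, cert)
	}

	return &tls.Config{
		Certificates: certs,
		RootCAs:      roots,
		ServerName:   "*.test.example.com",
		// InsecureSkipVerify set to true turns off certificate validation on
		// the client side completely, so the client-side handshake does not
		// fail on certificate grounds and RootCAs/ServerName are not used to
		// validate the server's certificate. Turning validation back on would
		// require certificates that are valid for localhost, or a custom
		// verification function. The server credentials tests therefore rely
		// solely on the success/failure of the server-side handshake.
		InsecureSkipVerify: true,
		NextProtos:         []string{"h2"},
	}
}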
| 72 | |
| 73 | // Helper function to create a real TLS server credentials which is used as |
| 74 | // fallback credentials from multiple tests. |