| 166 | } |
| 167 | |
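// ServerHandshake performs the server side of the TLS handshake on rawConn
// using c.config and returns the TLS-wrapped connection together with the
// TLSInfo describing the established session.
//
// On handshake failure the TLS connection is closed and the handshake error
// is returned. If the client negotiated no ALPN protocol, the connection is
// rejected when envconfig.EnforceALPNEnabled is set (ALPN is required for
// HTTP/2 over TLS); otherwise it is allowed, with a V(2) log line.
//
// No deadline is applied to the handshake here; a caller that needs to bound
// how long a peer may take to complete it must set one on rawConn first.
func (c *tlsCreds) ServerHandshake(rawConn net.Conn) (net.Conn, AuthInfo, error) {
	conn := tls.Server(rawConn, c.config)
	if err := conn.Handshake(); err != nil {
		// Best-effort close on an already failed handshake; the handshake
		// error is the one worth reporting, so the Close error is dropped.
		conn.Close()
		return nil, nil, err
	}
	// ConnectionState returns a copy of the session state; take it once and
	// reuse it for both the ALPN check and the SPIFFE ID lookup below.
	cs := conn.ConnectionState()
	// The negotiated application protocol can be empty only if the client doesn't
	// support ALPN. In such cases, we can close the connection since ALPN is required
	// for using HTTP/2 over TLS.
	if cs.NegotiatedProtocol == "" {
		if envconfig.EnforceALPNEnabled {
			conn.Close()
			return nil, nil, fmt.Errorf("credentials: cannot check peer: missing selected ALPN property. %s", alpnFailureHelpMessage)
		}
		if logger.V(2) {
			logger.Info("Allowing TLS connection from client with ALPN disabled. TLS connections with ALPN disabled will be disallowed in future grpc-go releases")
		}
	}
	tlsInfo := TLSInfo{
		State: cs,
		CommonAuthInfo: CommonAuthInfo{
			SecurityLevel: PrivacyAndIntegrity,
		},
	}
	// Attach the peer's SPIFFE ID when SPIFFEIDFromState finds one in the
	// session state, so authorization layers can use it without re-parsing.
	if id := credinternal.SPIFFEIDFromState(cs); id != nil {
		tlsInfo.SPIFFEID = id
	}
	return credinternal.WrapSyscallConn(rawConn, conn), tlsInfo, nil
}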
| 198 | |
| 199 | func (c *tlsCreds) Clone() TransportCredentials { |
| 200 | return NewTLS(c.config) |