| 314 | } |
| 315 | |
| 316 | func (o *Options) serverConfig() (*tls.Config, error) { |
| 317 | if o.RequireClientCert && o.VerificationType == SkipVerification && o.AdditionalPeerVerification == nil { |
| 318 | return nil, fmt.Errorf("server needs to provide custom verification mechanism if choose to skip default verification, but require client certificate(s)") |
| 319 | } |
| 320 | // If the MinTLSVersion isn't set, default to 1.2 |
| 321 | if o.MinTLSVersion == 0 { |
| 322 | o.MinTLSVersion = tls.VersionTLS12 |
| 323 | } |
| 324 | // If the MaxTLSVersion isn't set, default to 1.3 |
| 325 | if o.MaxTLSVersion == 0 { |
| 326 | o.MaxTLSVersion = tls.VersionTLS13 |
| 327 | } |
| 328 | // Make sure users didn't specify more than one fields in |
| 329 | // RootCertificateOptions and IdentityCertificateOptions. |
| 330 | if num := o.RootOptions.nonNilFieldCount(); num > 1 { |
| 331 | return nil, fmt.Errorf("at most one field in RootCertificateOptions could be specified") |
| 332 | } |
| 333 | if num := o.IdentityOptions.nonNilFieldCount(); num > 1 { |
| 334 | return nil, fmt.Errorf("at most one field in IdentityCertificateOptions could be specified") |
| 335 | } |
| 336 | if o.IdentityOptions.GetIdentityCertificatesForClient != nil { |
| 337 | return nil, fmt.Errorf("GetIdentityCertificatesForClient cannot be specified on the server side") |
| 338 | } |
| 339 | if o.MinTLSVersion > o.MaxTLSVersion { |
| 340 | return nil, fmt.Errorf("the minimum TLS version is larger than the maximum TLS version") |
| 341 | } |
| 342 | clientAuth := tls.NoClientCert |
| 343 | if o.RequireClientCert { |
| 344 | // We have to set clientAuth to RequireAnyClientCert to force underlying |
| 345 | // TLS package to use the verification function we built from |
| 346 | // buildVerifyFunc. |
| 347 | clientAuth = tls.RequireAnyClientCert |
| 348 | } |
| 349 | config := &tls.Config{ |
| 350 | ClientAuth: clientAuth, |
| 351 | MinVersion: o.MinTLSVersion, |
| 352 | MaxVersion: o.MaxTLSVersion, |
| 353 | CipherSuites: o.CipherSuites, |
| 354 | } |
| 355 | // Propagate root-certificate-related fields in tls.Config. |
| 356 | switch { |
| 357 | case o.RootOptions.RootCertificates != nil: |
| 358 | config.ClientCAs = o.RootOptions.RootCertificates |
| 359 | case o.RootOptions.GetRootCertificates != nil: |
| 360 | // In cases when users provide GetRootCertificates callback, since this |
| 361 | // callback is not contained in tls.Config, we have nothing to set here. |
| 362 | // We will invoke the callback in ServerHandshake. |
| 363 | case o.RootOptions.RootProvider != nil: |
| 364 | o.RootOptions.GetRootCertificates = func(*ConnectionInfo) (*RootCertificates, error) { |
| 365 | km, err := o.RootOptions.RootProvider.KeyMaterial(context.Background()) |
| 366 | if err != nil { |
| 367 | return nil, err |
| 368 | } |
| 369 | return &RootCertificates{TrustCerts: km.Roots}, nil |
| 370 | } |
| 371 | default: |
| 372 | // No root certificate options specified by user. Use the certificates |
| 373 | // stored in system default path as the last resort. |