TLSConfigFor returns a tls.Config that will provide the transport level security defined by the provided Config. It returns a nil *tls.Config (and a nil error) when the Config requests no transport level security at all — no CA data, no client certificate or certificate callback, no insecure flag and no server name. It returns an error if a root CA is specified together with the insecure flag, since the two settings contradict each other.
(c *Config)
| 53 | // TLSConfigFor returns a tls.Config that will provide the transport level security defined |
| 54 | // by the provided Config. Will return nil if no transport level security is requested. |
| 55 | func TLSConfigFor(c *Config) (*tls.Config, error) { |
| 56 | if !(c.HasCA() || c.HasCertAuth() || c.HasCertCallback() || c.TLS.Insecure || len(c.TLS.ServerName) > 0) { |
| 57 | return nil, nil |
| 58 | } |
| 59 | if c.HasCA() && c.TLS.Insecure { |
| 60 | return nil, fmt.Errorf("specifying a root certificates file with the insecure flag is not allowed") |
| 61 | } |
| 62 | if err := loadTLSFiles(c); err != nil { |
| 63 | return nil, err |
| 64 | } |
| 65 | |
| 66 | tlsConfig := &tls.Config{ |
| 67 | // Can't use SSLv3 because of POODLE and BEAST |
| 68 | // Can't use TLSv1.0 because of POODLE and BEAST using CBC cipher |
| 69 | // Can't use TLSv1.1 because of RC4 cipher usage |
| 70 | MinVersion: tls.VersionTLS12, |
| 71 | InsecureSkipVerify: c.TLS.Insecure, |
| 72 | ServerName: c.TLS.ServerName, |
| 73 | } |
| 74 | |
| 75 | if c.HasCA() { |
| 76 | tlsConfig.RootCAs = rootCertPool(c.TLS.CAData) |
| 77 | } |
| 78 | |
| 79 | var staticCert *tls.Certificate |
| 80 | if c.HasCertAuth() { |
| 81 | // If key/cert were provided, verify them before setting up |
| 82 | // tlsConfig.GetClientCertificate. |
| 83 | cert, err := tls.X509KeyPair(c.TLS.CertData, c.TLS.KeyData) |
| 84 | if err != nil { |
| 85 | return nil, err |
| 86 | } |
| 87 | staticCert = &cert |
| 88 | } |
| 89 | |
| 90 | if c.HasCertAuth() || c.HasCertCallback() { |
| 91 | tlsConfig.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { |
| 92 | // Note: static key/cert data always take precedence over cert |
| 93 | // callback. |
| 94 | if staticCert != nil { |
| 95 | return staticCert, nil |
| 96 | } |
| 97 | if c.HasCertCallback() { |
| 98 | cert, err := c.TLS.GetCert() |
| 99 | if err != nil { |
| 100 | return nil, err |
| 101 | } |
| 102 | // GetCert may return empty value, meaning no cert. |
| 103 | if cert != nil { |
| 104 | return cert, nil |
| 105 | } |
| 106 | } |
| 107 | |
| 108 | // Both c.TLS.CertData/KeyData were unset and GetCert didn't return |
| 109 | // anything. Return an empty tls.Certificate, no client cert will |
| 110 | // be sent to the server. |
| 111 | return &tls.Certificate{}, nil |
| 112 | } |