Documentation
Overview
Package tlsconfig provides primitives to retrieve secure-enough TLS configurations for both clients and servers.
As a reminder from https://golang.org/pkg/crypto/tls/#Config:
A Config structure is used to configure a TLS client or server. After one has been passed to a TLS function it must not be modified. A Config may be reused; the tls package will also not modify it.
Index
- Variables
- func Client(options Options) (*tls.Config, error)
- func ClientDefault(ops ...func(*tls.Config)) *tls.Config
- func IsErrEncryptedKey(err error) bool (deprecated)
- func Server(options Options) (*tls.Config, error)
- func ServerDefault(ops ...func(*tls.Config)) *tls.Config
- func SystemCertPool() (*x509.CertPool, error)
- type Options
Constants
This section is empty.
Variables
var DefaultServerAcceptedCiphers = append(clientCipherSuites, acceptedCBCCiphers...)
DefaultServerAcceptedCiphers should be used by code which already has a crypto/tls options struct but wants to use a commonly accepted set of TLS cipher suites, with known weak algorithms removed.
Functions
func ClientDefault(ops ...func(*tls.Config)) *tls.Config
ClientDefault returns a secure-enough TLS configuration for a TLS client.
func IsErrEncryptedKey(err error) bool (deprecated; added in v0.3.0)
IsErrEncryptedKey returns true if the 'err' is an error of incorrect password when trying to decrypt a TLS private key.
Deprecated: Use of encrypted TLS private keys has been deprecated, and will be removed in a future release. Golang has deprecated support for legacy PEM encryption (as specified in RFC 1423), as it is insecure by design (see https://go-review.googlesource.com/c/go/+/264159).
func ServerDefault(ops ...func(*tls.Config)) *tls.Config
ServerDefault returns a secure-enough TLS configuration for a TLS server.
func SystemCertPool() (*x509.CertPool, error) (added in v0.3.0)
SystemCertPool returns a copy of the system cert pool. It returns an error if the pool failed to load, or if the pool is empty on Windows.
Types
type Options
type Options struct {
	CAFile string
	// If either CertFile or KeyFile is empty, Client() will not load them
	// preventing the client from authenticating to the server.
	// However, Server() requires them and will error out if they are empty.
	CertFile string
	KeyFile  string
	// client-only option
	InsecureSkipVerify bool
	// server-only option
	ClientAuth tls.ClientAuthType
	// If ExclusiveRootPools is set, then if a CA file is provided, the root pool used for TLS
	// creds will include exclusively the roots in that CA file. If no CA file is provided,
	// the system pool will be used.
	ExclusiveRootPools bool
	MinVersion         uint16
	// If Passphrase is set, it will be used to decrypt a TLS private key
	// if the key is encrypted.
	//
	// Deprecated: Use of encrypted TLS private keys has been deprecated, and
	// will be removed in a future release. Golang has deprecated support for
	// legacy PEM encryption (as specified in RFC 1423), as it is insecure by
	// design (see https://go-review.googlesource.com/c/go/+/264159).
	Passphrase string
}
Options represents the information needed to create client and server TLS configurations.