Documentation ¶
Index ¶
- Constants
- func LoadClientConfig(config *config.TLSConfig) (*tls.Config, error)
- func LoadDefaultConfig(certFile, keyFile, caFile string) (*tls.Config, error)
- func LoadServerConfig(config *config.TLSConfig) (*tls.Config, error)
- func SetTLSOptions(cfg *tls.Config, opts *config.TLSOptions)
- func WrapTLSClient(conn net.Conn, tlsConfig *tls.Config, timeout time.Duration) (net.Conn, error)
- type CipherSuite
- type Version
Constants ¶
const ( VersionTLS10 = "VersionTLS10" VersionTLS11 = "VersionTLS11" VersionTLS12 = "VersionTLS12" VersionTLS13 = "VersionTLS13" )
const ( // TLS 1.0 - 1.2 cipher suites. TLS_RSA_WITH_RC4_128_SHA = "TLS_RSA_WITH_RC4_128_SHA" TLS_RSA_WITH_3DES_EDE_CBC_SHA = "TLS_RSA_WITH_3DES_EDE_CBC_SHA" TLS_RSA_WITH_AES_128_CBC_SHA = "TLS_RSA_WITH_AES_128_CBC_SHA" TLS_RSA_WITH_AES_256_CBC_SHA = "TLS_RSA_WITH_AES_256_CBC_SHA" TLS_RSA_WITH_AES_128_CBC_SHA256 = "TLS_RSA_WITH_AES_128_CBC_SHA256" TLS_RSA_WITH_AES_128_GCM_SHA256 = "TLS_RSA_WITH_AES_128_GCM_SHA256" TLS_RSA_WITH_AES_256_GCM_SHA384 = "TLS_RSA_WITH_AES_256_GCM_SHA384" TLS_ECDHE_ECDSA_WITH_RC4_128_SHA = "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA" TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA = "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA" TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA = "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" TLS_ECDHE_RSA_WITH_RC4_128_SHA = "TLS_ECDHE_RSA_WITH_RC4_128_SHA" TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA = "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA" TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 = "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 = "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" // TLS 1.3 cipher suites. TLS_AES_128_GCM_SHA256 = "TLS_AES_128_GCM_SHA256" TLS_AES_256_GCM_SHA384 = "TLS_AES_256_GCM_SHA384" TLS_CHACHA20_POLY1305_SHA256 = "TLS_CHACHA20_POLY1305_SHA256" // TLS_FALLBACK_SCSV isn't a standard cipher suite but an indicator // that the client is doing version fallback. See RFC 7507. TLS_FALLBACK_SCSV = "TLS_FALLBACK_SCSV" )
Cipher suites from https://pkg.go.dev/crypto/tls#pkg-constants
Variables ¶
This section is empty.
Functions ¶
func LoadClientConfig ¶
LoadClientConfig loads the certificate from cert & key files and CA file.
func LoadDefaultConfig ¶
LoadDefaultConfig loads the certificate from cert & key files and optional CA file.
func LoadServerConfig ¶
LoadServerConfig loads the certificate from cert & key files and client CA file.
func SetTLSOptions ¶
func SetTLSOptions(cfg *tls.Config, opts *config.TLSOptions)
func WrapTLSClient ¶
Wrap a net.Conn into a client tls connection, performing any additional verification as needed.
As of go 1.3, crypto/tls only supports either doing no certificate verification, or doing full verification including of the peer's DNS name. For consul, we want to validate that the certificate is signed by a known CA, but because consul doesn't use DNS names for node names, we don't verify the certificate DNS names. Since go 1.3 no longer supports this mode of operation, we have to do it manually.
This code is taken from consul: https://github.com/hashicorp/consul/blob/master/tlsutil/config.go
Types ¶
type CipherSuite ¶ added in v0.1.17
type CipherSuite uint16
func (CipherSuite) String ¶ added in v0.1.17
func (cs CipherSuite) String() string