tls

package

v0.2.9 Latest Latest Go to latest Published: Oct 19, 2024 License: MIT Imports: 16 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/go-gost/x

Links

Open Source Insights

Documentation ¶

Index ¶

Constants
Variables
func GenerateCertificate(serverName string, validity time.Duration, caCert *x509.Certificate, ...) (*x509.Certificate, error)
func LoadClientConfig(config *config.TLSConfig) (*tls.Config, error)
func LoadDefaultConfig(certFile, keyFile, caFile string) (*tls.Config, error)
func LoadServerConfig(config *config.TLSConfig) (*tls.Config, error)
func SetTLSOptions(cfg *tls.Config, opts *config.TLSOptions)
func WrapTLSClient(conn net.Conn, tlsConfig *tls.Config, timeout time.Duration) (net.Conn, error)
type CertPool
- func NewMemoryCertPool() CertPool
type CipherSuite
- func (cs CipherSuite) String() string
type Version
- func (ver Version) String() string

Constants ¶

View Source

const (
	VersionTLS10 = "VersionTLS10"
	VersionTLS11 = "VersionTLS11"
	VersionTLS12 = "VersionTLS12"
	VersionTLS13 = "VersionTLS13"
)

View Source

const (
	// TLS 1.0 - 1.2 cipher suites.
	TLS_RSA_WITH_RC4_128_SHA                      = "TLS_RSA_WITH_RC4_128_SHA"
	TLS_RSA_WITH_3DES_EDE_CBC_SHA                 = "TLS_RSA_WITH_3DES_EDE_CBC_SHA"
	TLS_RSA_WITH_AES_128_CBC_SHA                  = "TLS_RSA_WITH_AES_128_CBC_SHA"
	TLS_RSA_WITH_AES_256_CBC_SHA                  = "TLS_RSA_WITH_AES_256_CBC_SHA"
	TLS_RSA_WITH_AES_128_CBC_SHA256               = "TLS_RSA_WITH_AES_128_CBC_SHA256"
	TLS_RSA_WITH_AES_128_GCM_SHA256               = "TLS_RSA_WITH_AES_128_GCM_SHA256"
	TLS_RSA_WITH_AES_256_GCM_SHA384               = "TLS_RSA_WITH_AES_256_GCM_SHA384"
	TLS_ECDHE_ECDSA_WITH_RC4_128_SHA              = "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA"
	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA          = "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA"
	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA          = "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
	TLS_ECDHE_RSA_WITH_RC4_128_SHA                = "TLS_ECDHE_RSA_WITH_RC4_128_SHA"
	TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA           = "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA"
	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA            = "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA            = "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256       = "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"
	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256         = "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256         = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256       = "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384         = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
	TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384       = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
	TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256   = "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 = "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"

	// TLS 1.3 cipher suites.
	TLS_AES_128_GCM_SHA256       = "TLS_AES_128_GCM_SHA256"
	TLS_AES_256_GCM_SHA384       = "TLS_AES_256_GCM_SHA384"
	TLS_CHACHA20_POLY1305_SHA256 = "TLS_CHACHA20_POLY1305_SHA256"

	// TLS_FALLBACK_SCSV isn't a standard cipher suite but an indicator
	// that the client is doing version fallback. See RFC 7507.
	TLS_FALLBACK_SCSV = "TLS_FALLBACK_SCSV"
)

Cipher suites from https://pkg.go.dev/crypto/tls#pkg-constants

Variables ¶

View Source

var (
	ErrCertNotFound = errors.New("certificate not found")
)

Functions ¶

func GenerateCertificate ¶ added in v0.2.0

func GenerateCertificate(serverName string, validity time.Duration, caCert *x509.Certificate, caKey crypto.PrivateKey) (*x509.Certificate, error)

func LoadClientConfig ¶

func LoadClientConfig(config *config.TLSConfig) (*tls.Config, error)

LoadClientConfig loads the certificate from cert & key files and CA file.

func LoadDefaultConfig ¶

func LoadDefaultConfig(certFile, keyFile, caFile string) (*tls.Config, error)

LoadDefaultConfig loads the certificate from cert & key files and optional CA file.

func LoadServerConfig ¶

func LoadServerConfig(config *config.TLSConfig) (*tls.Config, error)

LoadServerConfig loads the certificate from cert & key files and client CA file.

func SetTLSOptions ¶

func SetTLSOptions(cfg *tls.Config, opts *config.TLSOptions)

func WrapTLSClient ¶

func WrapTLSClient(conn net.Conn, tlsConfig *tls.Config, timeout time.Duration) (net.Conn, error)

Wrap a net.Conn into a client tls connection, performing any additional verification as needed.

As of go 1.3, crypto/tls only supports either doing no certificate verification, or doing full verification including of the peer's DNS name. For consul, we want to validate that the certificate is signed by a known CA, but because consul doesn't use DNS names for node names, we don't verify the certificate DNS names. Since go 1.3 no longer supports this mode of operation, we have to do it manually.

This code is taken from consul: https://github.com/hashicorp/consul/blob/master/tlsutil/config.go

Types ¶

type CertPool ¶ added in v0.2.0

type CertPool interface {
	Get(serverName string) (*x509.Certificate, error)
	Put(serverName string, cert *x509.Certificate)
}

func NewMemoryCertPool ¶ added in v0.2.0

func NewMemoryCertPool() CertPool

type CipherSuite ¶ added in v0.1.17

type CipherSuite uint16

func (CipherSuite) String ¶ added in v0.1.17

func (cs CipherSuite) String() string

type Version ¶ added in v0.1.17

type Version uint16

func (Version) String ¶ added in v0.1.17

func (ver Version) String() string

Source Files ¶

View all Source files

tls.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL