Documentation ¶
Index ¶
- func CipherString(ciphers []uint16) (string, error)
- func GenerateCA(opts CAOpts) (string, string, error)
- func GenerateCert(opts CertOpts) (string, string, error)
- func GeneratePrivateKey() (crypto.Signer, string, error)
- func GenerateSerialNumber() (*big.Int, error)
- func LoadCAs(caFile, caPath string) ([]string, error)
- func ParseCiphers(cipherStr string) ([]uint16, error)
- func ParseSigner(pemValue string) (crypto.Signer, error)
- func Verify(caString, certString, dns string) error
- type ALPNWrapper
- type CAOpts
- type CertOpts
- type Config
- type Configurator
- func (c *Configurator) AuthorizeServerConn(dc string, conn *tls.Conn) error
- func (c *Configurator) AutoEncryptCert() *x509.Certificate
- func (c *Configurator) Base() Config
- func (c *Configurator) Cert() *tls.Certificate
- func (c *Configurator) IncomingALPNRPCConfig(alpnProtos []string) *tls.Config
- func (c *Configurator) IncomingHTTPSConfig() *tls.Config
- func (c *Configurator) IncomingInsecureRPCConfig() *tls.Config
- func (c *Configurator) IncomingRPCConfig() *tls.Config
- func (c *Configurator) IncomingXDSConfig() *tls.Config
- func (c *Configurator) ManualCAPems() []string
- func (c *Configurator) MutualTLSCapable() bool
- func (c *Configurator) OutgoingALPNRPCWrapper() ALPNWrapper
- func (c *Configurator) OutgoingRPCConfig() *tls.Config
- func (c *Configurator) OutgoingRPCWrapper() DCWrapper
- func (c *Configurator) OutgoingTLSConfigForCheck(skipVerify bool, serverName string) *tls.Config
- func (c *Configurator) ServerSNI(dc, nodeName string) string
- func (c *Configurator) Update(config Config) error
- func (c *Configurator) UpdateAreaPeerDatacenterUseTLS(peerDatacenter string, useTLS bool)
- func (c *Configurator) UpdateAutoTLS(manualCAPems, connectCAPems []string, pub, priv string, ...) error
- func (c *Configurator) UpdateAutoTLSCA(connectCAPems []string) error
- func (c *Configurator) UpdateAutoTLSCert(pub, priv string) error
- func (c *Configurator) UseTLS(dc string) bool
- func (c *Configurator) VerifyIncomingRPC() bool
- func (c *Configurator) VerifyServerHostname() bool
- type DCWrapper
- type Wrapper
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func CipherString ¶ added in v1.8.1
CipherString performs the inverse operation of ParseCiphers
func GenerateCA ¶ added in v1.5.2
GenerateCA generates a new CA for agent TLS (not to be confused with Connect TLS)
func GenerateCert ¶ added in v1.5.2
GenerateCert generates a new certificate for agent TLS (not to be confused with Connect TLS)
func GeneratePrivateKey ¶ added in v1.5.2
GeneratePrivateKey generates a new ecdsa private key
func GenerateSerialNumber ¶ added in v1.5.2
GenerateSerialNumber returns random bigint generated with crypto/rand
func ParseCiphers ¶ added in v0.8.2
ParseCiphers parse ciphersuites from the comma-separated string into recognized slice
func ParseSigner ¶ added in v1.5.2
ParseSigner parses a crypto.Signer from a PEM-encoded key. The private key is expected to be the first block in the PEM value.
Types ¶
type ALPNWrapper ¶ added in v1.8.0
ALPNWrapper is a function that is used to wrap a non-TLS connection and returns an appropriate TLS connection or error. This taks a datacenter and node name as argument to configure the desired SNI value and the desired next proto for configuring ALPN.
type Config ¶
type Config struct { // VerifyIncoming is used to verify the authenticity of incoming // connections. This means that TCP requests are forbidden, only // allowing for TLS. TLS connections must match a provided certificate // authority. This can be used to force client auth. VerifyIncoming bool // VerifyIncomingRPC is used to verify the authenticity of incoming RPC // connections. This means that TCP requests are forbidden, only // allowing for TLS. TLS connections must match a provided certificate // authority. This can be used to force client auth. VerifyIncomingRPC bool // VerifyIncomingHTTPS is used to verify the authenticity of incoming // HTTPS connections. This means that TCP requests are forbidden, only // allowing for TLS. TLS connections must match a provided certificate // authority. This can be used to force client auth. VerifyIncomingHTTPS bool // VerifyOutgoing is used to verify the authenticity of outgoing // connections. This means that TLS requests are used, and TCP // requests are not made. TLS connections must match a provided // certificate authority. This is used to verify authenticity of server // nodes. VerifyOutgoing bool // VerifyServerHostname is used to enable hostname verification of // servers. This ensures that the certificate presented is valid for // server.<datacenter>.<domain>. This prevents a compromised client // from being restarted as a server, and then intercepting request // traffic as well as being added as a raft peer. This should be // enabled by default with VerifyOutgoing, but for legacy reasons we // cannot break existing clients. VerifyServerHostname bool // CAFile is a path to a certificate authority file. This is used with // VerifyIncoming or VerifyOutgoing to verify the TLS connection. CAFile string // CAPath is a path to a directory containing certificate authority // files. This is used with VerifyIncoming or VerifyOutgoing to verify // the TLS connection. CAPath string // CertFile is used to provide a TLS certificate that is used for // serving TLS connections. Must be provided to serve TLS connections. CertFile string // KeyFile is used to provide a TLS key that is used for serving TLS // connections. Must be provided to serve TLS connections. KeyFile string // Node name is the name we use to advertise. Defaults to hostname. NodeName string // ServerName is used with the TLS certificate to ensure the name we // provide matches the certificate ServerName string // Domain is the Consul TLD being used. Defaults to "consul." Domain string // TLSMinVersion is the minimum accepted TLS version that can be used. TLSMinVersion string // CipherSuites is the list of TLS cipher suites to use. CipherSuites []uint16 // PreferServerCipherSuites specifies whether to prefer the server's // ciphersuite over the client ciphersuites. PreferServerCipherSuites bool // EnableAgentTLSForChecks is used to apply the agent's TLS settings in // order to configure the HTTP client used for health checks. Enabling // this allows HTTP checks to present a client certificate and verify // the server using the same TLS configuration as the agent (CA, cert, // and key). EnableAgentTLSForChecks bool // AutoTLS opts the agent into provisioning agent // TLS certificates. AutoTLS bool }
Config used to create tls.Config
type Configurator ¶ added in v1.4.3
type Configurator struct {
// contains filtered or unexported fields
}
Configurator provides tls.Config and net.Dial wrappers to enable TLS for clients and servers, for both HTTPS and RPC requests. Configurator receives an initial TLS configuration from agent configuration, and receives updates from config reloads, auto-encrypt, and auto-config.
func NewConfigurator ¶ added in v1.4.3
func NewConfigurator(config Config, logger hclog.Logger) (*Configurator, error)
NewConfigurator creates a new Configurator and sets the provided configuration.
func (*Configurator) AuthorizeServerConn ¶ added in v1.8.15
func (c *Configurator) AuthorizeServerConn(dc string, conn *tls.Conn) error
AuthorizeServerConn is used to validate that the connection is being established by a Consul server in the same datacenter.
The identity of the connection is checked by verifying that the certificate presented is signed by the Agent TLS CA, and has a DNSName that matches the local ServerSNI name.
Note this check is only performed if VerifyServerHostname is enabled, otherwise it does no authorization.
func (*Configurator) AutoEncryptCert ¶ added in v1.11.0
func (c *Configurator) AutoEncryptCert() *x509.Certificate
AutoEncryptCert returns the TLS certificate received from auto-encrypt.
func (*Configurator) Base ¶ added in v1.5.2
func (c *Configurator) Base() Config
func (*Configurator) Cert ¶ added in v1.7.0
func (c *Configurator) Cert() *tls.Certificate
This function acquires a read lock because it reads from the config.
func (*Configurator) IncomingALPNRPCConfig ¶ added in v1.8.0
func (c *Configurator) IncomingALPNRPCConfig(alpnProtos []string) *tls.Config
IncomingALPNRPCConfig generates a *tls.Config for incoming RPC connections directly using TLS with ALPN instead of the older byte-prefixed protocol.
func (*Configurator) IncomingHTTPSConfig ¶ added in v1.4.3
func (c *Configurator) IncomingHTTPSConfig() *tls.Config
IncomingHTTPSConfig generates a *tls.Config for incoming HTTPS connections.
func (*Configurator) IncomingInsecureRPCConfig ¶ added in v1.5.2
func (c *Configurator) IncomingInsecureRPCConfig() *tls.Config
IncomingInsecureRPCConfig means that it doesn't verify incoming even thought it might have been configured. This is only supposed to be used by the servers for the insecure RPC server. At the time of writing only the AutoEncrypt.Sign call is supported on that server. And it might be the only usecase ever.
func (*Configurator) IncomingRPCConfig ¶ added in v1.4.3
func (c *Configurator) IncomingRPCConfig() *tls.Config
IncomingRPCConfig generates a *tls.Config for incoming RPC connections.
func (*Configurator) IncomingXDSConfig ¶
func (c *Configurator) IncomingXDSConfig() *tls.Config
IncomingXDSConfig generates a *tls.Config for incoming xDS connections.
func (*Configurator) ManualCAPems ¶ added in v1.5.2
func (c *Configurator) ManualCAPems() []string
ManualCAPems returns the currently loaded CAs in PEM format.
func (*Configurator) MutualTLSCapable ¶ added in v1.8.0
func (c *Configurator) MutualTLSCapable() bool
MutualTLSCapable returns true if Configurator has a CA and a local TLS certificate configured.
func (*Configurator) OutgoingALPNRPCWrapper ¶ added in v1.8.0
func (c *Configurator) OutgoingALPNRPCWrapper() ALPNWrapper
OutgoingALPNRPCWrapper wraps the result of outgoingALPNRPCConfig in an ALPNWrapper. It configures all of the negotiation plumbing.
func (*Configurator) OutgoingRPCConfig ¶ added in v1.4.3
func (c *Configurator) OutgoingRPCConfig() *tls.Config
OutgoingRPCConfig generates a *tls.Config for outgoing RPC connections. If there is a CA or VerifyOutgoing is set, a *tls.Config will be provided, otherwise we assume that no TLS should be used.
func (*Configurator) OutgoingRPCWrapper ¶ added in v1.4.3
func (c *Configurator) OutgoingRPCWrapper() DCWrapper
OutgoingRPCWrapper wraps the result of OutgoingRPCConfig in a DCWrapper. It decides if verify server hostname should be used.
func (*Configurator) OutgoingTLSConfigForCheck ¶ added in v1.4.3
func (c *Configurator) OutgoingTLSConfigForCheck(skipVerify bool, serverName string) *tls.Config
OutgoingTLSConfigForCheck generates a *tls.Config for outgoing TLS connections for checks. This function is separated because there is an extra flag to consider for checks. EnableAgentTLSForChecks and InsecureSkipVerify has to be checked for checks.
func (*Configurator) ServerSNI ¶ added in v1.8.0
func (c *Configurator) ServerSNI(dc, nodeName string) string
func (*Configurator) Update ¶ added in v1.4.3
func (c *Configurator) Update(config Config) error
Update updates the internal configuration which is used to generate *tls.Config. This function acquires a write lock because it writes the new config.
func (*Configurator) UpdateAreaPeerDatacenterUseTLS ¶ added in v1.7.3
func (c *Configurator) UpdateAreaPeerDatacenterUseTLS(peerDatacenter string, useTLS bool)
func (*Configurator) UpdateAutoTLS ¶ added in v1.8.1
func (c *Configurator) UpdateAutoTLS(manualCAPems, connectCAPems []string, pub, priv string, verifyServerHostname bool) error
UpdateAutoTLS receives updates from Auto-Config, only expected to be called on client agents.
func (*Configurator) UpdateAutoTLSCA ¶ added in v1.8.1
func (c *Configurator) UpdateAutoTLSCA(connectCAPems []string) error
UpdateAutoTLSCA updates the autoEncrypt.caPems. This is supposed to be called from the server in order to be able to accept TLS connections with TLS certificates. Or it is being called on the client side when CA changes are detected.
func (*Configurator) UpdateAutoTLSCert ¶ added in v1.8.1
func (c *Configurator) UpdateAutoTLSCert(pub, priv string) error
UpdateAutoTLSCert receives the updated Auto-Encrypt certificate.
func (*Configurator) UseTLS ¶ added in v1.7.3
func (c *Configurator) UseTLS(dc string) bool
UseTLS returns true if the outgoing RPC requests have been explicitly configured to use TLS (via VerifyOutgoing or AutoTLS, and the target DC supports TLS.
func (*Configurator) VerifyIncomingRPC ¶ added in v1.5.2
func (c *Configurator) VerifyIncomingRPC() bool
VerifyIncomingRPC returns true if the configuration has enabled either VerifyIncoming, or VerifyIncomingRPC
func (*Configurator) VerifyServerHostname ¶ added in v1.5.2
func (c *Configurator) VerifyServerHostname() bool
This function acquires a read lock because it reads from the config.
type DCWrapper ¶ added in v0.5.1
DCWrapper is a function that is used to wrap a non-TLS connection and returns an appropriate TLS connection or error. This takes a datacenter as an argument.
type Wrapper ¶ added in v0.5.1
Wrapper is a variant of DCWrapper, where the DC is provided as a constant value. This is usually done by currying DCWrapper.
func SpecificDC ¶ added in v0.5.1
SpecificDC is used to invoke a static datacenter and turns a DCWrapper into a Wrapper type.