tlsutil

package
v1.4.3 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Mar 4, 2019 License: MPL-2.0 Imports: 8 Imported by: 513

Documentation

Index

Constants

This section is empty.

Variables

View Source
var TLSLookup = map[string]uint16{
	"tls10": tls.VersionTLS10,
	"tls11": tls.VersionTLS11,
	"tls12": tls.VersionTLS12,
}

TLSLookup maps the tls_min_version configuration to the internal value

Functions

func ParseCiphers added in v0.8.2

func ParseCiphers(cipherStr string) ([]uint16, error)

ParseCiphers parse ciphersuites from the comma-separated string into recognized slice

Types

type Config

type Config struct {
	// VerifyIncoming is used to verify the authenticity of incoming connections.
	// This means that TCP requests are forbidden, only allowing for TLS. TLS connections
	// must match a provided certificate authority. This can be used to force client auth.
	VerifyIncoming bool

	// VerifyIncomingRPC is used to verify the authenticity of incoming RPC connections.
	// This means that TCP requests are forbidden, only allowing for TLS. TLS connections
	// must match a provided certificate authority. This can be used to force client auth.
	VerifyIncomingRPC bool

	// VerifyIncomingHTTPS is used to verify the authenticity of incoming HTTPS connections.
	// This means that TCP requests are forbidden, only allowing for TLS. TLS connections
	// must match a provided certificate authority. This can be used to force client auth.
	VerifyIncomingHTTPS bool

	// VerifyOutgoing is used to verify the authenticity of outgoing connections.
	// This means that TLS requests are used, and TCP requests are not made. TLS connections
	// must match a provided certificate authority. This is used to verify authenticity of
	// server nodes.
	VerifyOutgoing bool

	// VerifyServerHostname is used to enable hostname verification of servers. This
	// ensures that the certificate presented is valid for server.<datacenter>.<domain>.
	// This prevents a compromised client from being restarted as a server, and then
	// intercepting request traffic as well as being added as a raft peer. This should be
	// enabled by default with VerifyOutgoing, but for legacy reasons we cannot break
	// existing clients.
	VerifyServerHostname bool

	// UseTLS is used to enable outgoing TLS connections to Consul servers.
	UseTLS bool

	// CAFile is a path to a certificate authority file. This is used with VerifyIncoming
	// or VerifyOutgoing to verify the TLS connection.
	CAFile string

	// CAPath is a path to a directory containing certificate authority files. This is used
	// with VerifyIncoming or VerifyOutgoing to verify the TLS connection.
	CAPath string

	// CertFile is used to provide a TLS certificate that is used for serving TLS connections.
	// Must be provided to serve TLS connections.
	CertFile string

	// KeyFile is used to provide a TLS key that is used for serving TLS connections.
	// Must be provided to serve TLS connections.
	KeyFile string

	// Node name is the name we use to advertise. Defaults to hostname.
	NodeName string

	// ServerName is used with the TLS certificate to ensure the name we
	// provide matches the certificate
	ServerName string

	// Domain is the Consul TLD being used. Defaults to "consul."
	Domain string

	// TLSMinVersion is the minimum accepted TLS version that can be used.
	TLSMinVersion string

	// CipherSuites is the list of TLS cipher suites to use.
	CipherSuites []uint16

	// PreferServerCipherSuites specifies whether to prefer the server's ciphersuite
	// over the client ciphersuites.
	PreferServerCipherSuites bool

	// EnableAgentTLSForChecks is used to apply the agent's TLS settings in
	// order to configure the HTTP client used for health checks. Enabling
	// this allows HTTP checks to present a client certificate and verify
	// the server using the same TLS configuration as the agent (CA, cert,
	// and key).
	EnableAgentTLSForChecks bool
}

Config used to create tls.Config

func (*Config) KeyPair

func (c *Config) KeyPair() (*tls.Certificate, error)

KeyPair is used to open and parse a certificate and key file

type Configurator added in v1.4.3

type Configurator struct {
	sync.Mutex
	// contains filtered or unexported fields
}

Configurator holds a Config and is responsible for generating all the *tls.Config necessary for Consul. Except the one in the api package.

func NewConfigurator added in v1.4.3

func NewConfigurator(config *Config) *Configurator

NewConfigurator creates a new Configurator and sets the provided configuration. Todo (Hans): should config be a value instead a pointer to avoid side effects?

func (*Configurator) AddCheck added in v1.4.3

func (c *Configurator) AddCheck(id string, skipVerify bool)

AddCheck adds a check to the internal check map together with the skipVerify value, which is used when generating a *tls.Config for this check.

func (*Configurator) IncomingHTTPSConfig added in v1.4.3

func (c *Configurator) IncomingHTTPSConfig() (*tls.Config, error)

IncomingHTTPSConfig generates a *tls.Config for incoming HTTPS connections.

func (*Configurator) IncomingRPCConfig added in v1.4.3

func (c *Configurator) IncomingRPCConfig() (*tls.Config, error)

IncomingRPCConfig generates a *tls.Config for incoming RPC connections.

func (*Configurator) OutgoingRPCConfig added in v1.4.3

func (c *Configurator) OutgoingRPCConfig() (*tls.Config, error)

OutgoingRPCConfig generates a *tls.Config for outgoing RPC connections. If there is a CA or VerifyOutgoing is set, a *tls.Config will be provided, otherwise we assume that no TLS should be used.

func (*Configurator) OutgoingRPCWrapper added in v1.4.3

func (c *Configurator) OutgoingRPCWrapper() (DCWrapper, error)

OutgoingRPCWrapper wraps the result of OutgoingRPCConfig in a DCWrapper. It decides if verify server hostname should be used.

func (*Configurator) OutgoingTLSConfigForCheck added in v1.4.3

func (c *Configurator) OutgoingTLSConfigForCheck(id string) (*tls.Config, error)

IncomingTLSConfig generates a *tls.Config for outgoing TLS connections for checks. This function is seperated because there is an extra flag to consider for checks. EnableAgentTLSForChecks and InsecureSkipVerify has to be checked for checks.

func (*Configurator) RemoveCheck added in v1.4.3

func (c *Configurator) RemoveCheck(id string)

RemoveCheck removes a check from the internal check map.

func (*Configurator) Update added in v1.4.3

func (c *Configurator) Update(config *Config)

Update updates the internal configuration which is used to generate *tls.Config.

type DCWrapper added in v0.5.1

type DCWrapper func(dc string, conn net.Conn) (net.Conn, error)

DCWrapper is a function that is used to wrap a non-TLS connection and returns an appropriate TLS connection or error. This takes a datacenter as an argument.

type Wrapper added in v0.5.1

type Wrapper func(conn net.Conn) (net.Conn, error)

Wrapper is a variant of DCWrapper, where the DC is provided as a constant value. This is usually done by currying DCWrapper.

func SpecificDC added in v0.5.1

func SpecificDC(dc string, tlsWrap DCWrapper) Wrapper

SpecificDC is used to invoke a static datacenter and turns a DCWrapper into a Wrapper type.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL