Documentation ¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
var TLSLookup = map[string]uint16{
	"tls10": tls.VersionTLS10,
	"tls11": tls.VersionTLS11,
	"tls12": tls.VersionTLS12,
}
TLSLookup maps the tls_min_version configuration string to the corresponding crypto/tls version constant. Only tls10, tls11 and tls12 are listed; any other value is not a valid tls_min_version.
Functions ¶
func ParseCiphers ¶ added in v0.8.2
ParseCiphers parses a comma-separated list of cipher suite names into a slice of the recognized cipher suite IDs.
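The following is an added example, not code from the Consul tlsutil package: a minimum-version and cipher-suite parser in the spirit of TLSLookup and ParseCiphers. It assumes a table that also accepts tls13 (the page's TLSLookup stops at tls12), resolves suite names through Go's own tls.CipherSuites and tls.InsecureCipherSuites lists, and the names ParseTLSVersion, ParseCipherSuites and BuildTLSConfig are hypothetical.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// tlsVersions mirrors the tls_min_version lookup on the page, with tls13 added
// (an assumption for this example; the page's table stops at tls12).
var tlsVersions = map[string]uint16{
	"tls10": tls.VersionTLS10,
	"tls11": tls.VersionTLS11,
	"tls12": tls.VersionTLS12,
	"tls13": tls.VersionTLS13,
}

// ParseTLSVersion resolves a tls_min_version string. An unknown name is an
// error rather than a silent fallback to the library default.
func ParseTLSVersion(s string) (uint16, error) {
	v, ok := tlsVersions[strings.ToLower(strings.TrimSpace(s))]
	if !ok {
		return 0, fmt.Errorf("unknown tls_min_version %q (want tls10, tls11, tls12 or tls13)", s)
	}
	return v, nil
}

// ParseCipherSuites turns "NAME,NAME,..." into suite IDs using the names Go
// publishes via tls.CipherSuites. Names Go lists as insecure are refused
// instead of being passed through; an empty string means "Go's defaults".
func ParseCipherSuites(s string) ([]uint16, error) {
	if strings.TrimSpace(s) == "" {
		return nil, nil
	}
	byName := make(map[string]uint16)
	for _, cs := range tls.CipherSuites() {
		byName[cs.Name] = cs.ID
	}
	insecure := make(map[string]bool)
	for _, cs := range tls.InsecureCipherSuites() {
		insecure[cs.Name] = true
	}
	var ids []uint16
	for _, raw := range strings.Split(s, ",") {
		name := strings.TrimSpace(raw)
		switch {
		case byName[name] != 0:
			ids = append(ids, byName[name])
		case insecure[name]:
			return nil, fmt.Errorf("cipher suite %s is marked insecure by crypto/tls", name)
		default:
			return nil, fmt.Errorf("unsupported cipher suite %q", name)
		}
	}
	return ids, nil
}

// BuildTLSConfig applies both settings to a tls.Config. CipherSuites only
// governs TLS 1.2 and below; TLS 1.3 suites are not configurable in Go.
func BuildTLSConfig(minVersion, ciphers string) (*tls.Config, error) {
	v, err := ParseTLSVersion(minVersion)
	if err != nil {
		return nil, err
	}
	ids, err := ParseCipherSuites(ciphers)
	if err != nil {
		return nil, err
	}
	return &tls.Config{MinVersion: v, CipherSuites: ids}, nil
}

func main() {
	for _, in := range []string{"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_RC4_128_SHA", "TLS_FOO"} {
		_, err := BuildTLSConfig("tls12", in)
		fmt.Printf("%-40s -> %v\n", in, err)
	}
}
```

Two caveats when carrying the Config fields over to crypto/tls: PreferServerCipherSuites has been ignored by Go since 1.17 (the server's preference order is always used), and a CipherSuites list has no effect on TLS 1.3 connections.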
Types ¶
type Config ¶
type Config struct {
	// VerifyIncoming is used to verify the authenticity of incoming connections.
	// This means that TCP requests are forbidden, only allowing for TLS. TLS connections
	// must match a provided certificate authority. This can be used to force client auth.
	VerifyIncoming bool

	// VerifyOutgoing is used to verify the authenticity of outgoing connections.
	// This means that TLS requests are used, and TCP requests are not made. TLS connections
	// must match a provided certificate authority. This is used to verify authenticity of
	// server nodes.
	VerifyOutgoing bool

	// VerifyServerHostname is used to enable hostname verification of servers. This
	// ensures that the certificate presented is valid for server.<datacenter>.<domain>.
	// This prevents a compromised client from being restarted as a server, and then
	// intercepting request traffic as well as being added as a raft peer. This should be
	// enabled by default with VerifyOutgoing, but for legacy reasons we cannot break
	// existing clients.
	VerifyServerHostname bool

	// UseTLS is used to enable outgoing TLS connections to Consul servers.
	UseTLS bool

	// CAFile is a path to a certificate authority file. This is used with VerifyIncoming
	// or VerifyOutgoing to verify the TLS connection.
	CAFile string

	// CAPath is a path to a directory containing certificate authority files. This is used
	// with VerifyIncoming or VerifyOutgoing to verify the TLS connection.
	CAPath string

	// CertFile is used to provide a TLS certificate that is used for serving TLS connections.
	// Must be provided to serve TLS connections.
	CertFile string

	// KeyFile is used to provide a TLS key that is used for serving TLS connections.
	// Must be provided to serve TLS connections.
	KeyFile string

	// NodeName is the name we use to advertise. Defaults to hostname.
	NodeName string

	// ServerName is used with the TLS certificate to ensure the name we
	// provide matches the certificate.
	ServerName string

	// Domain is the Consul TLD being used. Defaults to "consul."
	Domain string

	// TLSMinVersion is the minimum accepted TLS version that can be used.
	TLSMinVersion string

	// CipherSuites is the list of TLS cipher suites to use.
	CipherSuites []uint16

	// PreferServerCipherSuites specifies whether to prefer the server's cipher suites
	// over the client's cipher suites.
	PreferServerCipherSuites bool
}
Config holds the TLS settings used to build a tls.Config for incoming and outgoing connections.
func (*Config) AppendCA ¶
AppendCA opens and parses the CA file and adds the certificates to the provided CertPool.
func (*Config) IncomingTLSConfig ¶
IncomingTLSConfig generates a TLS configuration for incoming requests
func (*Config) KeyPair ¶
func (c *Config) KeyPair() (*tls.Certificate, error)
KeyPair opens and parses the certificate and key files named by CertFile and KeyFile.
func (*Config) OutgoingTLSConfig ¶
OutgoingTLSConfig generates a TLS configuration for outgoing requests. It will return a nil config if this configuration should not use TLS for outgoing connections.
func (*Config) OutgoingTLSWrapper ¶ added in v0.5.1
OutgoingTLSWrapper returns a DCWrapper based on the outgoing TLS configuration. If hostname verification is enabled, the wrapper generates the server name to verify (server.<datacenter>.<domain>) dynamically from the datacenter it is given.
type DCWrapper ¶ added in v0.5.1
DCWrapper is a function that wraps a non-TLS connection and returns the corresponding TLS connection or an error. It takes the target datacenter as an argument.
type Wrapper ¶ added in v0.5.1
Wrapper is a variant of DCWrapper, where the DC is provided as a constant value. This is usually done by currying DCWrapper.
func SpecificDC ¶ added in v0.5.1
SpecificDC binds a static datacenter to a DCWrapper, turning it into a Wrapper.
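The following added example (written for this page, not the project's own OutgoingTLSWrapper, DCWrapper or SpecificDC implementation) shows the mechanism behind the wrapper types and VerifyServerHostname together: a DCWrapper curried into a Wrapper with SpecificDC, a per-datacenter client config whose ServerName is server.<datacenter>.<domain>, and the x509 check a TLS client would run against the server's certificate, so that a certificate issued for dc1 is rejected when dialling dc2 but accepted when hostname verification is off and a static name is used. The CA and server certificate are constructed in memory; the names OutgoingConfig, NewOutgoingWrapper, VerifyServerCert, BuildPKI and newCert are assumptions, and the static-name fallback only approximates the legacy behaviour described above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// DCWrapper takes the datacenter being dialled; Wrapper has it fixed (shapes as on the page).
type DCWrapper func(dc string, conn net.Conn) (net.Conn, error)
type Wrapper func(conn net.Conn) (net.Conn, error)

// SpecificDC curries a DCWrapper into a Wrapper bound to one datacenter.
func SpecificDC(dc string, w DCWrapper) Wrapper {
	return func(conn net.Conn) (net.Conn, error) { return w(dc, conn) }
}

// ServerName is the name VerifyServerHostname pins: server.<datacenter>.<domain>.
func ServerName(dc, domain string) string { return "server." + dc + "." + domain }

// OutgoingConfig builds the client-side tls.Config for one datacenter. With hostname
// verification off, staticName is used for every datacenter, so any certificate the
// CA issued for that one name is accepted no matter which node is really answering.
func OutgoingConfig(roots *x509.CertPool, dc, domain, staticName string, verifyHostname bool) *tls.Config {
	cfg := &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12, ServerName: staticName}
	if verifyHostname {
		cfg.ServerName = ServerName(dc, domain)
	}
	return cfg
}

// NewOutgoingWrapper is a DCWrapper that derives the expected name from the
// datacenter it is handed; tls.Client defers the handshake until first use.
func NewOutgoingWrapper(roots *x509.CertPool, domain string) DCWrapper {
	return func(dc string, conn net.Conn) (net.Conn, error) {
		return tls.Client(conn, OutgoingConfig(roots, dc, domain, "", true)), nil
	}
}

// VerifyServerCert runs the check a TLS client applies to the server's leaf:
// chain to cfg.RootCAs and, when cfg.ServerName is set, match that name.
// (With an empty ServerName crypto/tls itself would refuse to handshake.)
func VerifyServerCert(cfg *tls.Config, leaf *x509.Certificate) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: cfg.RootCAs, DNSName: cfg.ServerName})
	return err
}

// newCert issues tmpl with a fresh P-256 key, signed by parent (self-signed
// when parent is nil). Constructed, in-memory PKI for this example only.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildPKI returns a CA pool and a server certificate for server.<dc>.<domain>
// issued by that CA: the material CAFile, CertFile and KeyFile would otherwise load.
func BuildPKI(dc, domain string) (*x509.CertPool, *x509.Certificate, error) {
	now := time.Now()
	ca, caKey, err := newCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Agent CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true, IsCA: true,
	}, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	name := ServerName(dc, domain)
	leaf, _, err := newCert(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore:   now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	if err != nil {
		return nil, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return pool, leaf, nil
}
```

The example deliberately runs the certificate check directly rather than a live handshake, so it needs no listener; the same x509.VerifyOptions (RootCAs plus ServerName) are what crypto/tls applies inside tls.Client. The point the VerifyServerHostname comment makes is visible in the last two cases: with a static ServerName, a certificate the CA issued for any one name, for example to a client that was later turned into a server, verifies for every datacenter, whereas the dynamic server.<dc>.<domain> name ties the certificate to the datacenter being dialled.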