Documentation ¶
Index ¶
- Constants
- func Default(rootCAs *x509.CertPool) *tls.Config
- func DefaultLDAP(rootCAs *x509.CertPool) *tls.Config
- func LogAllProfiles(log plog.Logger)
- func Merge(tlsConfigFunc ConfigFunc, tlsConfig *tls.Config)
- func Secure(rootCAs *x509.CertPool) *tls.Config
- func SecureServing(opts *options.SecureServingOptionsWithLoopback)
- func SetUserConfiguredAllowedCipherSuitesForTLSOneDotTwo(userConfiguredAllowedCipherSuitesForTLSOneDotTwo []string) error
- type ConfigFunc
- type PrepareServerConfigFunc
- type RestConfigFunc
- type SetAllowedCiphersFunc
Constants ¶
const SecureTLSConfigMinTLSVersion = tls.VersionTLS13
SecureTLSConfigMinTLSVersion is the minimum tls version in the format expected by tls.Config.
Variables ¶
This section is empty.
Functions ¶
func Default ¶
func Default(rootCAs *x509.CertPool) *tls.Config
Default is the TLS profile that should be used by: A. servers whose clients are outside our control and who may reasonably wish to use TLS 1.2, and B. clients that need to interact with servers which might not support TLS 1.3. Note that this will behave differently when compiled in FIPS mode (see profiles_fips_strict.go). Default returns a tls.Config with a minimum version of TLS 1.2 and a short list of cipher suites, which configuration can constrain further (see SetUserConfiguredAllowedCipherSuitesForTLSOneDotTwo).
func DefaultLDAP ¶
func DefaultLDAP(rootCAs *x509.CertPool) *tls.Config
DefaultLDAP is the TLS profile that should be used by clients that need to interact with potentially old LDAP servers which might not support TLS 1.3 and might use older cipher suites. Note that this will behave differently when compiled in FIPS mode (see profiles_fips_strict.go).
func LogAllProfiles ¶ added in v0.32.0
func LogAllProfiles(log plog.Logger)
func Merge ¶
func Merge(tlsConfigFunc ConfigFunc, tlsConfig *tls.Config)
func Secure ¶
func Secure(rootCAs *x509.CertPool) *tls.Config
Secure is the TLS profile that should be used by: A. servers whose clients are entirely known to us and who may reasonably be told that they must use TLS 1.3, and B. clients that only need to interact with servers known by us to support TLS 1.3 (e.g. the Kubernetes API). Note that this will behave differently when compiled in FIPS mode (see profiles_fips_strict.go).
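What the choice between Default and Secure means on the wire, shown as an added example that is not the package's own code: the program below builds a Secure-style config (TLS 1.3 only) and a Default-style config (TLS 1.2 minimum, short ECDHE+AEAD list for 1.2), then runs real crypto/tls handshakes over an in-memory pipe against a modern client, a client that can only speak TLS 1.2, and a TLS 1.2 client that offers only an RSA key exchange suite. The `profile`, `selfSignedCert` and `handshake` functions, the cipher list and the throwaway certificate are all assumptions of the example; the package's real cipher list and its FIPS-mode behaviour are not reproduced.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// profile mimics the documented Secure (TLS 1.3 only) and Default (TLS 1.2+, short ECDHE+AEAD
// list for 1.2; Go hard-codes the 1.3 suites) profiles. Illustrative only: not the real lists.
func profile(secure bool, rootCAs *x509.CertPool, certs ...tls.Certificate) *tls.Config {
	cfg := &tls.Config{RootCAs: rootCAs, Certificates: certs, MinVersion: tls.VersionTLS13}
	if !secure {
		cfg.MinVersion = tls.VersionTLS12
		cfg.CipherSuites = []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
		}
	}
	return cfg
}

// selfSignedCert builds a throwaway ECDSA certificate for "localhost" and a pool that
// trusts it (constructed test material, not a real CA).
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "localhost"},
		DNSNames: []string{"localhost"}, IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der) // produced by CreateCertificate, so it parses
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// handshake runs one handshake over an in-memory pipe and returns the version the client
// negotiated, or the client's error. Session tickets are disabled because net.Pipe is
// synchronous: a ticket in the server's first TLS 1.3 flight would block both ends.
func handshake(serverCfg, clientCfg *tls.Config) (uint16, error) {
	serverCfg, clientCfg = serverCfg.Clone(), clientCfg.Clone()
	serverCfg.SessionTicketsDisabled, clientCfg.ServerName = true, "localhost"
	sRaw, cRaw := net.Pipe()
	serverDone := make(chan error, 1)
	go func() {
		defer sRaw.Close()
		srv := tls.Server(sRaw, serverCfg)
		err := srv.Handshake()
		if err == nil {
			_, err = srv.Write([]byte("ok")) // one record so both ends finish in lockstep
		}
		serverDone <- err
	}()
	cli := tls.Client(cRaw, clientCfg)
	err := cli.Handshake()
	if err == nil {
		_, err = cli.Read(make([]byte, 2)) // drain the server's record before closing
	}
	version := cli.ConnectionState().Version
	cRaw.Close() // raw close: no close_notify, which the synchronous pipe could not deliver
	<-serverDone
	if err != nil {
		return 0, err
	}
	return version, nil
}

func main() {
	cert, pool, err := selfSignedCert()
	if err != nil {
		panic(err)
	}
	secure, def := profile(true, nil, cert), profile(false, nil, cert)
	legacy := &tls.Config{RootCAs: pool, MaxVersion: tls.VersionTLS12} // cannot speak TLS 1.3
	rsaKex := &tls.Config{RootCAs: pool, MaxVersion: tls.VersionTLS12, // AEAD, but no forward secrecy
		CipherSuites: []uint16{tls.TLS_RSA_WITH_AES_128_GCM_SHA256}}
	for name, c := range map[string][2]*tls.Config{"secure+default": {secure, profile(false, pool)},
		"secure+legacy": {secure, legacy}, "default+legacy": {def, legacy}, "default+rsakex": {def, rsaKex}} {
		v, err := handshake(c[0], c[1])
		fmt.Printf("%-15s version=%#04x err=%v\n", name, v, err)
	}
}
```

Running it shows the trade-off the two profile descriptions make: the Secure server rejects the TLS 1.2-only client outright, the Default server accepts it at TLS 1.2, but even the Default server refuses a client that offers nothing from the profile's list (here, an AEAD suite without forward secrecy). Note the Default client still negotiates TLS 1.3 with a Secure server, since MinVersion is a floor, not a pin.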
func SecureServing ¶ added in v0.31.0
func SecureServing(opts *options.SecureServingOptionsWithLoopback)
SecureServing modifies the given options to have the appropriate MinTLSVersion and CipherSuites. It should only be called by the implementation of ptls.SecureRecommendedOptions, which is used to help configure our aggregated API servers. It exists as a separate function only because it needs to behave differently when compiled in FIPS mode (see profiles_fips_strict.go), and it is exported only so that it can be integration tested in ptls_fips_test.go.
func SetUserConfiguredAllowedCipherSuitesForTLSOneDotTwo ¶ added in v0.32.0
func SetUserConfiguredAllowedCipherSuitesForTLSOneDotTwo(userConfiguredAllowedCipherSuitesForTLSOneDotTwo []string) error
SetUserConfiguredAllowedCipherSuitesForTLSOneDotTwo allows configuration and setup components to constrain the cipher suites allowed for TLS 1.2. It has no effect on TLS 1.3, whose cipher suites are not configurable in Go's crypto/tls. It implements SetAllowedCiphersFunc.
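One way to validate a user-supplied TLS 1.2 cipher suite list before handing it to a setter like this, as an added example that is not the package's implementation: names are resolved through Go's crypto/tls registry (tls.CipherSuites and tls.InsecureCipherSuites), and anything that would loosen rather than narrow the profile is rejected with a reason instead of being silently dropped or added: unknown names, suites Go marks insecure, TLS 1.3 suites (which Go does not let you configure), and suites outside the profile's own list. `constrainTLS12CipherSuites` and `tls12Baseline` are hypothetical names, and the baseline list is an assumption standing in for whatever the Default profile ships.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// tls12Baseline stands in for a profile's built-in TLS 1.2 list (assumption: the
// package's real Default list is not reproduced here).
var tls12Baseline = []uint16{
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
}

// constrainTLS12CipherSuites resolves user-supplied IANA suite names against a
// profile's TLS 1.2 baseline and returns the subset to keep, in the profile's
// preference order. It only ever narrows the list: unknown names, suites Go marks
// insecure, TLS 1.3 suites and suites outside the baseline are all reported as
// errors. An empty input leaves the baseline unchanged.
func constrainTLS12CipherSuites(baseline []uint16, names []string) ([]uint16, error) {
	if len(names) == 0 {
		return baseline, nil
	}
	idByName := map[string]uint16{}
	tls13Only := map[string]bool{}
	for _, s := range tls.CipherSuites() {
		idByName[s.Name] = s.ID
		tls13Only[s.Name] = len(s.SupportedVersions) == 1 && s.SupportedVersions[0] == tls.VersionTLS13
	}
	insecure := map[string]bool{}
	for _, s := range tls.InsecureCipherSuites() {
		insecure[s.Name] = true
	}
	inBaseline := map[uint16]bool{}
	for _, id := range baseline {
		inBaseline[id] = true
	}
	keep := map[uint16]bool{}
	var problems []string
	for _, n := range names {
		id, known := idByName[n]
		switch {
		case insecure[n]:
			problems = append(problems, n+" (insecure)")
		case !known:
			problems = append(problems, n+" (unknown)")
		case tls13Only[n]:
			problems = append(problems, n+" (TLS 1.3 suite, not configurable)")
		case !inBaseline[id]:
			problems = append(problems, n+" (not permitted by profile)")
		default:
			keep[id] = true
		}
	}
	if len(problems) > 0 {
		return nil, fmt.Errorf("rejected TLS 1.2 cipher suites: %s", strings.Join(problems, ", "))
	}
	var out []uint16
	for _, id := range baseline { // profile order wins, not the order the user typed
		if keep[id] {
			out = append(out, id)
		}
	}
	return out, nil
}

func main() {
	for _, names := range [][]string{
		nil,
		{"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"},
		{"TLS_RSA_WITH_RC4_128_SHA", "TLS_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_NOT_A_SUITE"},
	} {
		ids, err := constrainTLS12CipherSuites(tls12Baseline, names)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		for _, id := range ids {
			fmt.Println("allowed:", tls.CipherSuiteName(id))
		}
	}
}
```

Failing closed on any unrecognised or out-of-profile name matters here because this setter runs at startup: a typo that silently fell back to the full baseline would look like a successful hardening while changing nothing.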
Types ¶
type PrepareServerConfigFunc ¶ added in v0.29.0
type PrepareServerConfigFunc func(c *genericapiserver.RecommendedConfig)
PrepareServerConfigFunc is a function that can prepare a RecommendedConfig before the use of RecommendedOptions.ApplyTo().
func DefaultRecommendedOptions ¶
func DefaultRecommendedOptions(opts *options.RecommendedOptions, f RestConfigFunc) (PrepareServerConfigFunc, error)
DefaultRecommendedOptions configures the RecommendedOptions for a server to use the appropriate cipher suites, min TLS version, and client configuration options for servers that need to accept incoming connections from arbitrary clients (like the impersonation proxy). It returns a PrepareServerConfigFunc which must be used on a RecommendedConfig before passing it to RecommendedOptions.ApplyTo().
func SecureRecommendedOptions ¶
func SecureRecommendedOptions(opts *options.RecommendedOptions, f RestConfigFunc) (PrepareServerConfigFunc, error)
SecureRecommendedOptions configures the RecommendedOptions for a server to use the appropriate cipher suites, min TLS version, and client configuration options for servers that only need to accept incoming connections from certain well known clients which we expect will always use modern TLS settings (like the Kube API server). It returns a PrepareServerConfigFunc which must be used on a RecommendedConfig before passing it to RecommendedOptions.ApplyTo().
type RestConfigFunc ¶
RestConfigFunc allows this package to not depend on the kubeclient package.