Documentation ¶
Overview ¶
Package tlsconfig provides configuration for TLS clients and servers.
Types ¶
type ACME ¶
type ACME struct {
	// TODO: Remove Enable (https://github.com/TheThingsNetwork/lorawan-stack/issues/1450)
	Enable bool `` //nolint:lll /* 145-byte string literal not displayed */
	Endpoint    string   `name:"endpoint" description:"ACME endpoint"`
	Dir         string   `name:"dir" description:"Location of ACME storage directory"`
	Email       string   `name:"email" description:"Email address to register with the ACME account"`
	Hosts       []string `name:"hosts" description:"Hosts to enable automatic certificates for"`
	DefaultHost string   `name:"default-host" description:"Default host to assume for clients without SNI"`
	// contains filtered or unexported fields
}
ACME represents ACME configuration.
func (*ACME) Initialize ¶
Initialize initializes the autocert manager for the ACME configuration. If it was already initialized, any changes after the previous initialization are ignored.
type Client ¶
type Client struct {
	FileReader         FileReader `json:"-" yaml:"-" name:"-"`
	RootCA             string     `json:"root-ca" yaml:"root-ca" name:"root-ca" description:"Location of TLS root CA certificate (optional)"` //nolint:lll
	InsecureSkipVerify bool       `name:"insecure-skip-verify" description:"Skip verification of certificate chains (insecure)"` //nolint:lll
}
Client is client-side configuration for server TLS.
type ClientAuth ¶
type ClientAuth struct {
	Source      string         `name:"source" description:"Source of the TLS certificate (file, key-vault)"`
	FileReader  FileReader     `json:"-" yaml:"-" name:"-"`
	Certificate string         `json:"certificate" yaml:"certificate" name:"certificate" description:"Location of TLS certificate"` //nolint:lll
	Key         string         `json:"key" yaml:"key" name:"key" description:"Location of TLS private key"`
	KeyVault    ClientKeyVault `name:"key-vault"`
}
ClientAuth is (client-side) configuration for TLS client authentication.
type ClientKeyVault ¶ added in v3.24.0
type ClientKeyVault struct {
	CertificateProvider interface {
		ClientCertificate(ctx context.Context, label string) (tls.Certificate, error)
	} `name:"-"`
	ID string `name:"id" description:"ID of the certificate"`
}
ClientKeyVault defines configuration for loading a TLS client certificate from the key vault.
type Config ¶
type Config struct {
	Client     `name:",squash"`
	ServerAuth `name:",squash"`
}
Config represents TLS configuration.
type ConfigOptionFunc ¶ added in v3.17.0
ConfigOptionFunc is an Option.
type ConfigurationProvider ¶ added in v3.17.0
ConfigurationProvider generates a Config from the provided context.
func (ConfigurationProvider) GetTLSClientConfig ¶ added in v3.17.0
func (p ConfigurationProvider) GetTLSClientConfig(ctx context.Context, opts ...Option) (*tls.Config, error)
GetTLSClientConfig gets the component's client TLS config and applies the given options.
func (ConfigurationProvider) GetTLSServerConfig ¶ added in v3.17.0
func (p ConfigurationProvider) GetTLSServerConfig(ctx context.Context, opts ...Option) (*tls.Config, error)
GetTLSServerConfig gets the component's server TLS config and applies the given options.
type FileReader ¶
FileReader is the interface used to read TLS certificates and keys.
func FromFetcher ¶ added in v3.24.1
func FromFetcher(fetcher fetch.Interface) FileReader
FromFetcher returns a FileReader that reads files from the given fetcher.
type Option ¶ added in v3.17.0
type Option interface {
// contains filtered or unexported methods
}
Option provides customization for TLS configuration.
func WithNextProtos ¶ added in v3.17.0
WithNextProtos appends the given protocols to NextProtos.
func WithTLSCertificates ¶ added in v3.17.0
func WithTLSCertificates(certificates ...tls.Certificate) Option
WithTLSCertificates sets TLS certificates.
func WithTLSClientAuth ¶ added in v3.17.0
func WithTLSClientAuth(
	auth tls.ClientAuthType,
	cas *x509.CertPool,
	verify func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error,
) Option
WithTLSClientAuth sets TLS client authentication options.
type ServerAuth ¶
type ServerAuth struct {
	Source       string         `name:"source" description:"Source of the TLS certificate (file, acme, key-vault)"`
	FileReader   FileReader     `json:"-" yaml:"-" name:"-"`
	Certificate  string         `json:"certificate" yaml:"certificate" name:"certificate" description:"Location of TLS certificate"` //nolint:lll
	Key          string         `json:"key" yaml:"key" name:"key" description:"Location of TLS private key"`
	ACME         ACME           `name:"acme"`
	KeyVault     ServerKeyVault `name:"key-vault"`
	CipherSuites []string       `name:"cipher-suites" description:"List of IANA names of TLS cipher suites to use (DEPRECATED)"` //nolint:lll
}
ServerAuth is configuration for TLS server authentication.
func (*ServerAuth) ApplyTo ¶
func (c *ServerAuth) ApplyTo(tlsConfig *tls.Config) error
ApplyTo applies the TLS authentication configuration options to the given TLS configuration. If tlsConfig is nil, this is a no-op.
func (*ServerAuth) GetCipherSuites ¶ added in v3.15.2
func (c *ServerAuth) GetCipherSuites() ([]uint16, error)
GetCipherSuites returns the IDs of the cipher suites named in the configuration. This list can be passed to tls.Config.
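An added example, not the package's own code, of the name-to-ID lookup that GetCipherSuites describes, built on the standard library's tls.CipherSuites and tls.InsecureCipherSuites tables. The cipherSuiteIDs helper name and its refusal of suites Go marks insecure are assumptions made here.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"strings"
)

// errInsecureSuite is returned for names that Go's crypto/tls itself marks insecure.
var errInsecureSuite = errors.New("insecure cipher suite rejected")

// cipherSuiteIDs resolves IANA cipher suite names, the form the cipher-suites
// setting takes, to the uint16 IDs that tls.Config.CipherSuites expects.
// Hypothetical helper mirroring GetCipherSuites; the check against
// tls.InsecureCipherSuites() is added here as a defensive measure.
func cipherSuiteIDs(names []string) ([]uint16, error) {
	secure := map[string]uint16{}
	for _, cs := range tls.CipherSuites() {
		secure[cs.Name] = cs.ID
	}
	insecure := map[string]uint16{}
	for _, cs := range tls.InsecureCipherSuites() {
		insecure[cs.Name] = cs.ID
	}
	ids := make([]uint16, 0, len(names))
	for _, raw := range names {
		name := strings.TrimSpace(raw)
		if id, ok := secure[name]; ok {
			ids = append(ids, id)
			continue
		}
		if _, ok := insecure[name]; ok {
			return nil, fmt.Errorf("%q: %w", name, errInsecureSuite)
		}
		return nil, fmt.Errorf("%q: unknown cipher suite", name)
	}
	return ids, nil
}

func main() {
	// Constructed input: one TLS 1.3 suite and one TLS 1.2 AEAD suite.
	ids, err := cipherSuiteIDs([]string{"TLS_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"})
	if err != nil {
		panic(err)
	}
	// Only the TLS 1.2 entry takes effect: Go's TLS 1.3 suites are not configurable.
	cfg := &tls.Config{MinVersion: tls.VersionTLS12, CipherSuites: ids}
	fmt.Printf("%d suites configured: %#04x\n", len(cfg.CipherSuites), ids)
}
```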
type ServerKeyVault ¶ added in v3.24.0
type ServerKeyVault struct {
	CertificateProvider interface {
		ServerCertificate(ctx context.Context, id string) (tls.Certificate, error)
	} `name:"-"`
	ID string `name:"id" description:"ID of the certificate"`
}
ServerKeyVault defines configuration for loading a TLS server certificate from the key vault.