-
Notifications
You must be signed in to change notification settings - Fork 17
Expand file tree
/
Copy pathserver_tls.go
More file actions
84 lines (71 loc) · 3.02 KB
/
server_tls.go
File metadata and controls
84 lines (71 loc) · 3.02 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
// Copyright 2021-2024 Nokia
// Licensed under the BSD 3-Clause License.
// SPDX-License-Identifier: BSD-3-Clause
package restful
import (
"crypto/tls"
"net/http"
"sync"
"time"
)
// TLSConfig returns raw TLS config used by the server
func (s *Server) TLSConfig() *tls.Config {
return s.server.TLSConfig
}
// TLSClientCert adds client certs to server, enabling mutual TLS (mTLS).
// If path is a directory then scans for files recursively. If path is not set then defaults to /etc.
// If loadSystemCerts is true, clients with CA from system CA pool are accepted, too.
// As the role of mTLS is to authorize certain clients to connect, enable system CAs only if those are reasonable for auth.
// File names should match *.crt or *.pem.
func (s *Server) TLSClientCert(path string, loadSystemCerts bool) *Server {
if s.server.TLSConfig == nil {
s.server.TLSConfig = &tls.Config{MinVersion: tls.VersionTLS12}
}
s.server.TLSConfig.ClientCAs = NewCertPool(path, loadSystemCerts)
s.server.TLSConfig.ClientAuth = tls.RequireAndVerifyClientCert
return s
}
// TLSServerCert sets server cert + key.
func (s *Server) TLSServerCert(certFile, keyFile string) *Server {
s.certFile = certFile
s.keyFile = keyFile
return s
}
// ListenAndServeTLS acts like standard http.ListenAndServeTLS().
// Logs, except for automatically served LivenessProbePath and HealthCheckPath.
func ListenAndServeTLS(addr, certFile, keyFile string, handler http.Handler) error {
return NewServer().Addr(addr).Handler(handler).TLSServerCert(certFile, keyFile).ListenAndServe()
}
// ListenAndServeMTLS acts like standard http.ListenAndServeTLS(). Just authenticates client.
// Parameter clientCerts is a PEM cert file or a directory of PEM cert files case insensitively matching *.pem or *.crt.
// If loadSystemCerts is true, clients with CA from system CA pool are accepted, too.
// As the role of mTLS is to authorize certain clients to connect, enable system CAs only if those are reasonable for auth.
// Logs, except for automatically served LivenessProbePath and HealthCheckPath.
func ListenAndServeMTLS(addr, certFile, keyFile, clientCerts string, loadSystemCerts bool, handler http.Handler) error {
return NewServer().Addr(addr).Handler(handler).TLSServerCert(certFile, keyFile).TLSClientCert(clientCerts, loadSystemCerts).ListenAndServe()
}
// CRL sets up Certificate Revocation List watching for the Server.
// CRL cert is read from *path*, re-read every *readInterval* and has to exist until *fileExistTimeout*.
// Errors are delivered through *errChan*
func (s *Server) CRL(o CRLOptions) *Server {
setCRL(s, o)
s.server.TLSConfig.VerifyPeerCertificate = verifyPeerCert(s.crl)
return s
}
func (s *Server) getCRL() *crl {
return s.crl
}
func (s *Server) setCRL(serials map[string]struct{}, nextUpdate time.Time, strict bool) {
if s.crl == nil {
s.crl = &crl{
mu: sync.RWMutex{},
serials: map[string]struct{}{},
nextUpdate: time.Time{},
}
}
s.crl.mu.Lock()
defer s.crl.mu.Unlock()
s.crl.serials = serials
s.crl.nextUpdate = nextUpdate
s.crl.strictCheck = strict
}