fix cert auth
parent
d0c1dec64b
commit
2e2f2c29af
9
main.go
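--- a/main.go
+++ b/main.go
@@ -155,12 +155,11 @@ func run() int {
 
 mainLogger.Info("Starting proxy server...")
 if args.cert != "" {
-cfg, err1 := makeServerTLSConfig(args.cert, args.key, args.cafile)
+cfg, err1 := makeServerTLSConfig(args.cert, args.key, args.cafile, args.ciphers)
 if err1 != nil {
 mainLogger.Critical("TLS config construction failed: %v", err1)
 return 3
 }
-cfg.CipherSuites = makeCipherList(args.ciphers)
 server.TLSConfig = cfg
 err = server.ListenAndServeTLS("", "")
 } else if args.autocert {
@@ -180,7 +179,11 @@ func run() int {
 }()
 }
 cfg := m.TLSConfig()
-cfg.CipherSuites = makeCipherList(args.ciphers)
+cfg, err = updateServerTLSConfig(cfg, args.cafile, args.ciphers)
+if err != nil {
+mainLogger.Critical("TLS config construction failed: %v", err)
+return 3
+}
 server.TLSConfig = cfg
 err = server.ListenAndServeTLS("", "")
 } else {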
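Review bot: The autocert branch stores the result of `updateServerTLSConfig` in the outer `err`, which `server.ListenAndServeTLS` overwrites a few lines later, while the cert branch uses a fresh `err1` for the same check; the two branches should share one form, e.g. `cfg, err1 := updateServerTLSConfig(cfg, args.cafile, args.ciphers)`, `if err1 != nil {` and `mainLogger.Critical("TLS config construction failed: %v", err1)`. Both branches now emit the identical message on failure, so a bad `-cafile` in autocert mode reads the same as a bad key pair in the other branch; naming the file, `mainLogger.Critical("TLS config construction failed (cafile=%q): %v", args.cafile, err)`, makes the failure actionable. The enclosing `run()` starts before the first hunk and ends after the second, and the declarations of `err`, `server` and the autocert manager `m` are outside the shown lines.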
20
utils.go
20
utils.go
|
@ -149,7 +149,7 @@ func copyBody(wr io.Writer, body io.Reader) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func makeServerTLSConfig(certfile, keyfile, cafile string) (*tls.Config, error) {
|
func makeServerTLSConfig(certfile, keyfile, cafile, ciphers string) (*tls.Config, error) {
|
||||||
var cfg tls.Config
|
var cfg tls.Config
|
||||||
cert, err := tls.LoadX509KeyPair(certfile, keyfile)
|
cert, err := tls.LoadX509KeyPair(certfile, keyfile)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -168,9 +168,27 @@ func makeServerTLSConfig(certfile, keyfile, cafile string) (*tls.Config, error)
|
||||||
cfg.ClientCAs = roots
|
cfg.ClientCAs = roots
|
||||||
cfg.ClientAuth = tls.VerifyClientCertIfGiven
|
cfg.ClientAuth = tls.VerifyClientCertIfGiven
|
||||||
}
|
}
|
||||||
|
cfg.CipherSuites = makeCipherList(ciphers)
|
||||||
return &cfg, nil
|
return &cfg, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func updateServerTLSConfig(cfg *tls.Config, cafile, ciphers string) (*tls.Config, error) {
|
||||||
|
if cafile != "" {
|
||||||
|
roots := x509.NewCertPool()
|
||||||
|
certs, err := ioutil.ReadFile(cafile)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
if ok := roots.AppendCertsFromPEM(certs); !ok {
|
||||||
|
return nil, errors.New("Failed to load CA certificates")
|
||||||
|
}
|
||||||
|
cfg.ClientCAs = roots
|
||||||
|
cfg.ClientAuth = tls.VerifyClientCertIfGiven
|
||||||
|
}
|
||||||
|
cfg.CipherSuites = makeCipherList(ciphers)
|
||||||
|
return cfg, nil
|
||||||
|
}
|
||||||
|
|
||||||
func makeCipherList(ciphers string) []uint16 {
|
func makeCipherList(ciphers string) []uint16 {
|
||||||
if ciphers == "" {
|
if ciphers == "" {
|
||||||
return nil
|
return nil
|
||||||
|
|
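Review bot: In the new `updateServerTLSConfig`, `cfg.ClientAuth = tls.VerifyClientCertIfGiven` still lets a client that presents no certificate complete the handshake, so loading `-cafile` only verifies certificates that happen to be sent; unless a handler elsewhere checks `r.TLS.PeerCertificates` (not visible here), mandatory client authentication needs `cfg.ClientAuth = tls.RequireAndVerifyClientCert`, and the chosen mode deserves a comment on that line either way, e.g. `// Optional client auth: connections that send no certificate are still accepted.` The CA-loading block appears to duplicate the one already in `makeServerTLSConfig` (its `ClientCAs`/`ClientAuth` assignments are visible in the hunk, the file read sits between the hunks), so `makeServerTLSConfig` could end with `return updateServerTLSConfig(&cfg, cafile, ciphers)` once the key pair is loaded and drop its own copy. `ioutil.ReadFile` is deprecated in favour of `os.ReadFile` if the module targets Go 1.16 or newer, and the error string `"Failed to load CA certificates"` would conventionally be lowercase. `makeCipherList` and the body of `makeServerTLSConfig` continue outside the hunks.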