fix cert auth

This commit is contained in:
Vladislav Yarmak 2022-09-07 10:27:33 +03:00
parent d0c1dec64b
commit 2e2f2c29af
2 changed files with 25 additions and 4 deletions


@ -155,12 +155,11 @@ func run() int {
mainLogger.Info("Starting proxy server...") mainLogger.Info("Starting proxy server...")
if args.cert != "" { if args.cert != "" {
cfg, err1 := makeServerTLSConfig(args.cert, args.key, args.cafile) cfg, err1 := makeServerTLSConfig(args.cert, args.key, args.cafile, args.ciphers)
if err1 != nil { if err1 != nil {
mainLogger.Critical("TLS config construction failed: %v", err1) mainLogger.Critical("TLS config construction failed: %v", err1)
return 3 return 3
} }
cfg.CipherSuites = makeCipherList(args.ciphers)
server.TLSConfig = cfg server.TLSConfig = cfg
err = server.ListenAndServeTLS("", "") err = server.ListenAndServeTLS("", "")
} else if args.autocert { } else if args.autocert {
@ -180,7 +179,11 @@ func run() int {
}() }()
} }
cfg := m.TLSConfig() cfg := m.TLSConfig()
cfg.CipherSuites = makeCipherList(args.ciphers) cfg, err = updateServerTLSConfig(cfg, args.cafile, args.ciphers)
if err != nil {
mainLogger.Critical("TLS config construction failed: %v", err)
return 3
}
server.TLSConfig = cfg server.TLSConfig = cfg
err = server.ListenAndServeTLS("", "") err = server.ListenAndServeTLS("", "")
} else { } else {
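Review bot: Passing args.cafile into updateServerTLSConfig on the autocert branch only enables optional client-certificate verification — the second file sets cfg.ClientAuth = tls.VerifyClientCertIfGiven, so a client that presents no certificate still completes the handshake and the actual access decision presumably lives in the request handler (a check of r.TLS.PeerCertificates); worth confirming that path is wired for the autocert listener too, since the commit title promises fixed cert auth. A comment at the call would keep the next reader from assuming a cafile mandates client certificates: `// cafile only enables optional client-cert verification (VerifyClientCertIfGiven); enforcement happens in the handler`. The new Critical message repeats the one on the cert/key branch word for word, so the log cannot tell which branch failed; `mainLogger.Critical("TLS config update for autocert failed: %v", err)` would disambiguate. run() starts and ends outside both hunks.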


@ -149,7 +149,7 @@ func copyBody(wr io.Writer, body io.Reader) {
} }
} }
func makeServerTLSConfig(certfile, keyfile, cafile string) (*tls.Config, error) { func makeServerTLSConfig(certfile, keyfile, cafile, ciphers string) (*tls.Config, error) {
var cfg tls.Config var cfg tls.Config
cert, err := tls.LoadX509KeyPair(certfile, keyfile) cert, err := tls.LoadX509KeyPair(certfile, keyfile)
if err != nil { if err != nil {
@ -168,9 +168,27 @@ func makeServerTLSConfig(certfile, keyfile, cafile string) (*tls.Config, error)
cfg.ClientCAs = roots cfg.ClientCAs = roots
cfg.ClientAuth = tls.VerifyClientCertIfGiven cfg.ClientAuth = tls.VerifyClientCertIfGiven
} }
cfg.CipherSuites = makeCipherList(ciphers)
return &cfg, nil return &cfg, nil
} }
func updateServerTLSConfig(cfg *tls.Config, cafile, ciphers string) (*tls.Config, error) {
if cafile != "" {
roots := x509.NewCertPool()
certs, err := ioutil.ReadFile(cafile)
if err != nil {
return nil, err
}
if ok := roots.AppendCertsFromPEM(certs); !ok {
return nil, errors.New("Failed to load CA certificates")
}
cfg.ClientCAs = roots
cfg.ClientAuth = tls.VerifyClientCertIfGiven
}
cfg.CipherSuites = makeCipherList(ciphers)
return cfg, nil
}
func makeCipherList(ciphers string) []uint16 { func makeCipherList(ciphers string) []uint16 {
if ciphers == "" { if ciphers == "" {
return nil return nil