package main
import (
"crypto/tls"
"crypto/x509"
"errors"
"fmt"
"io/ioutil"
"os"
)
// Process-wide TLS state. Both values start nil and are filled lazily:
// tlsconfig by cacheTLSFromParams, autority by makeCertPool. Neither
// loader re-runs once its value is non-nil.
var (
	tlsconfig *tls.Config
	autority  *x509.CertPool
)
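// cacheTLSFromEnv loads the process-wide TLS config from the key and
// certificate files named by the KEY_PATH and CERT_PATH environment
// variables. It returns an error when either variable is unset; an
// unset variable is distinguished from an empty one by os.LookupEnv, so
// an empty path is passed through and fails inside cacheTLSFromParams.
// Any error from loading the key pair is returned unchanged.
func cacheTLSFromEnv() error {
	keypath, ok := os.LookupEnv("KEY_PATH")
	if !ok {
		return errors.New("env KEY_PATH undefined")
	}
	certpath, ok := os.LookupEnv("CERT_PATH")
	if !ok {
		return errors.New("env CERT_PATH undefined")
	}
	return cacheTLSFromParams(keypath, certpath)
}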
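// cacheTLSFromParams loads the PEM key pair at keypath/certpath into the
// process-wide tlsconfig. The load happens at most once: when tlsconfig
// is already set the call is a no-op and returns nil. The resulting
// config pins MinVersion to TLS 1.2 and carries the loaded certificate.
// It returns the tls.LoadX509KeyPair error when the pair cannot be read
// or parsed; tlsconfig stays nil in that case, so a later call retries.
func cacheTLSFromParams(keypath, certpath string) error {
	if tlsconfig != nil {
		return nil
	}
	// Parameter order is the reverse of this function's: LoadX509KeyPair
	// takes the certificate file first, then the key file.
	cert, err := tls.LoadX509KeyPair(certpath, keypath)
	if err != nil {
		return err
	}
	tlsconfig = &tls.Config{
		MinVersion:   tls.VersionTLS12,
		Certificates: []tls.Certificate{cert},
		// ClientAuth: tls.RequireAndVerifyClientCert,
		// CipherSuites: []uint16{
		// 	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
		// 	tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
		// 	tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
		// 	tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
		// },
	}
	// tlsconfig.RootCAs, err = makeCertPool(certpath)
	// NOTE(review): RootCAs is only consulted when this process verifies a
	// peer it connects to as a client; if the ClientAuth line above is ever
	// enabled, the pool belongs in ClientCAs instead.
	//
	// err is necessarily nil here, so return nil explicitly rather than
	// re-returning a variable whose value is not obvious to the reader.
	return nil
}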
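// makeCertPool returns the process-wide CA pool, building it on first use
// from the PEM file at certpath. Subsequent calls return the cached pool.
// On a read failure it returns the I/O error; when the file holds no
// parseable certificate it returns a descriptive error. In both failure
// cases autority is left nil so the next call retries the load rather
// than handing out an empty pool as if it were valid.
func makeCertPool(certpath string) (*x509.CertPool, error) {
	if autority != nil {
		return autority, nil
	}
	blob, err := ioutil.ReadFile(certpath)
	if err != nil {
		return nil, err
	}
	// Build into a local first: the original assigned autority before the
	// read, so a failed read or parse cached an empty pool and every later
	// call returned it with a nil error.
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(blob) {
		return nil, fmt.Errorf("failed to add cert from pem: %s", certpath)
	}
	autority = pool
	return autority, nil
}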