forked from alpacahq/quickfix
-
Notifications
You must be signed in to change notification settings - Fork 1
/
tls.go
128 lines (109 loc) · 3.1 KB
/
tls.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
package quickfix
import (
"crypto/tls"
"crypto/x509"
"fmt"
"io/ioutil"
"github.com/cryptogarageinc/quickfix-go/config"
)
func loadTLSConfig(settings *SessionSettings) (tlsConfig *tls.Config, err error) {
allowSkipClientCerts := false
if settings.HasSetting(config.SocketUseSSL) {
allowSkipClientCerts, err = settings.BoolSetting(config.SocketUseSSL)
if err != nil {
return
}
}
var serverName string
if settings.HasSetting(config.SocketServerName) {
serverName, err = settings.Setting(config.SocketServerName)
if err != nil {
return
}
}
insecureSkipVerify := false
if settings.HasSetting(config.SocketInsecureSkipVerify) {
insecureSkipVerify, err = settings.BoolSetting(config.SocketInsecureSkipVerify)
if err != nil {
return
}
}
if !settings.HasSetting(config.SocketPrivateKeyFile) && !settings.HasSetting(config.SocketCertificateFile) {
if allowSkipClientCerts {
tlsConfig = defaultTLSConfig()
tlsConfig.ServerName = serverName
tlsConfig.InsecureSkipVerify = insecureSkipVerify
setMinVersionExplicit(settings, tlsConfig)
}
return
}
privateKeyFile, err := settings.Setting(config.SocketPrivateKeyFile)
if err != nil {
return
}
certificateFile, err := settings.Setting(config.SocketCertificateFile)
if err != nil {
return
}
tlsConfig = defaultTLSConfig()
tlsConfig.Certificates = make([]tls.Certificate, 1)
tlsConfig.ServerName = serverName
tlsConfig.InsecureSkipVerify = insecureSkipVerify
setMinVersionExplicit(settings, tlsConfig)
if tlsConfig.Certificates[0], err = tls.LoadX509KeyPair(certificateFile, privateKeyFile); err != nil {
return
}
if !settings.HasSetting(config.SocketCAFile) {
return
}
caFile, err := settings.Setting(config.SocketCAFile)
if err != nil {
return
}
pem, err := ioutil.ReadFile(caFile)
if err != nil {
return
}
certPool := x509.NewCertPool()
if !certPool.AppendCertsFromPEM(pem) {
err = fmt.Errorf("Failed to parse %v", caFile)
return
}
tlsConfig.RootCAs = certPool
tlsConfig.ClientCAs = certPool
tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
return
}
//defaultTLSConfig brought to you by https://github.com/gtank/cryptopasta/
func defaultTLSConfig() *tls.Config {
return &tls.Config{
// Avoids most of the memorably-named TLS attacks
MinVersion: tls.VersionTLS12,
// Causes servers to use Go's default ciphersuite preferences,
// which are tuned to avoid attacks. Does nothing on clients.
PreferServerCipherSuites: true,
// Only use curves which have constant-time implementations
CurvePreferences: []tls.CurveID{
tls.CurveP256,
},
}
}
func setMinVersionExplicit(settings *SessionSettings, tlsConfig *tls.Config) {
if settings.HasSetting(config.SocketMinimumTLSVersion) {
minVersion, err := settings.Setting(config.SocketMinimumTLSVersion)
if err != nil {
return
}
switch minVersion {
case "SSL30":
//nolint:staticcheck // SA1019 min version ok
tlsConfig.MinVersion = tls.VersionSSL30
case "TLS10":
tlsConfig.MinVersion = tls.VersionTLS10
case "TLS11":
tlsConfig.MinVersion = tls.VersionTLS11
case "TLS12":
tlsConfig.MinVersion = tls.VersionTLS12
}
}
}