func TestTLSConnection(t *testing.T) {
reactor := NewReactor()
client := reactor.CreateServer("local")
initialiseServerConnection(client)
// generate a test certificate to use
priv, _ := ecdsa.GenerateKey(elliptic.P521(), rand.Reader)
duration30Days, _ := time.ParseDuration("-30h")
notBefore := time.Now().Add(duration30Days) // valid 30 hours ago
duration1Year, _ := time.ParseDuration("90h")
notAfter := notBefore.Add(duration1Year) // for 90 hours
serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
serialNumber, _ := rand.Int(rand.Reader, serialNumberLimit)
template := x509.Certificate{
SerialNumber: serialNumber,
Subject: pkix.Name{
Organization: []string{"gIRC-Go Co"},
},
NotBefore: notBefore,
NotAfter: notAfter,
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
BasicConstraintsValid: true,
IsCA: true,
}
template.IPAddresses = append(template.IPAddresses, net.ParseIP("127.0.0.1"))
template.IPAddresses = append(template.IPAddresses, net.ParseIP("::"))
template.DNSNames = append(template.DNSNames, "localhost")
derBytes, _ := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
c := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
b, _ := x509.MarshalECPrivateKey(priv)
k := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: b})
// we mock up a server connection to test the client
listenerKeyPair, _ := tls.X509KeyPair(c, k)
var listenerTLSConfig tls.Config
listenerTLSConfig.Certificates = make([]tls.Certificate, 0)
listenerTLSConfig.Certificates = append(listenerTLSConfig.Certificates, listenerKeyPair)
listener, _ := tls.Listen("tcp", ":0", &listenerTLSConfig)
// mock up the client side too
clientTLSCertPool := x509.NewCertPool()
clientTLSCertPool.AppendCertsFromPEM(c)
var clientTLSConfig tls.Config
clientTLSConfig.RootCAs = clientTLSCertPool
clientTLSConfig.ServerName = "localhost"
go client.Connect(listener.Addr().String(), true, &clientTLSConfig)
go client.ReceiveLoop()
testServerConnection(t, reactor, client, listener)
}
// Starts listening for client connections.
// When a new application connects, launches listeners in a goroutine.
// Returns an error when error occurs.
func StartListen(port int, useTls bool, crtPath string, keyPath string, sname string) error {
// Create a listening address
addr, err := net.ResolveTCPAddr("tcp", fmt.Sprintf(":%d", port))
if err != nil {
return err
}
// start a new server and listen on the address
var l net.Listener
l, err = net.ListenTCP("tcp", addr)
if err != nil {
return err
}
// wrap with TLS if required
if useTls {
cert, err := tls.LoadX509KeyPair(crtPath, keyPath)
if err != nil {
return err
}
conf := tls.Config{}
certs := make([]tls.Certificate, 1)
certs[0] = cert
conf.Certificates = certs
cp := x509.NewCertPool()
caCert, err := ioutil.ReadFile(crtPath)
if err != nil {
return err
}
if !cp.AppendCertsFromPEM(caCert) {
return errors.New("Could not append PEM cert")
}
conf.RootCAs = cp
conf.ServerName = sname
conf.ClientAuth = tls.RequireAndVerifyClientCert
conf.ClientCAs = cp
l = tls.NewListener(l, &conf)
}
// at the end of this function close the server connection
defer l.Close()
logging.Debug("Starting listen loop")
for {
a, err := acceptApp(l)
if err != nil {
return err
} else {
logging.Debug("Got connection")
go ListenForCommands(a)
}
}
return nil
}
func getTLSConfig(clientCertPEMData, clientKeyPEMData []byte) (*tls.Config, error) {
certPool := x509.NewCertPool()
certChainPath := os.Getenv("ORCHARD_HOST_CA")
if certChainPath != "" {
certChainData, err := ioutil.ReadFile(certChainPath)
if err != nil {
return nil, err
}
certPool.AppendCertsFromPEM(certChainData)
} else {
certPool.AppendCertsFromPEM([]byte(orchardCerts))
}
clientCert, err := tls.X509KeyPair(clientCertPEMData, clientKeyPEMData)
if err != nil {
return nil, err
}
config := new(tls.Config)
config.RootCAs = certPool
config.Certificates = []tls.Certificate{clientCert}
config.BuildNameToCertificate()
return config, nil
}
// NewClient returns a new docker test client.
func NewClient() (
cli *client.DockerCli, stdout *io.PipeReader, stdoutPipe *io.PipeWriter) {
proto, addr, _ := DockerHost()
stdout, stdoutPipe = io.Pipe()
dockerCertPath := os.Getenv("DOCKER_CERT_PATH")
// Boot2docker use TLS per default, Jenkins not
if dockerCertPath != "" {
var (
tlsConfig tls.Config
)
tlsConfig.InsecureSkipVerify = true
flCert := filepath.Join(dockerCertPath, defaultCertFile)
flKey := filepath.Join(dockerCertPath, defaultKeyFile)
_, errCert := os.Stat(flCert)
_, errKey := os.Stat(flKey)
if errCert == nil && errKey == nil {
cert, err := tls.LoadX509KeyPair(flCert, flKey)
if err != nil {
log.Fatalf("Couldn't load X509 key pair: %s. Key encrypted?", err)
}
tlsConfig.Certificates = []tls.Certificate{cert}
}
// Avoid fallback to SSL protocols < TLS1.0
tlsConfig.MinVersion = tls.VersionTLS10
cli = client.NewDockerCli(nil, stdoutPipe, nil, nil, proto, addr, &tlsConfig)
} else {
cli = client.NewDockerCli(nil, stdoutPipe, nil, nil, proto, addr, nil)
}
return
}
func runServer(transportFactory thrift.TTransportFactory, protocolFactory thrift.TProtocolFactory, addr string, secure bool) error {
var transport thrift.TServerTransport
var err error
if secure {
cfg := new(tls.Config)
if cert, err := tls.LoadX509KeyPair("server.crt", "server.key"); err == nil {
cfg.Certificates = append(cfg.Certificates, cert)
} else {
return err
}
transport, err = thrift.NewTSSLServerSocket(addr, cfg)
} else {
transport, err = thrift.NewTServerSocket(addr)
}
if err != nil {
return err
}
fmt.Printf("%T\n", transport)
handler := NewCalculatorHandler()
processor := tutorial.NewCalculatorProcessor(handler)
server := thrift.NewTSimpleServer4(processor, transport, transportFactory, protocolFactory)
fmt.Println("Starting the simple server... on ", addr)
return server.Serve()
}
// SecureListen obtains a listener that accepts
// secure connections
func SecureServe(addr string, certFile, keyFile, caFile string) {
config := tls.Config{}
// load the server cert / key
cert, err := tls.LoadX509KeyPair(certFile, keyFile)
if err != nil {
log.Fatalf("%s", err)
}
config.Certificates = []tls.Certificate{cert}
// load the ca if necessary
// FIXME(alainjobart) this doesn't quite work yet, have
// to investigate
if caFile != "" {
config.ClientCAs = x509.NewCertPool()
pemCerts, err := ioutil.ReadFile(caFile)
if err != nil {
log.Fatalf("%s", err)
}
if !config.ClientCAs.AppendCertsFromPEM(pemCerts) {
log.Fatalf("%s", err)
}
config.ClientAuth = tls.RequireAndVerifyClientCert
}
l, err := tls.Listen("tcp", addr, &config)
if err != nil {
log.Fatalf("%s", err)
}
throttled := NewThrottledListener(l, *secureThrottle, *secureMaxBuffer)
cl := proc.Published(throttled, "SecureConnections", "SecureAccepts")
go http.Serve(cl, nil)
}
// Makes an outgoing connection using that protocol type to the given node ID.
// Returns a non-nil error if it is unable to connect.
// Panics if it is called with protocol set to CLIENT_PROTOCOL.
func Dial(protocol int, id uint16) (*BaseConn, error) {
log.Print("dialing node ", id)
if protocol == CLIENT_PROTOCOL {
panic("tried to make outgoing client protocol connection")
}
ip := config.NodeIP(id)
ipStr := ip.String()
port := getProtocolPort(protocol)
portStr := strconv.FormatInt(int64(port), 10)
tlsConfig := new(tls.Config)
tlsConfig.Certificates = []tls.Certificate{*config.Certificate()}
tlsConfig.RootCAs = config.NodeCertPool(id)
// We rely on the receiving node to do TLS authentication for now.
// This is safe because it verifies our identity for us.
// Backwards to the usual arrangement but should be secure.
tlsConfig.InsecureSkipVerify = true
tlsConn, err := tls.Dial("tcp", ipStr+":"+portStr, tlsConfig)
if err != nil {
log.Print(err)
return nil, err
}
return newBaseConn(tlsConn), nil
}
// Generates a tls.Config object for a client from the given files.
func (info TLSInfo) ClientConfig() (*tls.Config, error) {
var cfg tls.Config
if info.KeyFile == "" || info.CertFile == "" {
return &cfg, nil
}
tlsCert, err := tls.LoadX509KeyPair(info.CertFile, info.KeyFile)
if err != nil {
return nil, err
}
cfg.Certificates = []tls.Certificate{tlsCert}
if info.CAFile != "" {
cp, err := newCertPool(info.CAFile)
if err != nil {
return nil, err
}
cfg.RootCAs = cp
}
return &cfg, nil
}
func (s *Server) tlsListener(listener net.Listener) net.Listener {
fkey, err := os.Open(s.TLSKey)
if err != nil {
log.Fatal(s, "can't open ssl.key: ", err)
}
defer fkey.Close()
fcrt, err := os.Open(s.TLSCert)
if err != nil {
log.Fatal(s, "can't open ssl.crt: ", err)
}
defer fcrt.Close()
key, err := ioutil.ReadAll(fkey)
if err != nil {
log.Fatal(s, "can't read ssl.key: ", err)
}
crt, err := ioutil.ReadAll(fcrt)
if err != nil {
log.Fatal(s, "can't read ssl.crt: ", err)
}
sslCert, err := tls.X509KeyPair(crt, key)
if err != nil {
log.Fatal(s, "X509KeyPair: ", err)
}
TLS := new(tls.Config)
TLS.Certificates = []tls.Certificate{sslCert}
return tls.NewListener(listener, TLS)
}
func (host *Host) getTLSConfig() (*tls.Config, error) {
var tlsConfig tls.Config
if !host.TLS {
return nil, nil
}
tlsConfig.InsecureSkipVerify = !host.TLSVerify
if host.TLSVerify {
certPool := x509.NewCertPool()
file, err := ioutil.ReadFile(host.TLSCaCert)
if err != nil {
return nil, err
}
certPool.AppendCertsFromPEM(file)
tlsConfig.RootCAs = certPool
}
cert, err := tls.LoadX509KeyPair(host.TLSCert, host.TLSKey)
if err != nil {
return nil, err
}
tlsConfig.Certificates = []tls.Certificate{cert}
tlsConfig.MinVersion = tls.VersionTLS10
return &tlsConfig, nil
}
func getTlsConfig(endpointOpts EndpointOptions) (*tls.Config, error) {
var tlsConfig *tls.Config
if endpointOpts.TLS {
tlsConfig = &tls.Config{
InsecureSkipVerify: !endpointOpts.TLSVerify,
}
if endpointOpts.tlsCert() != "" && endpointOpts.tlsKey() != "" {
cert, err := tls.LoadX509KeyPair(endpointOpts.tlsCert(), endpointOpts.tlsKey())
if err != nil {
return nil, err
}
tlsConfig.Certificates = []tls.Certificate{cert}
}
// Load CA cert
if endpointOpts.tlsCaCert() != "" {
caCert, err := ioutil.ReadFile(endpointOpts.tlsCaCert())
if err != nil {
return nil, err
}
caCertPool := x509.NewCertPool()
caCertPool.AppendCertsFromPEM(caCert)
tlsConfig.RootCAs = caCertPool
}
}
return tlsConfig, nil
}
//run starts the webserver
func (v *Vault) startServer() error {
glog.Infof("Starting local server\n")
router := gin.New()
//TODO initialize configurations, correct middlewares, https/http
router.Use(ginglog.Logger(5)) //5 seconds
router.Use(gin.Recovery())
//setting up https by default
var tlsConfig = tls.Config{}
keypair, err := tls.LoadX509KeyPair(v.config["tlsCertfilePath"], v.config["tlsKeyfilePath"])
if err != nil {
fmt.Printf("ERR: Could not load X509 KeyPair, caused by: %s\n", err)
os.Exit(1) //exit explicitely as we choose a fail fast approach
}
tlsConfig.Certificates = []tls.Certificate{keypair}
tlsConfig.NextProtos = []string{"http/1.1"}
tlsConfig.Rand = rand.Reader
router.GET("/secret/:appID", v.getSecret)
serve := &http.Server{
Addr: fmt.Sprintf(":%s", v.config["serverPort"]),
Handler: router,
TLSConfig: &tlsConfig,
}
err = serve.ListenAndServe()
if err != nil {
glog.Errorf("Cannot start server for Cubbyhole tokens distribution\n")
}
return err
}
func getTLSConfig() (*tls.Config, error) {
// TLS config
var tlsConfig tls.Config
tlsConfig.InsecureSkipVerify = true
certPool := x509.NewCertPool()
file, err := ioutil.ReadFile(config.CACertificate)
if err != nil {
return nil, err
}
certPool.AppendCertsFromPEM(file)
tlsConfig.RootCAs = certPool
_, errCert := os.Stat(config.SSLCertificate)
_, errKey := os.Stat(config.SSLKey)
if errCert == nil && errKey == nil {
cert, err := tls.LoadX509KeyPair(config.SSLCertificate, config.SSLKey)
if err != nil {
return &tlsConfig, err
}
tlsConfig.Certificates = []tls.Certificate{cert}
}
return &tlsConfig, nil
}
// Present makes the keyAuth available as a cert
func (s *TLSProviderServer) Present(domain, token, keyAuth string) error {
if s.port == "" {
s.port = "443"
}
cert, _, err := TLSSNI01ChallengeCert(keyAuth)
if err != nil {
return err
}
tlsConf := new(tls.Config)
tlsConf.Certificates = []tls.Certificate{cert}
s.listener, err = tls.Listen("tcp", net.JoinHostPort(s.iface, s.port), tlsConf)
if err != nil {
return fmt.Errorf("Could not start HTTPS server for challenge -> %v", err)
}
s.done = make(chan bool)
go func() {
http.Serve(s.listener, nil)
s.done <- true
}()
return nil
}
func getTlsConfig(verify bool, cert, key, ca string) (*tls.Config, error) {
var config tls.Config
config.InsecureSkipVerify = true
if verify {
certPool := x509.NewCertPool()
file, err := ioutil.ReadFile(ca)
if err != nil {
return nil, err
}
certPool.AppendCertsFromPEM(file)
config.RootCAs = certPool
config.InsecureSkipVerify = false
}
_, errCert := os.Stat(cert)
_, errKey := os.Stat(key)
if errCert == nil || errKey == nil {
tlsCert, err := tls.LoadX509KeyPair(cert, key)
if err != nil {
return nil, fmt.Errorf("Couldn't load X509 key pair: %v. Key encrpyted?\n", err)
}
config.Certificates = []tls.Certificate{tlsCert}
}
config.MinVersion = tls.VersionTLS10
return &config, nil
}
func (client *Client) newH2Transport() http.RoundTripper {
tlsConfig := tls.Config{
InsecureSkipVerify: os.Getenv("TEST_MODE") == "1",
}
if client.ServerUrl.Scheme == "tcp" {
// 1. LoadClientCert
cert, err := tls.LoadX509KeyPair("client.crt", "client.key")
if err != nil {
log.WithError(err).Fatal("loading server certificate")
}
// 2. LoadCACert
caCert, err := ioutil.ReadFile("chain.pem")
if err != nil {
log.WithError(err).Fatal("loading CA certificate")
}
caPool := x509.NewCertPool()
caPool.AppendCertsFromPEM(caCert)
tlsConfig.RootCAs = caPool
tlsConfig.Certificates = []tls.Certificate{cert}
}
return &http2.Transport{
TLSClientConfig: &tlsConfig,
DialTLS: client.DialProxyTLS,
}
}
// Generates a tls.Config object for a server from the given files.
func (info TLSInfo) ServerConfig() (*tls.Config, error) {
// Both the key and cert must be present.
if info.KeyFile == "" || info.CertFile == "" {
return nil, fmt.Errorf("KeyFile and CertFile must both be present[key: %v, cert: %v]", info.KeyFile, info.CertFile)
}
var cfg tls.Config
tlsCert, err := tls.LoadX509KeyPair(info.CertFile, info.KeyFile)
if err != nil {
return nil, err
}
cfg.Certificates = []tls.Certificate{tlsCert}
if info.CAFile != "" {
cfg.ClientAuth = tls.RequireAndVerifyClientCert
cp, err := newCertPool(info.CAFile)
if err != nil {
return nil, err
}
cfg.RootCAs = cp
cfg.ClientCAs = cp
} else {
cfg.ClientAuth = tls.NoClientCert
}
return &cfg, nil
}
// Listen for incoming node connections, which are sent on the given channel.
// RemoteCerts must be setup by this point.
func Listen(addr string, ch chan<- *tls.Conn) {
config := new(tls.Config)
config.Certificates = []tls.Certificate{Cert}
config.AuthenticateClient = true
listener, err := tls.Listen("tcp", addr, config)
if err != nil {
panic(err)
}
for {
conn, err := listener.Accept()
if err != nil {
panic(err)
}
tlsConn := conn.(*tls.Conn)
err = tlsConn.Handshake()
if err != nil {
println(err.Error())
tlsConn.Close()
continue
}
ch <- tlsConn
}
}
// This is like a combination of http.ListenAndServe and http.ListenAndServeTLS, which also
// uses ThrottledListen to limit the number of open HTTP connections.
func ListenAndServeHTTP(addr string, connLimit int, certFile *string, keyFile *string, handler http.Handler, readTimeout *int, writeTimeout *int) error {
var config *tls.Config
if certFile != nil {
config = &tls.Config{}
config.MinVersion = tls.VersionTLS10 // Disable SSLv3 due to POODLE vulnerability
config.NextProtos = []string{"http/1.1"}
config.Certificates = make([]tls.Certificate, 1)
var err error
config.Certificates[0], err = tls.LoadX509KeyPair(*certFile, *keyFile)
if err != nil {
return err
}
}
listener, err := ThrottledListen("tcp", addr, connLimit)
if err != nil {
return err
}
if config != nil {
listener = tls.NewListener(listener, config)
}
defer listener.Close()
server := &http.Server{Addr: addr, Handler: handler}
if readTimeout != nil {
server.ReadTimeout = time.Duration(*readTimeout) * time.Second
}
if writeTimeout != nil {
server.WriteTimeout = time.Duration(*writeTimeout) * time.Second
}
return server.Serve(listener)
}
func (s *Server) Serve() error {
var tlsconfig tls.Config
tlsconfig.MinVersion = tls.VersionTLS10
cert, err := tls.LoadX509KeyPair(s.SSLCertificate, s.SSLKey)
if err != nil {
return fmt.Errorf("Failed loading client ssl certificate: %s", err)
}
tlsconfig.Certificates = []tls.Certificate{cert}
tlsconfig.Rand = rand.Reader
service := fmt.Sprintf("0.0.0.0:%s", s.Port)
listener, err := tls.Listen("tcp", service, &tlsconfig)
if err != nil {
return err
}
log.Print("server: listening")
for {
conn, err := listener.Accept()
if err != nil {
log.Printf("server: accept: %s", err)
break
}
defer conn.Close()
log.Printf("server: accepted from %s", conn.RemoteAddr())
go s.handleClient(conn)
}
return nil
}
func listenWithCert(hostname string, address string) {
listening.Add(1)
go func() {
log.Println("DEBUG - start mock server ..")
// Establish a dummy TLS server
var serverConfig tls.Config
kp := makeCert(hostname)
serverConfig.Certificates = []tls.Certificate{kp}
listener, err := tls.Listen("tcp", address, &serverConfig)
if err != nil {
panic(err)
}
// Listen and handshake for a single connection
defer listener.Close()
listening.Done()
conn, err := listener.Accept()
if err != nil {
panic(err)
}
defer conn.Close()
tlsconn, ok := conn.(*tls.Conn)
if !ok {
panic("conn should of *tls.Conn")
}
if err := tlsconn.Handshake(); err != nil {
return
}
}()
listening.Wait()
}
func (info TLSInfo) baseConfig() (*tls.Config, error) {
if info.KeyFile == "" || info.CertFile == "" {
return nil, fmt.Errorf("KeyFile and CertFile must both be present[key: %v, cert: %v]", info.KeyFile, info.CertFile)
}
cert, err := ioutil.ReadFile(info.CertFile)
if err != nil {
return nil, err
}
key, err := ioutil.ReadFile(info.KeyFile)
if err != nil {
return nil, err
}
parseFunc := info.parseFunc
if parseFunc == nil {
parseFunc = tls.X509KeyPair
}
tlsCert, err := parseFunc(cert, key)
if err != nil {
return nil, err
}
var cfg tls.Config
cfg.Certificates = []tls.Certificate{tlsCert}
return &cfg, nil
}
// If http.ListenandServe return an error,
// it will throws a panic.
func wsListener() {
if err := func() error {
httpServeMux := http.NewServeMux()
httpServeMux.Handle("/pub", websocket.Handler(WsHandle))
var (
l net.Listener
err error
)
if Conf.Tls {
tlsConf := new(tls.Config)
tlsConf.Certificates = make([]tls.Certificate, 1)
tlsConf.Certificates[0], err = tls.X509KeyPair(Conf.Cert, Conf.Key)
if err != nil {
return err
}
l, err = tls.Listen("tcp", Conf.WebSocket_addr, tlsConf)
if err != nil {
return err
}
return http.Serve(l, httpServeMux)
} else {
return http.ListenAndServe(Conf.WebSocket_addr, httpServeMux)
}
}(); err != nil {
panic(err)
}
}
// GetServerTLSConfig returns a TLS config for using with ListenAndServeTLS
// This sets up the Root and Client CAs for verification
func GetServerTLSConfig(caCert, serverCert, serverKey []byte, allowInsecure bool) (*tls.Config, error) {
// TLS config
var tlsConfig tls.Config
tlsConfig.InsecureSkipVerify = allowInsecure
certPool := x509.NewCertPool()
// load system certs
if err := loadSystemCertificates(certPool); err != nil {
return nil, err
}
// append custom CA
certPool.AppendCertsFromPEM(caCert)
tlsConfig.RootCAs = certPool
tlsConfig.ClientCAs = certPool
log.Debugf("tls root CAs: %d", len(tlsConfig.RootCAs.Subjects()))
// require client auth
tlsConfig.ClientAuth = tls.VerifyClientCertIfGiven
// server cert
keypair, err := tls.X509KeyPair(serverCert, serverKey)
if err != nil {
return &tlsConfig, err
}
tlsConfig.Certificates = []tls.Certificate{keypair}
return &tlsConfig, nil
}
func main() {
random, _ := os.Open("/dev/urandom", os.O_RDONLY, 0)
pembytes := readEntireFile("/home/kris/SSL/gr0g.crt")
cert, _ := pem.Decode(pembytes)
keybytes := readEntireFile("/home/kris/SSL/gr0g.key")
pk, _ := pem.Decode(keybytes)
privatekey, _ := x509.ParsePKCS1PrivateKey(pk.Bytes)
config := new(tls.Config)
config.Certificates = make([]tls.Certificate, 1)
config.Certificates[0].Certificate = [][]byte{cert.Bytes}
config.Certificates[0].PrivateKey = privatekey
config.Rand = random
//config.RootCAs = caset
config.Time = time.Seconds
listener, err := tls.Listen("tcp", "0.0.0.0:8443", config)
fmt.Printf("%s\n", err)
for {
conn, _ := listener.Accept()
go func() {
for {
buf := make([]byte, 1024)
_, err := conn.Read(buf)
if err != nil {
return
}
fmt.Printf("%s", buf)
}
}()
}
}
// Tests that the server has handshaked the connection and seen the client
// protocol announcement. Does not nest that the connection.open is successful.
func TestTLSHandshake(t *testing.T) {
srv := startTlsServer()
defer srv.Close()
cfg := new(tls.Config)
cfg.RootCAs = x509.NewCertPool()
cfg.RootCAs.AppendCertsFromPEM([]byte(caCert))
cert, _ := tls.X509KeyPair([]byte(clientCert), []byte(clientKey))
cfg.Certificates = append(cfg.Certificates, cert)
c, err := amqp.DialTLS(srv.URL, cfg)
select {
case <-time.After(10 * time.Millisecond):
t.Fatalf("did not succeed to handshake the TLS connection after 10ms")
case header := <-srv.Header:
if string(header) != "AMQP" {
t.Fatalf("expected to handshake a TLS connection, got err: %v", err)
}
}
if st := c.ConnectionState(); !st.HandshakeComplete {
t.Errorf("TLS handshake failed, TLS connection state: %+v", st)
}
}
// NewTLSServer creates and starts a TLS-enabled testing server.
func NewTLSServer(bind string, containerChan chan<- *docker.Container, hook func(*http.Request), tlsConfig TLSConfig) (*DockerServer, error) {
listener, err := net.Listen("tcp", bind)
if err != nil {
return nil, err
}
defaultCertificate, err := tls.LoadX509KeyPair(tlsConfig.CertPath, tlsConfig.CertKeyPath)
if err != nil {
return nil, err
}
tlsServerConfig := new(tls.Config)
tlsServerConfig.Certificates = []tls.Certificate{defaultCertificate}
if tlsConfig.RootCAPath != "" {
rootCertPEM, err := ioutil.ReadFile(tlsConfig.RootCAPath)
if err != nil {
return nil, err
}
certsPool := x509.NewCertPool()
certsPool.AppendCertsFromPEM(rootCertPEM)
tlsServerConfig.RootCAs = certsPool
}
tlsListener := tls.NewListener(listener, tlsServerConfig)
server := buildDockerServer(tlsListener, containerChan, hook)
go http.Serve(tlsListener, server)
return server, nil
}
func (t *ThriftExporter) Export(serviceName string, processor thrift.TProcessor) (err error) {
var transport thrift.TServerTransport
if t.Config.Secure {
cfg := new(tls.Config)
if cert, err := tls.LoadX509KeyPair(t.Config.CertFile, t.Config.KeyFile); err == nil {
cfg.Certificates = append(cfg.Certificates, cert)
} else {
return err
}
transport, err = thrift.NewTSSLServerSocket(t.Provider.Addr, cfg)
} else {
transport, err = thrift.NewTServerSocket(t.Provider.Addr)
}
if err != nil {
return err
}
server := thrift.NewTSimpleServer4(processor, transport, t.Config.TransFactory, t.Config.ProtocolFactory)
err = t.Reg.Register(serviceName, t.Provider)
if err != nil {
fmt.Println("error when register service", err.Error())
return
}
fmt.Println("Starting the simple server... on ", t.Provider.Addr)
return server.Serve()
}
func (c *tlsClient) Connect(timeout time.Duration) error {
host, _, err := net.SplitHostPort(c.hostport)
if err != nil {
return err
}
var tlsconfig tls.Config
tlsconfig.MinVersion = c.tls.MinVersion
tlsconfig.RootCAs = c.tls.RootCAs
tlsconfig.Certificates = c.tls.Certificates
tlsconfig.ServerName = host
if err := c.tcpClient.Connect(timeout); err != nil {
return c.onFail(err)
}
socket := tls.Client(c.Conn, &tlsconfig)
if err := socket.SetDeadline(time.Now().Add(timeout)); err != nil {
_ = socket.Close()
return c.onFail(err)
}
if err := socket.Handshake(); err != nil {
_ = socket.Close()
return c.onFail(err)
}
c.Conn = socket
c.connected = true
return nil
}
func setupTls(caFile, certFile, keyFile string) {
if caFile == "" || certFile == "" || keyFile == "" {
return
}
caData, err := ioutil.ReadFile(caFile)
if os.IsNotExist(err) {
return
}
if err != nil {
fmt.Fprintf(os.Stderr, "Unable to load CA file\t%s\n",
err)
os.Exit(1)
}
caCertPool := x509.NewCertPool()
if !caCertPool.AppendCertsFromPEM(caData) {
fmt.Fprintln(os.Stderr, "Unable to parse CA file")
os.Exit(1)
}
clientConfig := new(tls.Config)
clientConfig.InsecureSkipVerify = true
clientConfig.MinVersion = tls.VersionTLS12
clientConfig.RootCAs = caCertPool
cert, err := tls.LoadX509KeyPair(certFile, keyFile)
if os.IsNotExist(err) {
return
}
if err != nil {
fmt.Fprintf(os.Stderr, "Unable to load keypair\t%s\n",
err)
os.Exit(1)
}
clientConfig.Certificates = append(clientConfig.Certificates, cert)
srpc.RegisterClientTlsConfig(clientConfig)
}