Beispiel #1
// GetClientTLSConfig returns the client TLS config for this context, building
// and caching it on first use. Later calls return the cached value.
//
// Outcomes, in order of evaluation:
//   - Insecure set: (nil, nil). No TLS config is produced and no error is
//     reported, so callers must treat a nil config as "TLS disabled" rather
//     than as a failure.
//   - Certs non-empty: the config is loaded from that directory for ctx.User.
//     A load failure is returned and nothing is cached, so the next call
//     tries again.
//   - Certs empty: the config comes from security.LoadInsecureClientTLSConfig.
//     NOTE(review): the helper's name and the log line below indicate a
//     permissive config (presumably no server certificate verification);
//     confirm in the security package. The fallback is silent unless
//     verbosity is at least 1, so a missing Certs setting can go unnoticed.
//
// TODO(marc): empty Certs dir should fail when client certificates are required.
func (ctx *Context) GetClientTLSConfig() (*tls.Config, error) {
	// Insecure mode is checked before taking the lock.
	if ctx.Insecure {
		return nil, nil
	}

	// The mutex guards both the cache lookup and the one-time initialization.
	ctx.tlsConfigMu.Lock()
	defer ctx.tlsConfigMu.Unlock()

	if cached := ctx.clientTLSConfig; cached != nil {
		return cached, nil
	}

	if ctx.Certs == "" {
		// Fallback path: no certificate material was configured.
		if log.V(1) {
			log.Infof("no certificates directory specified: using insecure TLS")
		}
		ctx.clientTLSConfig = security.LoadInsecureClientTLSConfig()
		return ctx.clientTLSConfig, nil
	}

	if log.V(1) {
		log.Infof("setting up TLS from certificates directory: %s", ctx.Certs)
	}
	loaded, err := security.LoadClientTLSConfig(ctx.Certs, ctx.User)
	if err != nil {
		// The cache is left unset on failure.
		return nil, util.Errorf("error setting up client TLS config: %s", err)
	}
	ctx.clientTLSConfig = loaded

	return ctx.clientTLSConfig, nil
}
Beispiel #2
// GetClientTLSConfig returns the client TLS config for this context. The
// config is built at most once, inside a once.Do, and both the config and
// any error from that single attempt are stored and returned on every later
// call; a failed load is therefore never retried.
//
// Outcomes:
//   - Insecure set: (nil, nil). No TLS config is produced and no error is
//     reported, so callers must treat a nil config as "TLS disabled" rather
//     than as a failure.
//   - SSLCert non-empty: the config is loaded from SSLCA, SSLCert and
//     SSLCertKey. A failure is re-created as a new error whose text embeds
//     the cause via %s.
//   - SSLCert empty: the config comes from security.LoadInsecureClientTLSConfig.
//     NOTE(review): the helper's name and the log line below indicate a
//     permissive config (presumably no server certificate verification);
//     confirm in the security package. Only SSLCert is tested here, so SSLCA
//     and SSLCertKey are ignored when SSLCert is empty.
//
// TODO(marc): empty SSLCert should fail when client certificates are required.
func (ctx *Context) GetClientTLSConfig() (*tls.Config, error) {
	// Insecure mode bypasses the one-time initialization entirely.
	if ctx.Insecure {
		return nil, nil
	}

	ctx.clientTLSConfig.once.Do(func() {
		if ctx.SSLCert == "" {
			// Fallback path: no client certificate was configured.
			log.Println("no certificates specified: using insecure TLS")
			ctx.clientTLSConfig.tlsConfig = security.LoadInsecureClientTLSConfig()
			return
		}

		cfg, err := security.LoadClientTLSConfig(ctx.SSLCA, ctx.SSLCert, ctx.SSLCertKey)
		if err != nil {
			err = errors.Errorf("error setting up client TLS config: %s", err)
		}
		// Whatever the loader returned is stored together with the error.
		ctx.clientTLSConfig.tlsConfig, ctx.clientTLSConfig.err = cfg, err
	})

	return ctx.clientTLSConfig.tlsConfig, ctx.clientTLSConfig.err
}