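// grpcTLS builds the client-side *tls.Config used for the gRPC connection to
// notary-signer from the "trust_service.*" keys of the configuration:
//
//   - trust_service.tls_ca_file: root CA bundle used to verify the signer's
//     certificate (empty leaves it to utils.ConfigureClientTLS, which
//     presumably falls back to host defaults — confirm there)
//   - trust_service.hostname: expected server name for certificate verification
//   - trust_service.tls_client_cert / tls_client_key: optional mutual-TLS client
//     credentials; both must be given or both omitted
//
// It returns an error when only one of the client cert/key pair is configured
// (a partial mTLS setup would otherwise silently degrade to no client auth),
// or when utils.ConfigureClientTLS rejects the options. Note that no
// InsecureSkipVerify option is read here, so server verification is always on.
func grpcTLS(configuration *viper.Viper) (*tls.Config, error) {
	rootCA := configuration.GetString("trust_service.tls_ca_file")
	serverName := configuration.GetString("trust_service.hostname")
	clientCert := configuration.GetString("trust_service.tls_client_cert")
	clientKey := configuration.GetString("trust_service.tls_client_key")

	// Exactly one of cert/key set is a misconfiguration; refuse rather than guess.
	if (clientCert == "") != (clientKey == "") {
		return nil, fmt.Errorf("Partial TLS configuration found. Either include both a client cert and client key file in the configuration, or include neither.")
	}

	tlsConfig, err := utils.ConfigureClientTLS(&utils.ClientTLSOpts{
		RootCAFile:     rootCA,
		ServerName:     serverName,
		ClientCertFile: clientCert,
		ClientKeyFile:  clientKey,
	})
	if err != nil {
		// Wrap with %w so callers can still inspect the underlying error with
		// errors.Is/errors.As; the rendered message is unchanged.
		return nil, fmt.Errorf(
			"Unable to configure TLS to the trust service: %w", err)
	}
	return tlsConfig, nil
}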
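// getTransport returns the http.RoundTripper used to talk to the notary
// remote server for the given GUN, wrapped by tokenAuth so requests carry
// token credentials (read-only scope when readOnly is true).
//
// TLS settings come from the "remote_server.*" configuration keys held in the
// package-level mainViper:
//
//   - remote_server.root_ca: optional CA bundle used to verify the server
//     certificate; a relative path is resolved against configPath. When unset,
//     host defaults are used.
//   - remote_server.skipTLSVerify: when true, disables server certificate
//     verification entirely. This is logged as a warning because it removes
//     protection against interception of the connection.
//
// A TLS configuration error is fatal (logrus.Fatal exits the process); this is
// CLI code, so there is no caller to return the error to.
func getTransport(gun string, readOnly bool) http.RoundTripper {
	// Attempt to get a root CA from the config file. Nil is the host defaults.
	rootCAFile := mainViper.GetString("remote_server.root_ca")
	if rootCAFile != "" && !filepath.IsAbs(rootCAFile) {
		// If we haven't been given an Absolute path, we assume it's relative
		// from the configuration directory (~/.notary by default)
		rootCAFile = filepath.Join(configPath, rootCAFile)
	}

	insecureSkipVerify := false
	if mainViper.IsSet("remote_server.skipTLSVerify") {
		insecureSkipVerify = mainViper.GetBool("remote_server.skipTLSVerify")
	}
	if insecureSkipVerify {
		// Make the degraded security posture visible in the output rather than
		// letting an unverified connection be used silently.
		logrus.Warn("remote_server.skipTLSVerify is set: server certificate verification is disabled")
	}

	tlsConfig, err := utils.ConfigureClientTLS(&utils.ClientTLSOpts{
		RootCAFile:         rootCAFile,
		InsecureSkipVerify: insecureSkipVerify,
	})
	if err != nil {
		logrus.Fatal("Unable to configure TLS: ", err.Error())
	}

	base := &http.Transport{
		Proxy: http.ProxyFromEnvironment,
		// DialContext (rather than the deprecated Dial) lets a request context
		// cancel an in-flight connection attempt.
		DialContext: (&net.Dialer{
			Timeout:   30 * time.Second,
			KeepAlive: 30 * time.Second,
			// DualStack is a no-op on Go >= 1.12 (dual-stack is always on);
			// kept so behaviour is unchanged on older toolchains.
			DualStack: true,
		}).DialContext,
		TLSHandshakeTimeout: 10 * time.Second,
		TLSClientConfig:     tlsConfig,
		DisableKeepAlives:   true,
	}

	return tokenAuth(base, gun, readOnly)
}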