func TestTLSConnection(t *testing.T) { reactor := NewReactor() client := reactor.CreateServer("local") initialiseServerConnection(client) // generate a test certificate to use priv, _ := ecdsa.GenerateKey(elliptic.P521(), rand.Reader) duration30Days, _ := time.ParseDuration("-30h") notBefore := time.Now().Add(duration30Days) // valid 30 hours ago duration1Year, _ := time.ParseDuration("90h") notAfter := notBefore.Add(duration1Year) // for 90 hours serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128) serialNumber, _ := rand.Int(rand.Reader, serialNumberLimit) template := x509.Certificate{ SerialNumber: serialNumber, Subject: pkix.Name{ Organization: []string{"gIRC-Go Co"}, }, NotBefore: notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, BasicConstraintsValid: true, IsCA: true, } template.IPAddresses = append(template.IPAddresses, net.ParseIP("127.0.0.1")) template.IPAddresses = append(template.IPAddresses, net.ParseIP("::")) template.DNSNames = append(template.DNSNames, "localhost") derBytes, _ := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv) c := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: derBytes}) b, _ := x509.MarshalECPrivateKey(priv) k := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: b}) // we mock up a server connection to test the client listenerKeyPair, _ := tls.X509KeyPair(c, k) var listenerTLSConfig tls.Config listenerTLSConfig.Certificates = make([]tls.Certificate, 0) listenerTLSConfig.Certificates = append(listenerTLSConfig.Certificates, listenerKeyPair) listener, _ := tls.Listen("tcp", ":0", &listenerTLSConfig) // mock up the client side too clientTLSCertPool := x509.NewCertPool() clientTLSCertPool.AppendCertsFromPEM(c) var clientTLSConfig tls.Config clientTLSConfig.RootCAs = clientTLSCertPool clientTLSConfig.ServerName = "localhost" go client.Connect(listener.Addr().String(), true, &clientTLSConfig) go client.ReceiveLoop() testServerConnection(t, reactor, client, listener) }
// Starts listening for client connections. // When a new application connects, launches listeners in a goroutine. // Returns an error when error occurs. func StartListen(port int, useTls bool, crtPath string, keyPath string, sname string) error { // Create a listening address addr, err := net.ResolveTCPAddr("tcp", fmt.Sprintf(":%d", port)) if err != nil { return err } // start a new server and listen on the address var l net.Listener l, err = net.ListenTCP("tcp", addr) if err != nil { return err } // wrap with TLS if required if useTls { cert, err := tls.LoadX509KeyPair(crtPath, keyPath) if err != nil { return err } conf := tls.Config{} certs := make([]tls.Certificate, 1) certs[0] = cert conf.Certificates = certs cp := x509.NewCertPool() caCert, err := ioutil.ReadFile(crtPath) if err != nil { return err } if !cp.AppendCertsFromPEM(caCert) { return errors.New("Could not append PEM cert") } conf.RootCAs = cp conf.ServerName = sname conf.ClientAuth = tls.RequireAndVerifyClientCert conf.ClientCAs = cp l = tls.NewListener(l, &conf) } // at the end of this function close the server connection defer l.Close() logging.Debug("Starting listen loop") for { a, err := acceptApp(l) if err != nil { return err } else { logging.Debug("Got connection") go ListenForCommands(a) } } return nil }
func getTLSConfig(clientCertPEMData, clientKeyPEMData []byte) (*tls.Config, error) { certPool := x509.NewCertPool() certChainPath := os.Getenv("ORCHARD_HOST_CA") if certChainPath != "" { certChainData, err := ioutil.ReadFile(certChainPath) if err != nil { return nil, err } certPool.AppendCertsFromPEM(certChainData) } else { certPool.AppendCertsFromPEM([]byte(orchardCerts)) } clientCert, err := tls.X509KeyPair(clientCertPEMData, clientKeyPEMData) if err != nil { return nil, err } config := new(tls.Config) config.RootCAs = certPool config.Certificates = []tls.Certificate{clientCert} config.BuildNameToCertificate() return config, nil }
// NewClient returns a new docker test client. func NewClient() ( cli *client.DockerCli, stdout *io.PipeReader, stdoutPipe *io.PipeWriter) { proto, addr, _ := DockerHost() stdout, stdoutPipe = io.Pipe() dockerCertPath := os.Getenv("DOCKER_CERT_PATH") // Boot2docker use TLS per default, Jenkins not if dockerCertPath != "" { var ( tlsConfig tls.Config ) tlsConfig.InsecureSkipVerify = true flCert := filepath.Join(dockerCertPath, defaultCertFile) flKey := filepath.Join(dockerCertPath, defaultKeyFile) _, errCert := os.Stat(flCert) _, errKey := os.Stat(flKey) if errCert == nil && errKey == nil { cert, err := tls.LoadX509KeyPair(flCert, flKey) if err != nil { log.Fatalf("Couldn't load X509 key pair: %s. Key encrypted?", err) } tlsConfig.Certificates = []tls.Certificate{cert} } // Avoid fallback to SSL protocols < TLS1.0 tlsConfig.MinVersion = tls.VersionTLS10 cli = client.NewDockerCli(nil, stdoutPipe, nil, nil, proto, addr, &tlsConfig) } else { cli = client.NewDockerCli(nil, stdoutPipe, nil, nil, proto, addr, nil) } return }
func runServer(transportFactory thrift.TTransportFactory, protocolFactory thrift.TProtocolFactory, addr string, secure bool) error { var transport thrift.TServerTransport var err error if secure { cfg := new(tls.Config) if cert, err := tls.LoadX509KeyPair("server.crt", "server.key"); err == nil { cfg.Certificates = append(cfg.Certificates, cert) } else { return err } transport, err = thrift.NewTSSLServerSocket(addr, cfg) } else { transport, err = thrift.NewTServerSocket(addr) } if err != nil { return err } fmt.Printf("%T\n", transport) handler := NewCalculatorHandler() processor := tutorial.NewCalculatorProcessor(handler) server := thrift.NewTSimpleServer4(processor, transport, transportFactory, protocolFactory) fmt.Println("Starting the simple server... on ", addr) return server.Serve() }
// SecureListen obtains a listener that accepts // secure connections func SecureServe(addr string, certFile, keyFile, caFile string) { config := tls.Config{} // load the server cert / key cert, err := tls.LoadX509KeyPair(certFile, keyFile) if err != nil { log.Fatalf("%s", err) } config.Certificates = []tls.Certificate{cert} // load the ca if necessary // FIXME(alainjobart) this doesn't quite work yet, have // to investigate if caFile != "" { config.ClientCAs = x509.NewCertPool() pemCerts, err := ioutil.ReadFile(caFile) if err != nil { log.Fatalf("%s", err) } if !config.ClientCAs.AppendCertsFromPEM(pemCerts) { log.Fatalf("%s", err) } config.ClientAuth = tls.RequireAndVerifyClientCert } l, err := tls.Listen("tcp", addr, &config) if err != nil { log.Fatalf("%s", err) } throttled := NewThrottledListener(l, *secureThrottle, *secureMaxBuffer) cl := proc.Published(throttled, "SecureConnections", "SecureAccepts") go http.Serve(cl, nil) }
// Makes an outgoing connection using that protocol type to the given node ID. // Returns a non-nil error if it is unable to connect. // Panics if it is called with protocol set to CLIENT_PROTOCOL. func Dial(protocol int, id uint16) (*BaseConn, error) { log.Print("dialing node ", id) if protocol == CLIENT_PROTOCOL { panic("tried to make outgoing client protocol connection") } ip := config.NodeIP(id) ipStr := ip.String() port := getProtocolPort(protocol) portStr := strconv.FormatInt(int64(port), 10) tlsConfig := new(tls.Config) tlsConfig.Certificates = []tls.Certificate{*config.Certificate()} tlsConfig.RootCAs = config.NodeCertPool(id) // We rely on the receiving node to do TLS authentication for now. // This is safe because it verifies our identity for us. // Backwards to the usual arrangement but should be secure. tlsConfig.InsecureSkipVerify = true tlsConn, err := tls.Dial("tcp", ipStr+":"+portStr, tlsConfig) if err != nil { log.Print(err) return nil, err } return newBaseConn(tlsConn), nil }
// Generates a tls.Config object for a client from the given files. func (info TLSInfo) ClientConfig() (*tls.Config, error) { var cfg tls.Config if info.KeyFile == "" || info.CertFile == "" { return &cfg, nil } tlsCert, err := tls.LoadX509KeyPair(info.CertFile, info.KeyFile) if err != nil { return nil, err } cfg.Certificates = []tls.Certificate{tlsCert} if info.CAFile != "" { cp, err := newCertPool(info.CAFile) if err != nil { return nil, err } cfg.RootCAs = cp } return &cfg, nil }
func (s *Server) tlsListener(listener net.Listener) net.Listener { fkey, err := os.Open(s.TLSKey) if err != nil { log.Fatal(s, "can't open ssl.key: ", err) } defer fkey.Close() fcrt, err := os.Open(s.TLSCert) if err != nil { log.Fatal(s, "can't open ssl.crt: ", err) } defer fcrt.Close() key, err := ioutil.ReadAll(fkey) if err != nil { log.Fatal(s, "can't read ssl.key: ", err) } crt, err := ioutil.ReadAll(fcrt) if err != nil { log.Fatal(s, "can't read ssl.crt: ", err) } sslCert, err := tls.X509KeyPair(crt, key) if err != nil { log.Fatal(s, "X509KeyPair: ", err) } TLS := new(tls.Config) TLS.Certificates = []tls.Certificate{sslCert} return tls.NewListener(listener, TLS) }
func (host *Host) getTLSConfig() (*tls.Config, error) { var tlsConfig tls.Config if !host.TLS { return nil, nil } tlsConfig.InsecureSkipVerify = !host.TLSVerify if host.TLSVerify { certPool := x509.NewCertPool() file, err := ioutil.ReadFile(host.TLSCaCert) if err != nil { return nil, err } certPool.AppendCertsFromPEM(file) tlsConfig.RootCAs = certPool } cert, err := tls.LoadX509KeyPair(host.TLSCert, host.TLSKey) if err != nil { return nil, err } tlsConfig.Certificates = []tls.Certificate{cert} tlsConfig.MinVersion = tls.VersionTLS10 return &tlsConfig, nil }
func getTlsConfig(endpointOpts EndpointOptions) (*tls.Config, error) { var tlsConfig *tls.Config if endpointOpts.TLS { tlsConfig = &tls.Config{ InsecureSkipVerify: !endpointOpts.TLSVerify, } if endpointOpts.tlsCert() != "" && endpointOpts.tlsKey() != "" { cert, err := tls.LoadX509KeyPair(endpointOpts.tlsCert(), endpointOpts.tlsKey()) if err != nil { return nil, err } tlsConfig.Certificates = []tls.Certificate{cert} } // Load CA cert if endpointOpts.tlsCaCert() != "" { caCert, err := ioutil.ReadFile(endpointOpts.tlsCaCert()) if err != nil { return nil, err } caCertPool := x509.NewCertPool() caCertPool.AppendCertsFromPEM(caCert) tlsConfig.RootCAs = caCertPool } } return tlsConfig, nil }
//run starts the webserver func (v *Vault) startServer() error { glog.Infof("Starting local server\n") router := gin.New() //TODO initialize configurations, correct middlewares, https/http router.Use(ginglog.Logger(5)) //5 seconds router.Use(gin.Recovery()) //setting up https by default var tlsConfig = tls.Config{} keypair, err := tls.LoadX509KeyPair(v.config["tlsCertfilePath"], v.config["tlsKeyfilePath"]) if err != nil { fmt.Printf("ERR: Could not load X509 KeyPair, caused by: %s\n", err) os.Exit(1) //exit explicitely as we choose a fail fast approach } tlsConfig.Certificates = []tls.Certificate{keypair} tlsConfig.NextProtos = []string{"http/1.1"} tlsConfig.Rand = rand.Reader router.GET("/secret/:appID", v.getSecret) serve := &http.Server{ Addr: fmt.Sprintf(":%s", v.config["serverPort"]), Handler: router, TLSConfig: &tlsConfig, } err = serve.ListenAndServe() if err != nil { glog.Errorf("Cannot start server for Cubbyhole tokens distribution\n") } return err }
func getTLSConfig() (*tls.Config, error) { // TLS config var tlsConfig tls.Config tlsConfig.InsecureSkipVerify = true certPool := x509.NewCertPool() file, err := ioutil.ReadFile(config.CACertificate) if err != nil { return nil, err } certPool.AppendCertsFromPEM(file) tlsConfig.RootCAs = certPool _, errCert := os.Stat(config.SSLCertificate) _, errKey := os.Stat(config.SSLKey) if errCert == nil && errKey == nil { cert, err := tls.LoadX509KeyPair(config.SSLCertificate, config.SSLKey) if err != nil { return &tlsConfig, err } tlsConfig.Certificates = []tls.Certificate{cert} } return &tlsConfig, nil }
// Present makes the keyAuth available as a cert func (s *TLSProviderServer) Present(domain, token, keyAuth string) error { if s.port == "" { s.port = "443" } cert, _, err := TLSSNI01ChallengeCert(keyAuth) if err != nil { return err } tlsConf := new(tls.Config) tlsConf.Certificates = []tls.Certificate{cert} s.listener, err = tls.Listen("tcp", net.JoinHostPort(s.iface, s.port), tlsConf) if err != nil { return fmt.Errorf("Could not start HTTPS server for challenge -> %v", err) } s.done = make(chan bool) go func() { http.Serve(s.listener, nil) s.done <- true }() return nil }
func getTlsConfig(verify bool, cert, key, ca string) (*tls.Config, error) { var config tls.Config config.InsecureSkipVerify = true if verify { certPool := x509.NewCertPool() file, err := ioutil.ReadFile(ca) if err != nil { return nil, err } certPool.AppendCertsFromPEM(file) config.RootCAs = certPool config.InsecureSkipVerify = false } _, errCert := os.Stat(cert) _, errKey := os.Stat(key) if errCert == nil || errKey == nil { tlsCert, err := tls.LoadX509KeyPair(cert, key) if err != nil { return nil, fmt.Errorf("Couldn't load X509 key pair: %v. Key encrpyted?\n", err) } config.Certificates = []tls.Certificate{tlsCert} } config.MinVersion = tls.VersionTLS10 return &config, nil }
func (client *Client) newH2Transport() http.RoundTripper { tlsConfig := tls.Config{ InsecureSkipVerify: os.Getenv("TEST_MODE") == "1", } if client.ServerUrl.Scheme == "tcp" { // 1. LoadClientCert cert, err := tls.LoadX509KeyPair("client.crt", "client.key") if err != nil { log.WithError(err).Fatal("loading server certificate") } // 2. LoadCACert caCert, err := ioutil.ReadFile("chain.pem") if err != nil { log.WithError(err).Fatal("loading CA certificate") } caPool := x509.NewCertPool() caPool.AppendCertsFromPEM(caCert) tlsConfig.RootCAs = caPool tlsConfig.Certificates = []tls.Certificate{cert} } return &http2.Transport{ TLSClientConfig: &tlsConfig, DialTLS: client.DialProxyTLS, } }
// Generates a tls.Config object for a server from the given files. func (info TLSInfo) ServerConfig() (*tls.Config, error) { // Both the key and cert must be present. if info.KeyFile == "" || info.CertFile == "" { return nil, fmt.Errorf("KeyFile and CertFile must both be present[key: %v, cert: %v]", info.KeyFile, info.CertFile) } var cfg tls.Config tlsCert, err := tls.LoadX509KeyPair(info.CertFile, info.KeyFile) if err != nil { return nil, err } cfg.Certificates = []tls.Certificate{tlsCert} if info.CAFile != "" { cfg.ClientAuth = tls.RequireAndVerifyClientCert cp, err := newCertPool(info.CAFile) if err != nil { return nil, err } cfg.RootCAs = cp cfg.ClientCAs = cp } else { cfg.ClientAuth = tls.NoClientCert } return &cfg, nil }
// Listen for incoming node connections, which are sent on the given channel. // RemoteCerts must be setup by this point. func Listen(addr string, ch chan<- *tls.Conn) { config := new(tls.Config) config.Certificates = []tls.Certificate{Cert} config.AuthenticateClient = true listener, err := tls.Listen("tcp", addr, config) if err != nil { panic(err) } for { conn, err := listener.Accept() if err != nil { panic(err) } tlsConn := conn.(*tls.Conn) err = tlsConn.Handshake() if err != nil { println(err.Error()) tlsConn.Close() continue } ch <- tlsConn } }
// This is like a combination of http.ListenAndServe and http.ListenAndServeTLS, which also // uses ThrottledListen to limit the number of open HTTP connections. func ListenAndServeHTTP(addr string, connLimit int, certFile *string, keyFile *string, handler http.Handler, readTimeout *int, writeTimeout *int) error { var config *tls.Config if certFile != nil { config = &tls.Config{} config.MinVersion = tls.VersionTLS10 // Disable SSLv3 due to POODLE vulnerability config.NextProtos = []string{"http/1.1"} config.Certificates = make([]tls.Certificate, 1) var err error config.Certificates[0], err = tls.LoadX509KeyPair(*certFile, *keyFile) if err != nil { return err } } listener, err := ThrottledListen("tcp", addr, connLimit) if err != nil { return err } if config != nil { listener = tls.NewListener(listener, config) } defer listener.Close() server := &http.Server{Addr: addr, Handler: handler} if readTimeout != nil { server.ReadTimeout = time.Duration(*readTimeout) * time.Second } if writeTimeout != nil { server.WriteTimeout = time.Duration(*writeTimeout) * time.Second } return server.Serve(listener) }
func (s *Server) Serve() error { var tlsconfig tls.Config tlsconfig.MinVersion = tls.VersionTLS10 cert, err := tls.LoadX509KeyPair(s.SSLCertificate, s.SSLKey) if err != nil { return fmt.Errorf("Failed loading client ssl certificate: %s", err) } tlsconfig.Certificates = []tls.Certificate{cert} tlsconfig.Rand = rand.Reader service := fmt.Sprintf("0.0.0.0:%s", s.Port) listener, err := tls.Listen("tcp", service, &tlsconfig) if err != nil { return err } log.Print("server: listening") for { conn, err := listener.Accept() if err != nil { log.Printf("server: accept: %s", err) break } defer conn.Close() log.Printf("server: accepted from %s", conn.RemoteAddr()) go s.handleClient(conn) } return nil }
func listenWithCert(hostname string, address string) { listening.Add(1) go func() { log.Println("DEBUG - start mock server ..") // Establish a dummy TLS server var serverConfig tls.Config kp := makeCert(hostname) serverConfig.Certificates = []tls.Certificate{kp} listener, err := tls.Listen("tcp", address, &serverConfig) if err != nil { panic(err) } // Listen and handshake for a single connection defer listener.Close() listening.Done() conn, err := listener.Accept() if err != nil { panic(err) } defer conn.Close() tlsconn, ok := conn.(*tls.Conn) if !ok { panic("conn should of *tls.Conn") } if err := tlsconn.Handshake(); err != nil { return } }() listening.Wait() }
func (info TLSInfo) baseConfig() (*tls.Config, error) { if info.KeyFile == "" || info.CertFile == "" { return nil, fmt.Errorf("KeyFile and CertFile must both be present[key: %v, cert: %v]", info.KeyFile, info.CertFile) } cert, err := ioutil.ReadFile(info.CertFile) if err != nil { return nil, err } key, err := ioutil.ReadFile(info.KeyFile) if err != nil { return nil, err } parseFunc := info.parseFunc if parseFunc == nil { parseFunc = tls.X509KeyPair } tlsCert, err := parseFunc(cert, key) if err != nil { return nil, err } var cfg tls.Config cfg.Certificates = []tls.Certificate{tlsCert} return &cfg, nil }
// If http.ListenandServe return an error, // it will throws a panic. func wsListener() { if err := func() error { httpServeMux := http.NewServeMux() httpServeMux.Handle("/pub", websocket.Handler(WsHandle)) var ( l net.Listener err error ) if Conf.Tls { tlsConf := new(tls.Config) tlsConf.Certificates = make([]tls.Certificate, 1) tlsConf.Certificates[0], err = tls.X509KeyPair(Conf.Cert, Conf.Key) if err != nil { return err } l, err = tls.Listen("tcp", Conf.WebSocket_addr, tlsConf) if err != nil { return err } return http.Serve(l, httpServeMux) } else { return http.ListenAndServe(Conf.WebSocket_addr, httpServeMux) } }(); err != nil { panic(err) } }
// GetServerTLSConfig returns a TLS config for using with ListenAndServeTLS // This sets up the Root and Client CAs for verification func GetServerTLSConfig(caCert, serverCert, serverKey []byte, allowInsecure bool) (*tls.Config, error) { // TLS config var tlsConfig tls.Config tlsConfig.InsecureSkipVerify = allowInsecure certPool := x509.NewCertPool() // load system certs if err := loadSystemCertificates(certPool); err != nil { return nil, err } // append custom CA certPool.AppendCertsFromPEM(caCert) tlsConfig.RootCAs = certPool tlsConfig.ClientCAs = certPool log.Debugf("tls root CAs: %d", len(tlsConfig.RootCAs.Subjects())) // require client auth tlsConfig.ClientAuth = tls.VerifyClientCertIfGiven // server cert keypair, err := tls.X509KeyPair(serverCert, serverKey) if err != nil { return &tlsConfig, err } tlsConfig.Certificates = []tls.Certificate{keypair} return &tlsConfig, nil }
func main() { random, _ := os.Open("/dev/urandom", os.O_RDONLY, 0) pembytes := readEntireFile("/home/kris/SSL/gr0g.crt") cert, _ := pem.Decode(pembytes) keybytes := readEntireFile("/home/kris/SSL/gr0g.key") pk, _ := pem.Decode(keybytes) privatekey, _ := x509.ParsePKCS1PrivateKey(pk.Bytes) config := new(tls.Config) config.Certificates = make([]tls.Certificate, 1) config.Certificates[0].Certificate = [][]byte{cert.Bytes} config.Certificates[0].PrivateKey = privatekey config.Rand = random //config.RootCAs = caset config.Time = time.Seconds listener, err := tls.Listen("tcp", "0.0.0.0:8443", config) fmt.Printf("%s\n", err) for { conn, _ := listener.Accept() go func() { for { buf := make([]byte, 1024) _, err := conn.Read(buf) if err != nil { return } fmt.Printf("%s", buf) } }() } }
// Tests that the server has handshaked the connection and seen the client // protocol announcement. Does not nest that the connection.open is successful. func TestTLSHandshake(t *testing.T) { srv := startTlsServer() defer srv.Close() cfg := new(tls.Config) cfg.RootCAs = x509.NewCertPool() cfg.RootCAs.AppendCertsFromPEM([]byte(caCert)) cert, _ := tls.X509KeyPair([]byte(clientCert), []byte(clientKey)) cfg.Certificates = append(cfg.Certificates, cert) c, err := amqp.DialTLS(srv.URL, cfg) select { case <-time.After(10 * time.Millisecond): t.Fatalf("did not succeed to handshake the TLS connection after 10ms") case header := <-srv.Header: if string(header) != "AMQP" { t.Fatalf("expected to handshake a TLS connection, got err: %v", err) } } if st := c.ConnectionState(); !st.HandshakeComplete { t.Errorf("TLS handshake failed, TLS connection state: %+v", st) } }
// NewTLSServer creates and starts a TLS-enabled testing server. func NewTLSServer(bind string, containerChan chan<- *docker.Container, hook func(*http.Request), tlsConfig TLSConfig) (*DockerServer, error) { listener, err := net.Listen("tcp", bind) if err != nil { return nil, err } defaultCertificate, err := tls.LoadX509KeyPair(tlsConfig.CertPath, tlsConfig.CertKeyPath) if err != nil { return nil, err } tlsServerConfig := new(tls.Config) tlsServerConfig.Certificates = []tls.Certificate{defaultCertificate} if tlsConfig.RootCAPath != "" { rootCertPEM, err := ioutil.ReadFile(tlsConfig.RootCAPath) if err != nil { return nil, err } certsPool := x509.NewCertPool() certsPool.AppendCertsFromPEM(rootCertPEM) tlsServerConfig.RootCAs = certsPool } tlsListener := tls.NewListener(listener, tlsServerConfig) server := buildDockerServer(tlsListener, containerChan, hook) go http.Serve(tlsListener, server) return server, nil }
func (t *ThriftExporter) Export(serviceName string, processor thrift.TProcessor) (err error) { var transport thrift.TServerTransport if t.Config.Secure { cfg := new(tls.Config) if cert, err := tls.LoadX509KeyPair(t.Config.CertFile, t.Config.KeyFile); err == nil { cfg.Certificates = append(cfg.Certificates, cert) } else { return err } transport, err = thrift.NewTSSLServerSocket(t.Provider.Addr, cfg) } else { transport, err = thrift.NewTServerSocket(t.Provider.Addr) } if err != nil { return err } server := thrift.NewTSimpleServer4(processor, transport, t.Config.TransFactory, t.Config.ProtocolFactory) err = t.Reg.Register(serviceName, t.Provider) if err != nil { fmt.Println("error when register service", err.Error()) return } fmt.Println("Starting the simple server... on ", t.Provider.Addr) return server.Serve() }
func (c *tlsClient) Connect(timeout time.Duration) error { host, _, err := net.SplitHostPort(c.hostport) if err != nil { return err } var tlsconfig tls.Config tlsconfig.MinVersion = c.tls.MinVersion tlsconfig.RootCAs = c.tls.RootCAs tlsconfig.Certificates = c.tls.Certificates tlsconfig.ServerName = host if err := c.tcpClient.Connect(timeout); err != nil { return c.onFail(err) } socket := tls.Client(c.Conn, &tlsconfig) if err := socket.SetDeadline(time.Now().Add(timeout)); err != nil { _ = socket.Close() return c.onFail(err) } if err := socket.Handshake(); err != nil { _ = socket.Close() return c.onFail(err) } c.Conn = socket c.connected = true return nil }
func setupTls(caFile, certFile, keyFile string) { if caFile == "" || certFile == "" || keyFile == "" { return } caData, err := ioutil.ReadFile(caFile) if os.IsNotExist(err) { return } if err != nil { fmt.Fprintf(os.Stderr, "Unable to load CA file\t%s\n", err) os.Exit(1) } caCertPool := x509.NewCertPool() if !caCertPool.AppendCertsFromPEM(caData) { fmt.Fprintln(os.Stderr, "Unable to parse CA file") os.Exit(1) } clientConfig := new(tls.Config) clientConfig.InsecureSkipVerify = true clientConfig.MinVersion = tls.VersionTLS12 clientConfig.RootCAs = caCertPool cert, err := tls.LoadX509KeyPair(certFile, keyFile) if os.IsNotExist(err) { return } if err != nil { fmt.Fprintf(os.Stderr, "Unable to load keypair\t%s\n", err) os.Exit(1) } clientConfig.Certificates = append(clientConfig.Certificates, cert) srpc.RegisterClientTlsConfig(clientConfig) }