func init() {
var err error
certPool, err = gocertifi.CACerts()
if err != nil {
panic(err)
}
}
// Init pulls together everything necessary to make an API request.
// Caller may provide their own http.Client by setting it in the provided API object.
func (api *Client) Init(cfg *Config) error {
// Set default values
if cfg.BaseUrl == "" {
cfg.BaseUrl = "https://api.sparkpost.com"
} else if !strings.HasPrefix(cfg.BaseUrl, "https://") {
return fmt.Errorf("API base url must be https!")
}
if cfg.ApiVersion == 0 {
cfg.ApiVersion = 1
}
api.Config = cfg
api.headers = make(map[string]string)
if api.Client == nil {
// Ran into an issue where USERTrust was not recognized on OSX.
// The rest of this block was the fix.
// load Mozilla cert pool
pool, err := certifi.CACerts()
if err != nil {
return err
}
// configure transport using Mozilla cert pool
transport := &http.Transport{
TLSClientConfig: &tls.Config{RootCAs: pool},
}
// configure http client using transport
api.Client = &http.Client{Transport: transport}
}
return nil
}
func checkHost(host string) (result hostResult) {
result = hostResult{
host: host,
certs: []certErrors{},
}
//load ca certs. bundle
cert_pool, err := gocertifi.CACerts()
conn, err := tls.Dial("tcp", host, &tls.Config{RootCAs: cert_pool})
if err != nil {
result.err = err
return
}
defer conn.Close()
timeNow := time.Now()
checkedCerts := make(map[string]struct{})
for _, chain := range conn.ConnectionState().VerifiedChains {
for certNum, cert := range chain {
if _, checked := checkedCerts[string(cert.Signature)]; checked {
continue
}
checkedCerts[string(cert.Signature)] = struct{}{}
cErrs := []error{}
// Check the expiration.
if timeNow.AddDate(*warnYears, *warnMonths, *warnDays).After(cert.NotAfter) {
expiresIn := int64(cert.NotAfter.Sub(timeNow).Hours())
if expiresIn <= 48 {
cErrs = append(cErrs, fmt.Errorf(errExpiringShortly, host, cert.Subject.CommonName, cert.SerialNumber, expiresIn))
} else {
cErrs = append(cErrs, fmt.Errorf(errExpiringSoon, host, cert.Subject.CommonName, cert.SerialNumber, expiresIn/24))
}
}
// Check the signature algorithm, ignoring the root certificate.
if alg, exists := sunsetSigAlgs[cert.SignatureAlgorithm]; *checkSigAlg && exists && certNum != len(chain)-1 {
if cert.NotAfter.Equal(alg.sunsetsAt) || cert.NotAfter.After(alg.sunsetsAt) {
cErrs = append(cErrs, fmt.Errorf(errSunsetAlg, host, cert.Subject.CommonName, cert.SerialNumber, alg.name))
}
}
result.certs = append(result.certs, certErrors{
commonName: cert.Subject.CommonName,
errs: cErrs,
})
}
}
return
}
func newTransport() Transport {
t := &HTTPTransport{}
rootCAs, err := gocertifi.CACerts()
if err != nil {
log.Println("raven: failed to load root TLS certificates:", err)
} else {
t.Client = &http.Client{
Transport: &http.Transport{
TLSClientConfig: &tls.Config{RootCAs: rootCAs},
},
}
}
return t
}
func (pc ProbeConfig) getHTTPTransport(hostname string) (*http.Transport, error) {
if pc.Insecure {
return &http.Transport{
TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
}, nil
}
host, _, err := net.SplitHostPort(hostname)
if err != nil {
return nil, err
}
certPool, err := gocertifi.CACerts()
if err != nil {
return nil, err
}
return &http.Transport{
TLSClientConfig: &tls.Config{
RootCAs: certPool,
ServerName: host,
},
}, nil
}
