// GetClientTLSConfig returns the context client TLS config, initializing it if needed.
//
// If Insecure is true, a nil config is returned (no TLS at all). Otherwise the
// config is built once from the Certs directory and cached on the Context under
// tlsConfigMu. If Certs is empty, the permissive config from
// security.LoadInsecureClientTLSConfig is cached instead; note that this
// downgrade is only reported at log verbosity 1, so an operator running with
// default logging will not see it. A failed load is not cached: the error is
// returned and the next call retries.
// TODO(marc): empty Certs dir should fail when client certificates are required.
func (ctx *Context) GetClientTLSConfig() (*tls.Config, error) {
	// Insecure mode carries no TLS config at all.
	if ctx.Insecure {
		return nil, nil
	}

	ctx.tlsConfigMu.Lock()
	defer ctx.tlsConfigMu.Unlock()

	// Already initialized by an earlier call.
	if cached := ctx.clientTLSConfig; cached != nil {
		return cached, nil
	}

	if ctx.Certs == "" {
		// No certificate directory: fall back to the permissive config.
		// NOTE(review): this is the silent-downgrade path; consider logging it
		// unconditionally (or failing) once the TODO above is resolved.
		if log.V(1) {
			log.Infof("no certificates directory specified: using insecure TLS")
		}
		ctx.clientTLSConfig = security.LoadInsecureClientTLSConfig()
		return ctx.clientTLSConfig, nil
	}

	if log.V(1) {
		log.Infof("setting up TLS from certificates directory: %s", ctx.Certs)
	}
	loaded, err := security.LoadClientTLSConfig(ctx.Certs, ctx.User)
	if err != nil {
		// Leave the cache empty so a later call can retry the load.
		return nil, util.Errorf("error setting up client TLS config: %s", err)
	}
	ctx.clientTLSConfig = loaded
	return loaded, nil
}
// GetClientTLSConfig returns the context client TLS config, initializing it if needed.
//
// If Insecure is true, a nil config is returned (no TLS at all). Otherwise the
// config is built exactly once (sync.Once) from SSLCA, SSLCert and SSLCertKey
// and cached on the Context. The decision is keyed on SSLCert alone: when
// SSLCert is empty the permissive config from
// security.LoadInsecureClientTLSConfig is used, regardless of whether SSLCA
// was set. A load error is cached too, so every later call returns the same
// error without retrying.
// TODO(marc): empty SSLCert should fail when client certificates are required.
func (ctx *Context) GetClientTLSConfig() (*tls.Config, error) {
	// Insecure mode carries no TLS config at all.
	if ctx.Insecure {
		return nil, nil
	}

	ctx.clientTLSConfig.once.Do(func() {
		if ctx.SSLCert == "" {
			// NOTE(review): a CA-only setup (SSLCA set, SSLCert empty) lands
			// here and loses server verification; the downgrade is logged,
			// but not refused.
			log.Println("no certificates specified: using insecure TLS")
			ctx.clientTLSConfig.tlsConfig = security.LoadInsecureClientTLSConfig()
			return
		}

		loaded, err := security.LoadClientTLSConfig(
			ctx.SSLCA, ctx.SSLCert, ctx.SSLCertKey)
		if err != nil {
			err = errors.Errorf("error setting up client TLS config: %s", err)
		}
		// Both fields are stored so the outcome (config or error) is sticky.
		ctx.clientTLSConfig.tlsConfig, ctx.clientTLSConfig.err = loaded, err
	})

	return ctx.clientTLSConfig.tlsConfig, ctx.clientTLSConfig.err
}