func NewAgentAnalyzerClientConn(addr *net.UDPAddr) (a *AgentAnalyzerClientConn, err error) {
a = &AgentAnalyzerClientConn{}
certPEM := config.GetConfig().GetString("agent.X509_cert")
keyPEM := config.GetConfig().GetString("agent.X509_key")
serverCertPEM := config.GetConfig().GetString("analyzer.X509_cert")
if len(certPEM) > 0 && len(keyPEM) > 0 {
cert, err := tls.LoadX509KeyPair(certPEM, keyPEM)
if err != nil {
logging.GetLogger().Fatalf("Can't read X509 key pair set in config : cert '%s' key '%s'", certPEM, keyPEM)
return nil, err
}
rootPEM, err := ioutil.ReadFile(serverCertPEM)
if err != nil {
logging.GetLogger().Fatalf("Failed to open root certificate '%s' : %s", certPEM, err.Error())
}
roots := x509.NewCertPool()
ok := roots.AppendCertsFromPEM(rootPEM)
if !ok {
logging.GetLogger().Fatal("Failed to parse root certificate " + certPEM)
}
cfgTLS := &tls.Config{
Certificates: []tls.Certificate{cert},
RootCAs: roots,
}
cfgTLS.BuildNameToCertificate()
logging.GetLogger().Debugf("TLS client connection ... Dial %s:%d", common.IPToString(addr.IP), addr.Port+1)
a.tlsConnClient, err = tls.Dial("tcp", fmt.Sprintf("%s:%d", common.IPToString(addr.IP), addr.Port+1), cfgTLS)
if err != nil {
logging.GetLogger().Errorf("TLS error %s:%d : %s", common.IPToString(addr.IP), addr.Port+1, err.Error())
return nil, err
}
state := a.tlsConnClient.ConnectionState()
if state.HandshakeComplete == false {
logging.GetLogger().Debugf("TLS Handshake is not complete %s:%d : %+v", common.IPToString(addr.IP), addr.Port+1, state)
return nil, errors.New("TLS Handshake is not complete")
}
logging.GetLogger().Debugf("TLS v%d Handshake is complete on %s:%d", state.Version, common.IPToString(addr.IP), addr.Port+1)
return a, nil
}
a.udpConn, err = net.DialUDP("udp", nil, addr)
if err != nil {
return nil, err
}
logging.GetLogger().Debug("UDP client dialup done")
return a, nil
}
func NewAgentAnalyzerServerConn(addr *net.UDPAddr) (a *AgentAnalyzerServerConn, err error) {
a = &AgentAnalyzerServerConn{mode: UDP}
certPEM := config.GetConfig().GetString("analyzer.X509_cert")
keyPEM := config.GetConfig().GetString("analyzer.X509_key")
clientCertPEM := config.GetConfig().GetString("agent.X509_cert")
if len(certPEM) > 0 && len(keyPEM) > 0 {
cert, err := tls.LoadX509KeyPair(certPEM, keyPEM)
if err != nil {
logging.GetLogger().Fatalf("Can't read X509 key pair set in config : cert '%s' key '%s'", certPEM, keyPEM)
}
rootPEM, err := ioutil.ReadFile(clientCertPEM)
if err != nil {
logging.GetLogger().Fatalf("Failed to open root certificate '%s' : %s", certPEM, err.Error())
}
roots := x509.NewCertPool()
ok := roots.AppendCertsFromPEM([]byte(rootPEM))
if !ok {
logging.GetLogger().Fatal("Failed to parse root certificate " + certPEM)
}
cfgTLS := &tls.Config{
ClientCAs: roots,
ClientAuth: tls.RequireAndVerifyClientCert,
Certificates: []tls.Certificate{cert},
MinVersion: tls.VersionTLS12,
PreferServerCipherSuites: true,
CipherSuites: []uint16{
tls.TLS_RSA_WITH_AES_128_CBC_SHA,
tls.TLS_RSA_WITH_AES_256_CBC_SHA,
tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
},
}
cfgTLS.BuildNameToCertificate()
a.tlsListen, err = tls.Listen("tcp", fmt.Sprintf("%s:%d", common.IPToString(addr.IP), addr.Port+1), cfgTLS)
if err != nil {
return nil, err
}
a.mode = TLS
logging.GetLogger().Info("Analyzer listen agents on TLS socket")
return a, nil
}
a.udpConn, err = net.ListenUDP("udp", addr)
logging.GetLogger().Info("Analyzer listen agents on UDP socket")
return a, err
}
func validateIPPort(addressPort string) (string, int, error) {
/* Backward compatibility for old format like : listen = 1234 */
if !strings.ContainsAny(addressPort, ".:") {
addressPort = ":" + addressPort
}
/* validate IPv4 and IPv6 address */
IPAddr, err := net.ResolveUDPAddr("", addressPort)
if err != nil {
return "", 0, err
}
IPaddr := IPAddr.IP
port := IPAddr.Port
addr := "localhost"
if IPaddr != nil {
addr = common.IPToString(IPaddr)
}
return addr, port, nil
}
