// grpcTLS builds the client-side *tls.Config used for the gRPC connection to
// notary-signer from the "trust_service.*" keys of the given configuration.
//
// It reads the root CA file, the expected server hostname, and an optional
// client certificate/key pair. A client cert and key must be configured
// together: supplying exactly one of them is rejected as a partial
// configuration so that a mis-configured mutual-TLS setup fails loudly
// instead of silently connecting without client authentication.
//
// Returns the assembled config, or an error when the configuration is
// partial or utils.ConfigureClientTLS cannot load the referenced files.
func grpcTLS(configuration *viper.Viper) (*tls.Config, error) {
	caFile := configuration.GetString("trust_service.tls_ca_file")
	host := configuration.GetString("trust_service.hostname")
	certFile := configuration.GetString("trust_service.tls_client_cert")
	keyFile := configuration.GetString("trust_service.tls_client_key")

	// Exactly one of cert/key being set is a partial configuration.
	if (certFile == "") != (keyFile == "") {
		return nil, fmt.Errorf("Partial TLS configuration found. Either include both a client cert and client key file in the configuration, or include neither.")
	}

	// The configured hostname is handed over as ServerName; how
	// ConfigureClientTLS applies it (presumably for certificate
	// verification) is not visible here.
	opts := &utils.ClientTLSOpts{
		RootCAFile:     caFile,
		ServerName:     host,
		ClientCertFile: certFile,
		ClientKeyFile:  keyFile,
	}
	cfg, err := utils.ConfigureClientTLS(opts)
	if err != nil {
		return nil, fmt.Errorf(
			"Unable to configure TLS to the trust service: %s", err.Error())
	}
	return cfg, nil
}
// getTransport returns the http.RoundTripper used to talk to the remote
// notary server for the given GUN, wrapped with token authentication by
// tokenAuth. readOnly is passed through to tokenAuth unchanged.
//
// TLS settings come from the "remote_server.*" configuration keys:
// an optional root CA file (relative paths are resolved against configPath)
// and the skipTLSVerify flag. A TLS setup failure is fatal for the process
// (logrus.Fatal), so this function never returns on that path.
func getTransport(gun string, readOnly bool) http.RoundTripper {
	// An empty root CA path leaves the host's default trust store in use.
	caPath := mainViper.GetString("remote_server.root_ca")
	if caPath != "" && !filepath.IsAbs(caPath) {
		// Relative paths are taken as relative to the configuration
		// directory (~/.notary by default).
		caPath = filepath.Join(configPath, caPath)
	}

	// skipTLSVerify defaults to false and is only honoured when explicitly
	// set. NOTE(review): presumably this maps onto tls.Config.InsecureSkipVerify,
	// which disables server certificate verification entirely — confirm in
	// utils.ConfigureClientTLS and keep it off outside of test setups.
	var skipVerify bool
	if mainViper.IsSet("remote_server.skipTLSVerify") {
		skipVerify = mainViper.GetBool("remote_server.skipTLSVerify")
	}

	tlsOpts := &utils.ClientTLSOpts{
		RootCAFile:         caPath,
		InsecureSkipVerify: skipVerify,
	}
	tlsCfg, err := utils.ConfigureClientTLS(tlsOpts)
	if err != nil {
		logrus.Fatal("Unable to configure TLS: ", err.Error())
	}

	dialer := &net.Dialer{
		Timeout:   30 * time.Second,
		KeepAlive: 30 * time.Second,
		DualStack: true,
	}
	// DisableKeepAlives makes every request open a fresh connection; the
	// Dial and TLS handshake timeouts above bound how long that can take.
	transport := &http.Transport{
		Proxy:               http.ProxyFromEnvironment,
		Dial:                dialer.Dial,
		TLSHandshakeTimeout: 10 * time.Second,
		TLSClientConfig:     tlsCfg,
		DisableKeepAlives:   true,
	}
	return tokenAuth(transport, gun, readOnly)
}