Overview
Package tls provides the TLS transport.
Constants
This section is empty.
Variables
This section is empty.
Functions
func WrapConn
func WrapConn(ctx context.Context, conn transport.StreamConn, serverName string, options ...ClientOption) (transport.StreamConn, error)
WrapConn wraps a transport.StreamConn in a TLS connection.
Types
type CertVerificationContext added in v0.0.20
type CertVerificationContext struct {
	// PeerCertificates are the parsed certificates sent by the peer, in the
	// order in which they were sent. The first element is the leaf certificate
	// that the connection is verified against.
	//
	// On the client side, it can't be empty. On the server side, it can be
	// empty if Config.ClientAuth is not RequireAnyClientCert or
	// RequireAndVerifyClientCert.
	//
	// PeerCertificates and its contents should not be modified.
	PeerCertificates []*x509.Certificate
}
CertVerificationContext provides connection-time context for the certificate verification.
type CertVerifier added in v0.0.20
type CertVerifier interface {
	// VerifyCertificate verifies a peer certificate given the context.
	VerifyCertificate(info *CertVerificationContext) error
}
CertVerifier verifies peer certificates for TLS connections.
type ClientConfig
type ClientConfig struct {
	// ServerName specifies the hostname sent for Server Name Indication (SNI).
	// This is often the same as the dialed hostname but can be overridden using [WithSNI].
	ServerName string
	// NextProtos lists the application-layer protocols (e.g., "h2", "http/1.1")
	// supported by the client for Application-Layer Protocol Negotiation (ALPN).
	// See [WithALPN].
	NextProtos []string
	// SessionCache enables TLS session resumption by providing a cache for session tickets.
	// If nil, session resumption is disabled. See [WithSessionCache].
	SessionCache tls.ClientSessionCache
	// CertVerifier specifies a custom verifier for the peer's certificate chain.
	// If nil, [StandardCertVerifier] is used by default, validating against the dialed
	// server name. See [WithCertVerifier].
	CertVerifier CertVerifier
}
ClientConfig holds configuration parameters used for establishing a TLS client connection.
type ClientOption
type ClientOption func(serverName string, config *ClientConfig)
ClientOption allows configuring the parameters to be used for a client TLS connection.
func IfHost added in v0.0.11
func IfHost(matchHost string, option ClientOption) ClientOption
IfHost applies the given option if the host matches the dialed one.
func WithALPN
func WithALPN(protocolNameList []string) ClientOption
WithALPN sets the protocol name list for Application-Layer Protocol Negotiation (ALPN). The list of protocol IDs can be found in IANA's registry.
func WithCertVerifier added in v0.0.20
func WithCertVerifier(verifier CertVerifier) ClientOption
WithCertVerifier sets the verifier to be used for the certificate verification.
func WithSNI
func WithSNI(hostName string) ClientOption
WithSNI sets the host name for Server Name Indication (SNI). If absent, defaults to the dialed hostname. Note that this only changes what is sent in the SNI, not what host is used for certificate verification.
func WithSessionCache
func WithSessionCache(sessionCache tls.ClientSessionCache) ClientOption
WithSessionCache sets the tls.ClientSessionCache to enable session resumption of TLS connections.
type StandardCertVerifier added in v0.0.20
type StandardCertVerifier struct {
	// CertificateName specifies the expected DNS name (or IP address) against which
	// the peer's leaf certificate is verified.
	CertificateName string
	// Roots contains the set of trusted root certificate authorities.
	// If nil, the host's default root CAs are used for certificate chain validation.
	Roots *x509.CertPool
}
StandardCertVerifier implements CertVerifier using standard TLS certificate chain verification.
func (*StandardCertVerifier) VerifyCertificate added in v0.0.20
func (v *StandardCertVerifier) VerifyCertificate(certContext *CertVerificationContext) error
VerifyCertificate implements CertVerifier.
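A custom CertVerifier that layers public-key pinning over the chain check, written for this page as an added example (not the package's own code) to illustrate the CertVerifier, WithCertVerifier and StandardCertVerifier entries above. It repeats CertVerificationContext and CertVerifier locally so it compiles without the package; PinnedCertVerifier, SPKIPin and newTestCert are hypothetical names, and in a real client the package's StandardCertVerifier would be passed as Inner so that pinning adds to, rather than replaces, chain and hostname validation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// CertVerificationContext and CertVerifier repeat the package's definitions so this file compiles on its own; PinnedCertVerifier below is a hypothetical addition.
type CertVerificationContext struct{ PeerCertificates []*x509.Certificate }
type CertVerifier interface{ VerifyCertificate(info *CertVerificationContext) error }
type PinnedCertVerifier struct {
	Inner CertVerifier    // runs first, e.g. the package's StandardCertVerifier; nil skips chain validation
	Pins  map[string]bool // allowed hex SHA-256(SubjectPublicKeyInfo) values for the leaf certificate
}

// SPKIPin returns the hex SHA-256 of a certificate's SubjectPublicKeyInfo, the value an operator records as the pin.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return fmt.Sprintf("%x", sum[:])
}
func (v *PinnedCertVerifier) VerifyCertificate(info *CertVerificationContext) error {
	if len(info.PeerCertificates) == 0 {
		return fmt.Errorf("tls: peer presented no certificate")
	}
	if v.Inner != nil {
		if err := v.Inner.VerifyCertificate(info); err != nil {
			return err // chain or hostname validation failed; a matching pin never overrides this
		}
	}
	if pin := SPKIPin(info.PeerCertificates[0]); !v.Pins[pin] {
		return fmt.Errorf("tls: leaf SPKI pin %s is not in the allowed set", pin)
	}
	return nil
}

// newTestCert builds a constructed self-signed leaf for the demo; a deployment pins the real server key instead.
func newTestCert(name string) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{name}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	cert, _ := x509.ParseCertificate(der)
	return cert
}
func main() {
	v := &PinnedCertVerifier{Pins: map[string]bool{SPKIPin(newTestCert("example.com")): true}}
	fmt.Println(v.VerifyCertificate(&CertVerificationContext{PeerCertificates: []*x509.Certificate{newTestCert("example.com")}})) // same name, new key: pin mismatch
}
```

Since WithSNI changes only what is sent in the SNI, the name the inner verifier checks the chain against comes from its own CertificateName, not from the SNI.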
type StreamDialer
type StreamDialer struct {
// contains filtered or unexported fields
}
StreamDialer is a transport.StreamDialer that uses TLS to wrap the inner StreamDialer.
func NewStreamDialer
func NewStreamDialer(baseDialer transport.StreamDialer, options ...ClientOption) (*StreamDialer, error)
NewStreamDialer creates a StreamDialer that wraps the connections from the baseDialer with TLS configured with the given options.
func (*StreamDialer) DialStream added in v0.0.12
func (d *StreamDialer) DialStream(ctx context.Context, remoteAddr string) (transport.StreamConn, error)
DialStream implements transport.StreamDialer.DialStream.