Overview ¶
Package tlsconfig provides opinionated TLS configurations.
Index ¶
- Variables
- func NewClientConfig(opts ...Option) (*tls.Config, error)
- func NewServerConfig(opts ...Option) (*tls.Config, error)
- type Option
- func WithCertificates(certs ...tls.Certificate) Option
- func WithCipherSuites(suites ...uint16) Option
- func WithClientAuth(auth tls.ClientAuthType) Option
- func WithClientCAs(pool *x509.CertPool) Option
- func WithCurvePreferences(curves ...tls.CurveID) Option
- func WithGetCertificate(fn func(*tls.ClientHelloInfo) (*tls.Certificate, error)) Option
- func WithGetClientCertificate(fn func(*tls.CertificateRequestInfo) (*tls.Certificate, error)) Option
- func WithInsecureSkipVerify(allow bool) Option
- func WithKeyLogWriter(writer io.Writer) Option
- func WithMaxVersion(version uint16) Option
- func WithMinVersion(version uint16) Option
- func WithNextProtos(protos ...string) Option
- func WithPostQuantumKeyExchange() Option
- func WithRootCAs(pool *x509.CertPool) Option
- func WithServerName(name string) Option
- func WithTLS13Only() Option
Constants ¶
This section is empty.
Variables ¶
// Sentinel errors for TLS configuration validation. Callers should match
// them with errors.Is; presumably they are what NewClientConfig and
// NewServerConfig return when option validation fails — confirm against
// the constructors.
var (
	// ErrInvalidTLSConfig indicates the TLS configuration is invalid.
	ErrInvalidTLSConfig = ewrap.New("invalid tls config")
	// ErrTLSVersionTooLow indicates the requested TLS version is too low
	// (the exact floor is enforced by the constructors, not shown here).
	ErrTLSVersionTooLow = ewrap.New("tls version too low")
	// ErrTLSVersionRange indicates the min/max TLS version range is invalid.
	ErrTLSVersionRange = ewrap.New("tls version range invalid")
	// ErrTLSMissingCertificate indicates server certificates are required
	// but none were provided.
	ErrTLSMissingCertificate = ewrap.New("tls certificate required")
	// ErrTLSInvalidCipherSuites indicates the cipher suite list is invalid.
	ErrTLSInvalidCipherSuites = ewrap.New("tls cipher suites invalid")
	// ErrTLSInvalidCurvePreferences indicates the curve preferences are invalid.
	ErrTLSInvalidCurvePreferences = ewrap.New("tls curve preferences invalid")
	// ErrTLSMissingClientCAs indicates a client CA pool is required for
	// mTLS verification but none was provided.
	ErrTLSMissingClientCAs = ewrap.New("tls client ca required")
)
Functions ¶
func NewClientConfig ¶
NewClientConfig returns a TLS client config with safe defaults.
Types ¶
type Option ¶
type Option func(*config) error
Option configures TLS settings.
func WithCertificates ¶
func WithCertificates(certs ...tls.Certificate) Option
WithCertificates sets the TLS certificates.
func WithCipherSuites ¶
WithCipherSuites sets the cipher suites used for TLS 1.2 handshakes (TLS 1.3 cipher suites are not configurable).
func WithClientAuth ¶
func WithClientAuth(auth tls.ClientAuthType) Option
WithClientAuth sets the client authentication mode for servers.
func WithClientCAs ¶
WithClientCAs sets the CA pool a server uses to verify client certificates (mTLS).
func WithCurvePreferences ¶
WithCurvePreferences sets the elliptic curve preferences.
func WithGetCertificate ¶
func WithGetCertificate(fn func(*tls.ClientHelloInfo) (*tls.Certificate, error)) Option
WithGetCertificate sets a certificate callback for servers.
func WithGetClientCertificate ¶
func WithGetClientCertificate(fn func(*tls.CertificateRequestInfo) (*tls.Certificate, error)) Option
WithGetClientCertificate sets a certificate callback for clients.
func WithInsecureSkipVerify ¶
WithInsecureSkipVerify controls whether server certificate verification is skipped; when allow is true the peer is not authenticated (not recommended).
func WithKeyLogWriter ¶
WithKeyLogWriter enables TLS key logging for debugging; the writer receives session secrets and should only be set in debugging sessions.
func WithMaxVersion ¶
WithMaxVersion sets the maximum TLS version.
func WithMinVersion ¶
WithMinVersion sets the minimum TLS version.
func WithNextProtos ¶
WithNextProtos sets the ALPN protocols.
func WithPostQuantumKeyExchange ¶
func WithPostQuantumKeyExchange() Option
WithPostQuantumKeyExchange enables hybrid post-quantum key exchange. It prepends X25519MLKEM768 to the curve preferences for TLS 1.3 handshakes.
func WithRootCAs ¶
WithRootCAs sets the root CA pool a client uses to verify server certificates.
func WithServerName ¶
WithServerName sets the server name a client sends (SNI) and verifies the server certificate against.