tls

Documentation

Index

• func LoadClientConfig(certFile, keyFile, caFile string, verify bool, serverName string) (*tls.Config, error)
• func LoadServerConfig(certFile, keyFile, caFile string) (*tls.Config, error)
• func WrapTLSClient(conn net.Conn, tlsConfig *tls.Config, timeout time.Duration) (net.Conn, error)

Functions

func LoadClientConfig

func LoadClientConfig(certFile, keyFile, caFile string, verify bool, serverName string) (*tls.Config, error)

LoadClientConfig loads the certificate from cert & key files and optional CA file.

func LoadServerConfig

func LoadServerConfig(certFile, keyFile, caFile string) (*tls.Config, error)

LoadServerConfig loads the certificate from cert & key files and optional client CA file.

func WrapTLSClient

func WrapTLSClient(conn net.Conn, tlsConfig *tls.Config, timeout time.Duration) (net.Conn, error)

Wrap a net.Conn into a client tls connection, performing any additional verification as needed.

As of go 1.3, crypto/tls only supports either doing no certificate verification, or doing full verification including of the peer's DNS name. For consul, we want to validate that the certificate is signed by a known CA, but because consul doesn't use DNS names for node names, we don't verify the certificate DNS names. Since go 1.3 no longer supports this mode of operation, we have to do it manually.

This code is taken from consul: https://github.com/hashicorp/consul/blob/master/tlsutil/config.go