mirror of https://github.com/hashicorp/consul
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
125 lines
4.0 KiB
125 lines
4.0 KiB
7 years ago
|
package connect
|
||
|
|
||
|
import (
|
||
|
"crypto/tls"
|
||
|
"crypto/x509"
|
||
|
"io/ioutil"
|
||
|
"sync"
|
||
|
)
|
||
|
|
||
|
// defaultTLSConfig returns the standard config for connect clients and servers.
|
||
|
func defaultTLSConfig() *tls.Config {
|
||
|
serverAuther := &ServerAuther{}
|
||
|
return &tls.Config{
|
||
|
MinVersion: tls.VersionTLS12,
|
||
|
ClientAuth: tls.RequireAndVerifyClientCert,
|
||
|
// We don't have access to go internals that decide if AES hardware
|
||
|
// acceleration is available in order to prefer CHA CHA if not. So let's
|
||
|
// just always prefer AES for now. We can look into doing something uglier
|
||
|
// later like using an external lib for AES checking if it seems important.
|
||
|
// https://github.com/golang/go/blob/df91b8044dbe790c69c16058330f545be069cc1f/src/crypto/tls/common.go#L919:14
|
||
|
CipherSuites: []uint16{
|
||
|
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
||
|
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
||
|
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
||
|
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
||
|
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
|
||
|
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
|
||
|
},
|
||
|
// We have to set this since otherwise Go will attempt to verify DNS names
|
||
|
// match DNS SAN/CN which we don't want. We hook up VerifyPeerCertificate to
|
||
|
// do our own path validation as well as Connect AuthZ.
|
||
|
InsecureSkipVerify: true,
|
||
|
// By default auth as if we are a server. Clients need to override this with
|
||
|
// an Auther that is performs correct validation of the server identity they
|
||
|
// intended to connect to.
|
||
|
VerifyPeerCertificate: serverAuther.Auth,
|
||
|
}
|
||
|
}
|
||
|
|
||
|
// ReloadableTLSConfig exposes a tls.Config that can have it's certificates
|
||
|
// reloaded. This works by
|
||
|
type ReloadableTLSConfig struct {
|
||
|
mu sync.Mutex
|
||
|
|
||
|
// cfg is the current config to use for new connections
|
||
|
cfg *tls.Config
|
||
|
}
|
||
|
|
||
|
// NewReloadableTLSConfig returns a reloadable config currently set to base. The
|
||
|
// Auther used to verify certificates for incoming connections on a Server will
|
||
|
// just be copied from the VerifyPeerCertificate passed. Clients will need to
|
||
|
// pass a specific Auther instance when they call TLSConfig that is configured
|
||
|
// to perform the necessary validation of the server's identity.
|
||
|
func NewReloadableTLSConfig(base *tls.Config) *ReloadableTLSConfig {
|
||
|
return &ReloadableTLSConfig{cfg: base}
|
||
|
}
|
||
|
|
||
|
// ServerTLSConfig returns a *tls.Config that will dynamically load certs for
|
||
|
// each inbound connection via the GetConfigForClient callback.
|
||
|
func (c *ReloadableTLSConfig) ServerTLSConfig() *tls.Config {
|
||
|
// Setup the basic one with current params even though we will be using
|
||
|
// different config for each new conn.
|
||
|
c.mu.Lock()
|
||
|
base := c.cfg
|
||
|
c.mu.Unlock()
|
||
|
|
||
|
// Dynamically fetch the current config for each new inbound connection
|
||
|
base.GetConfigForClient = func(info *tls.ClientHelloInfo) (*tls.Config, error) {
|
||
|
return c.TLSConfig(nil), nil
|
||
|
}
|
||
|
|
||
|
return base
|
||
|
}
|
||
|
|
||
|
// TLSConfig returns the current value for the config. It is safe to call from
|
||
|
// any goroutine. The passed Auther is inserted into the config's
|
||
|
// VerifyPeerCertificate. Passing a nil Auther will leave the default one in the
|
||
|
// base config
|
||
|
func (c *ReloadableTLSConfig) TLSConfig(auther Auther) *tls.Config {
|
||
|
c.mu.Lock()
|
||
|
cfgCopy := c.cfg
|
||
|
c.mu.Unlock()
|
||
|
if auther != nil {
|
||
|
cfgCopy.VerifyPeerCertificate = auther.Auth
|
||
|
}
|
||
|
return cfgCopy
|
||
|
}
|
||
|
|
||
|
// SetTLSConfig sets the config used for future connections. It is safe to call
|
||
|
// from any goroutine.
|
||
|
func (c *ReloadableTLSConfig) SetTLSConfig(cfg *tls.Config) error {
|
||
|
c.mu.Lock()
|
||
|
defer c.mu.Unlock()
|
||
|
c.cfg = cfg
|
||
|
return nil
|
||
|
}
|
||
|
|
||
|
// devTLSConfigFromFiles returns a default TLS Config but with certs and CAs
|
||
|
// based on local files for dev.
|
||
|
func devTLSConfigFromFiles(caFile, certFile,
|
||
|
keyFile string) (*tls.Config, error) {
|
||
|
|
||
|
roots := x509.NewCertPool()
|
||
|
|
||
|
bs, err := ioutil.ReadFile(caFile)
|
||
|
if err != nil {
|
||
|
return nil, err
|
||
|
}
|
||
|
|
||
|
roots.AppendCertsFromPEM(bs)
|
||
|
|
||
|
cert, err := tls.LoadX509KeyPair(certFile, keyFile)
|
||
|
if err != nil {
|
||
|
return nil, err
|
||
|
}
|
||
|
|
||
|
cfg := defaultTLSConfig()
|
||
|
|
||
|
cfg.Certificates = []tls.Certificate{cert}
|
||
|
cfg.RootCAs = roots
|
||
|
cfg.ClientCAs = roots
|
||
|
|
||
|
return cfg, nil
|
||
|
}
|