From a093ea34c3168c085c949e292108b4ae9be15784 Mon Sep 17 00:00:00 2001
From: deads2k
Date: Wed, 16 Sep 2015 14:41:43 -0400
Subject: [PATCH] enable system cas

---
 pkg/client/unversioned/transport.go | 27 +++++++++++++++++++--------
 1 file changed, 19 insertions(+), 8 deletions(-)

diff --git a/pkg/client/unversioned/transport.go b/pkg/client/unversioned/transport.go
index fae7ddf6e5..ecb73dc1e7 100644
--- a/pkg/client/unversioned/transport.go
+++ b/pkg/client/unversioned/transport.go
@@ -171,30 +171,41 @@ func NewClientCertTLSConfig(certData, keyData, caData []byte) (*tls.Config, erro
 if err != nil {
 return nil, err
 }
-certPool := x509.NewCertPool()
-certPool.AppendCertsFromPEM(caData)
+
 return &tls.Config{
 // Change default from SSLv3 to TLSv1.0 (because of POODLE vulnerability)
 MinVersion: tls.VersionTLS10,
 Certificates: []tls.Certificate{
 cert,
 },
-RootCAs: certPool,
-ClientCAs: certPool,
-ClientAuth: tls.RequireAndVerifyClientCert,
+RootCAs: rootCertPool(caData),
 }, nil
 }
 
 func NewTLSConfig(caData []byte) (*tls.Config, error) {
-certPool := x509.NewCertPool()
-certPool.AppendCertsFromPEM(caData)
 return &tls.Config{
 // Change default from SSLv3 to TLSv1.0 (because of POODLE vulnerability)
 MinVersion: tls.VersionTLS10,
-RootCAs: certPool,
+RootCAs: rootCertPool(caData),
 }, nil
 }
 
+// rootCertPool returns nil if caData is empty. When passed along, this will mean "use system CAs".
+// When caData is not empty, it will be the ONLY information used in the CertPool.
+func rootCertPool(caData []byte) *x509.CertPool {
+// What we really want is a copy of x509.systemRootsPool, but that isn't exposed. It's difficult to build (see the go
+// code for a look at the platform specific insanity), so we'll use the fact that RootCAs == nil gives us the system values
+// It doesn't allow trusting either/or, but hopefully that won't be an issue
+if len(caData) == 0 {
+return nil
+}
+
+// if we have caData, use it
+certPool := x509.NewCertPool()
+certPool.AppendCertsFromPEM(caData)
+return certPool
+}
+
 func NewUnsafeTLSConfig() *tls.Config {
 return &tls.Config{
 InsecureSkipVerify: true,
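Review bot: The new rootCertPool discards the bool returned by `certPool.AppendCertsFromPEM(caData)`, so non-empty but malformed CA data silently produces an empty, non-nil pool and every later handshake fails with a verification error that never points at the CA bytes as the cause. Both callers already return (*tls.Config, error), so rootCertPool can return (*x509.CertPool, error) and report the parse failure when the config is built, as sketched below (the errors.New call assumes that package is imported; the file's import block is outside the hunk, and NewClientCertTLSConfig's body begins before it). Separately, empty caData now means "trust the system root store" where it previously produced an empty pool that trusted nothing; that is the commit's intent, but neither exported constructor says so, and a caller passing an empty slice by mistake gets a wider trust set than before. Repeating the rootCertPool comment on both constructors, e.g. `// NewTLSConfig returns a client TLS config that trusts caData only; an empty caData means the system root CAs are used.`, makes the change visible at the API boundary.
```go
// rootCertPool returns nil (meaning "use system CAs") when caData is empty, and
// an error when caData is non-empty but contains no parseable certificate.
func rootCertPool(caData []byte) (*x509.CertPool, error) {
	if len(caData) == 0 {
		return nil, nil
	}
	certPool := x509.NewCertPool()
	if !certPool.AppendCertsFromPEM(caData) {
		return nil, errors.New("no valid certificates found in CA data")
	}
	return certPool, nil
}

func NewTLSConfig(caData []byte) (*tls.Config, error) {
	rootCAs, err := rootCertPool(caData)
	if err != nil {
		return nil, err
	}
	return &tls.Config{
		// … unchanged: MinVersion …
		RootCAs: rootCAs,
	}, nil
}
// … unchanged: NewClientCertTLSConfig takes the same rootCAs, err pattern before its tls.Config literal …
```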