| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869 |
- package sockets
- import (
- "crypto/tls"
- "crypto/x509"
- "fmt"
- "io/ioutil"
- "net"
- "os"
- "github.com/docker/docker/pkg/listenbuffer"
- )
- type TlsConfig struct {
- CA string
- Certificate string
- Key string
- Verify bool
- }
- func NewTlsConfig(tlsCert, tlsKey, tlsCA string, verify bool) *TlsConfig {
- return &TlsConfig{
- Verify: verify,
- Certificate: tlsCert,
- Key: tlsKey,
- CA: tlsCA,
- }
- }
- func NewTcpSocket(addr string, config *TlsConfig, activate <-chan struct{}) (net.Listener, error) {
- l, err := listenbuffer.NewListenBuffer("tcp", addr, activate)
- if err != nil {
- return nil, err
- }
- if config != nil {
- if l, err = setupTls(l, config); err != nil {
- return nil, err
- }
- }
- return l, nil
- }
- func setupTls(l net.Listener, config *TlsConfig) (net.Listener, error) {
- tlsCert, err := tls.LoadX509KeyPair(config.Certificate, config.Key)
- if err != nil {
- if os.IsNotExist(err) {
- return nil, fmt.Errorf("Could not load X509 key pair (%s, %s): %v", config.Certificate, config.Key, err)
- }
- return nil, fmt.Errorf("Error reading X509 key pair (%s, %s): %q. Make sure the key is encrypted.",
- config.Certificate, config.Key, err)
- }
- tlsConfig := &tls.Config{
- NextProtos: []string{"http/1.1"},
- Certificates: []tls.Certificate{tlsCert},
- // Avoid fallback on insecure SSL protocols
- MinVersion: tls.VersionTLS10,
- }
- if config.CA != "" {
- certPool := x509.NewCertPool()
- file, err := ioutil.ReadFile(config.CA)
- if err != nil {
- return nil, fmt.Errorf("Could not read CA certificate: %v", err)
- }
- certPool.AppendCertsFromPEM(file)
- tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
- tlsConfig.ClientCAs = certPool
- }
- return tls.NewListener(l, tlsConfig), nil
- }
|
