Commit graph

5 commits

Author SHA1 Message Date
Alexander Morozov
270e8cf64d Fix golint warnings
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
2015-11-02 08:02:25 -08:00
Tibor Vass
c7a04fda2a tlsconfig: better format for error message in tlsconfig
Signed-off-by: Tibor Vass <tibor@docker.com>
2015-07-30 14:15:41 -04:00
Tibor Vass
96ce3a194a cli: new daemon command and new cli package
This patch creates a new cli package that allows to combine both client
and daemon commands (there is only one daemon command: docker daemon).

The `-d` and `--daemon` top-level flags are deprecated and a special
message is added to prompt the user to use `docker daemon`.

Providing top-level daemon-specific flags for client commands result
in an error message prompting the user to use `docker daemon`.

This patch does not break any old but correct usages.

This also makes `-d` and `--daemon` flags, as well as the `daemon`
command illegal in client-only binaries.

Signed-off-by: Tibor Vass <tibor@docker.com>
2015-07-23 19:44:46 -04:00
Phil Estes
9b43f5a3a1 Split client and server cipher suite list in TLS defaults
Per @ewindisch, removing the CBC ciphers from the client preferred TLS
cipher suites.  This will allow a future version of the server to also
remove the CBC ciphers from the accepted list.

This changes the server default to client + additional CBC cipher list,
and client default to the non-CBC ciphers.

Also, cipher order preference is modified so that best and highest-bit count
ciphers are most preferred.

Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
2015-06-11 14:00:31 -04:00
Tibor Vass
bfed4b7cc3 Refactor TLS code with a new tlsconfig package
This patch creates a new `tlsconfig` package to handle creation of
secure-enough TLS configurations for clients and servers.

The package was created by refactoring TLS code in the client and the
daemon. After this patch, it is expected that all code creating TLS
configurations use this `tlsconfig` package for greater security,
consistency and readability.

On the server side, this fixes a bug where --tlsverify was not taken
into account. Now, if specified, it will require the client to
authenticate.

Signed-off-by: Tibor Vass <tibor@docker.com>
2015-06-05 12:38:38 -04:00