Skip to content

always use system CA when setting up TLS #12

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
evchee wants to merge 1 commit into from
Closed

always use system CA when setting up TLS #12

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions server/server/config/config.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -85,6 +85,7 @@ type (
KeyData string `yaml:"keyData"`
EnableHostVerification bool `yaml:"enableHostVerification"`
ServerName string `yaml:"serverName"`
DisableTLS bool `yaml:"disableTLS"`
}

Auth struct {
Expand Down
74 changes: 40 additions & 34 deletions server/server/rpc/tls.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -60,16 +60,15 @@ func CreateTLSConfig(address string, cfg *config.TLS) (*tls.Config, error) {
if err != nil {
return nil, err
}

if cfg.CaFile != "" || cfg.CaData != "" {
if !cfg.DisableTLS {
caCertPool, err := loadCACert(cfg)
if err != nil {
log.Fatalf("Unable to load server CA certificate")
return nil, err
}

caPool = caCertPool
}

if cfg.CertFile != "" || cfg.CertData != "" {
keyPair, err := loadKeyPair(cfg)
if err != nil {
Expand Down Expand Up @@ -111,44 +110,51 @@ func CreateTLSConfig(address string, cfg *config.TLS) (*tls.Config, error) {
}

func loadCACert(cfg *config.TLS) (caPool *x509.CertPool, err error) {
pathOrUrl := cfg.CaFile
caData := cfg.CaData

caPool = x509.NewCertPool()
var caBytes []byte

if strings.HasPrefix(pathOrUrl, "http://") {
return nil, errors.New("HTTP is not supported for CA cert URLs. Provide HTTPS URL")
caPool, err = x509.SystemCertPool()
if err != nil {
return nil, fmt.Errorf("unable to load system CA cert pool: %v", err)
}

if strings.HasPrefix(pathOrUrl, "https://") {
resp, err := netClient.Get(pathOrUrl)
if err != nil {
return nil, fmt.Errorf("unable to load CA cert from URL: %v", err)
}
defer resp.Body.Close()
caBytes, err = io.ReadAll(resp.Body)
if err != nil {
return nil, fmt.Errorf("unable to load CA cert from URL: %v", err)
}
// Append additional CA certs configured if provided
if cfg.CaFile != "" || cfg.CaData != "" {
pathOrUrl := cfg.CaFile
caData := cfg.CaData
var caBytes []byte

log.Printf("Loaded TLS CA cert from URL: %v", pathOrUrl)
} else if pathOrUrl != "" {
caBytes, err = os.ReadFile(pathOrUrl)
if err != nil {
return nil, fmt.Errorf("unable to load CA cert from file: %v", err)
if strings.HasPrefix(pathOrUrl, "http://") {
return nil, errors.New("HTTP is not supported for CA cert URLs. Provide HTTPS URL")
}
log.Printf("Loaded TLS CA cert from file: %v", pathOrUrl)
} else if caData != "" {
caBytes, err = base64.StdEncoding.DecodeString(caData)
if err != nil {
return nil, fmt.Errorf("unable to decode CA cert from base64: %v", err)

if strings.HasPrefix(pathOrUrl, "https://") {
resp, err := netClient.Get(pathOrUrl)
if err != nil {
return nil, fmt.Errorf("unable to load CA cert from URL: %v", err)
}
defer resp.Body.Close()
caBytes, err = io.ReadAll(resp.Body)
if err != nil {
return nil, fmt.Errorf("unable to load CA cert from URL: %v", err)
}

log.Printf("Loaded TLS CA cert from URL: %v", pathOrUrl)
} else if pathOrUrl != "" {
caBytes, err = os.ReadFile(pathOrUrl)
if err != nil {
return nil, fmt.Errorf("unable to load CA cert from file: %v", err)
}
log.Printf("Loaded TLS CA cert from file: %v", pathOrUrl)
} else if caData != "" {
caBytes, err = base64.StdEncoding.DecodeString(caData)
if err != nil {
return nil, fmt.Errorf("unable to decode CA cert from base64: %v", err)
}
log.Printf("Loaded CA cert from base64")
}
log.Printf("Loaded CA cert from base64")
}

if !caPool.AppendCertsFromPEM(caBytes) {
return nil, errors.New("unknown failure constructing cert pool for ca")
if !caPool.AppendCertsFromPEM(caBytes) {
return nil, errors.New("unknown failure constructing cert pool for ca")
}
}
return caPool, nil
}
Expand Down
Loading