Commit 232cb4db authored by ale's avatar ale

Rename client backend tls config attr to just 'tls'

For uniformity with the serverutil package. Also, make error checking
on client TLS setup a bit stricter.
parent 39b1908a
...@@ -13,7 +13,7 @@ import ( ...@@ -13,7 +13,7 @@ import (
// 'shard' parameter on their APIs. // 'shard' parameter on their APIs.
type BackendConfig struct { type BackendConfig struct {
URL string `yaml:"url"` URL string `yaml:"url"`
TLSConfig *TLSClientConfig `yaml:"tls_config"` TLSConfig *TLSClientConfig `yaml:"tls"`
Sharded bool `yaml:"sharded"` Sharded bool `yaml:"sharded"`
Debug bool `yaml:"debug"` Debug bool `yaml:"debug"`
} }
......
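Review bot: The yaml key for TLSConfig changes from `tls_config` to `tls` with no alias, so any deployed config file still using `tls_config:` will, unless the decoder rejects unknown keys, leave TLSConfig nil and the client silently falls through to whatever the nil case does (presumably a connection without the client certificate, which is the case this field exists to prevent). Worth either accepting the old tag for one release, or rejecting unknown keys at config load time so the break fails loudly. If the loader already uses strict decoding this is moot, but that is not visible from this hunk.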
...@@ -2,6 +2,7 @@ package clientutil ...@@ -2,6 +2,7 @@ package clientutil
import ( import (
"crypto/tls" "crypto/tls"
"errors"
common "git.autistici.org/ai3/go-common" common "git.autistici.org/ai3/go-common"
) )
...@@ -16,6 +17,10 @@ type TLSClientConfig struct { ...@@ -16,6 +17,10 @@ type TLSClientConfig struct {
// TLSConfig returns a tls.Config object with the current configuration. // TLSConfig returns a tls.Config object with the current configuration.
func (c *TLSClientConfig) TLSConfig() (*tls.Config, error) { func (c *TLSClientConfig) TLSConfig() (*tls.Config, error) {
if c.Cert == "" || c.Key == "" || c.CA == "" {
return nil, errors.New("incomplete client tls specification")
}
cert, err := tls.LoadX509KeyPair(c.Cert, c.Key) cert, err := tls.LoadX509KeyPair(c.Cert, c.Key)
if err != nil { if err != nil {
return nil, err return nil, err
...@@ -24,13 +29,11 @@ func (c *TLSClientConfig) TLSConfig() (*tls.Config, error) { ...@@ -24,13 +29,11 @@ func (c *TLSClientConfig) TLSConfig() (*tls.Config, error) {
Certificates: []tls.Certificate{cert}, Certificates: []tls.Certificate{cert},
} }
if c.CA != "" {
cas, err := common.LoadCA(c.CA) cas, err := common.LoadCA(c.CA)
if err != nil { if err != nil {
return nil, err return nil, err
} }
tlsConf.RootCAs = cas tlsConf.RootCAs = cas
}
tlsConf.BuildNameToCertificate() tlsConf.BuildNameToCertificate()
return tlsConf, nil return tlsConf, nil
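Review bot: The new guard at the top of TLSConfig dereferences `c` before checking it, so a nil *TLSClientConfig, which BackendConfig.TLSConfig can be since it is a pointer field, panics instead of returning the new error; whether every caller checks for nil first is not visible here. The error also does not say which of the three fields is missing, which costs a round trip when debugging a deployment. Suggest `if c == nil || c.Cert == "" || c.Key == "" || c.CA == "" {` with the message `"incomplete client tls specification: cert, key and ca are all required"`. Separately, the tls.Config literal this populates starts outside the hunk; if it does not set `MinVersion: tls.VersionTLS12`, that is worth adding here since the config otherwise accepts whatever the default floor is. The enclosing TLSConfig method spans both hunks and its closing brace lies past the second one.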
......
...@@ -2,6 +2,7 @@ package common ...@@ -2,6 +2,7 @@ package common
import ( import (
"crypto/x509" "crypto/x509"
"fmt"
"io/ioutil" "io/ioutil"
) )
...@@ -12,6 +13,8 @@ func LoadCA(path string) (*x509.CertPool, error) { ...@@ -12,6 +13,8 @@ func LoadCA(path string) (*x509.CertPool, error) {
return nil, err return nil, err
} }
cas := x509.NewCertPool() cas := x509.NewCertPool()
cas.AppendCertsFromPEM(data) if !cas.AppendCertsFromPEM(data) {
return nil, fmt.Errorf("no certificates could be parsed in %s", path)
}
return cas, nil return cas, nil
} }
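Review bot: The added check on AppendCertsFromPEM only guarantees that at least one PEM block parsed: x509.CertPool.AppendCertsFromPEM skips blocks it cannot decode and still returns true, so a bundle with one good root and a corrupted intermediate loads without complaint. If that matters for this CA file, parse it block by block with encoding/pem and x509.ParseCertificate and fail on the first bad block; otherwise a comment such as `// AppendCertsFromPEM reports success if any block parsed; malformed blocks are skipped silently.` would keep the next reader from assuming the file was fully validated. Also prefer `%q` over `%s` for the path in the new error so an empty or whitespace-only path is visible in logs.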