add tls options
This commit is contained in:
ginuerzh
parent
cffbecc3c0
commit
e8d5e719a4
@ -99,11 +99,12 @@ type MetricsConfig struct {
|
||||
}
|
||||
|
||||
type TLSConfig struct {
|
||||
CertFile string `yaml:"certFile,omitempty" json:"certFile,omitempty"`
|
||||
KeyFile string `yaml:"keyFile,omitempty" json:"keyFile,omitempty"`
|
||||
CAFile string `yaml:"caFile,omitempty" json:"caFile,omitempty"`
|
||||
Secure bool `yaml:",omitempty" json:"secure,omitempty"`
|
||||
ServerName string `yaml:"serverName,omitempty" json:"serverName,omitempty"`
|
||||
CertFile string `yaml:"certFile,omitempty" json:"certFile,omitempty"`
|
||||
KeyFile string `yaml:"keyFile,omitempty" json:"keyFile,omitempty"`
|
||||
CAFile string `yaml:"caFile,omitempty" json:"caFile,omitempty"`
|
||||
Secure bool `yaml:",omitempty" json:"secure,omitempty"`
|
||||
ServerName string `yaml:"serverName,omitempty" json:"serverName,omitempty"`
|
||||
Options *TLSOptions `yaml:",omitempty" json:"options,omitempty"`
|
||||
|
||||
// for auto-generated default certificate.
|
||||
Validity time.Duration `yaml:",omitempty" json:"validity,omitempty"`
|
||||
@ -111,6 +112,12 @@ type TLSConfig struct {
|
||||
Organization string `yaml:",omitempty" json:"organization,omitempty"`
|
||||
}
|
||||
|
||||
type TLSOptions struct {
|
||||
MinVersion string `yaml:"minVersion,omitempty" json:"minVersion,omitempty"`
|
||||
MaxVersion string `yaml:"maxVersion,omitempty" json:"maxVersion,omitempty"`
|
||||
CipherSuites []string `yaml:"cipherSuites,omitempty" json:"cipherSuites,omitempty"`
|
||||
}
|
||||
|
||||
type PluginConfig struct {
|
||||
Type string `json:"type"`
|
||||
Addr string `json:"addr"`
|
||||
|
||||
@ -57,9 +57,7 @@ func ParseNode(hop string, cfg *config.NodeConfig) (*chain.Node, error) {
|
||||
if tlsCfg.ServerName == "" {
|
||||
tlsCfg.ServerName = serverName
|
||||
}
|
||||
tlsConfig, err := tls_util.LoadClientConfig(
|
||||
tlsCfg.CertFile, tlsCfg.KeyFile, tlsCfg.CAFile,
|
||||
tlsCfg.Secure, tlsCfg.ServerName)
|
||||
tlsConfig, err := tls_util.LoadClientConfig(tlsCfg)
|
||||
if err != nil {
|
||||
nodeLogger.Error(err)
|
||||
return nil, err
|
||||
@ -99,9 +97,7 @@ func ParseNode(hop string, cfg *config.NodeConfig) (*chain.Node, error) {
|
||||
if tlsCfg.ServerName == "" {
|
||||
tlsCfg.ServerName = serverName
|
||||
}
|
||||
tlsConfig, err = tls_util.LoadClientConfig(
|
||||
tlsCfg.CertFile, tlsCfg.KeyFile, tlsCfg.CAFile,
|
||||
tlsCfg.Secure, tlsCfg.ServerName)
|
||||
tlsConfig, err = tls_util.LoadClientConfig(tlsCfg)
|
||||
if err != nil {
|
||||
nodeLogger.Error(err)
|
||||
return nil, err
|
||||
|
||||
@ -55,8 +55,7 @@ func ParseService(cfg *config.ServiceConfig) (service.Service, error) {
|
||||
if tlsCfg == nil {
|
||||
tlsCfg = &config.TLSConfig{}
|
||||
}
|
||||
tlsConfig, err := tls_util.LoadServerConfig(
|
||||
tlsCfg.CertFile, tlsCfg.KeyFile, tlsCfg.CAFile)
|
||||
tlsConfig, err := tls_util.LoadServerConfig(tlsCfg)
|
||||
if err != nil {
|
||||
listenerLogger.Error(err)
|
||||
return nil, err
|
||||
@ -149,8 +148,7 @@ func ParseService(cfg *config.ServiceConfig) (service.Service, error) {
|
||||
if tlsCfg == nil {
|
||||
tlsCfg = &config.TLSConfig{}
|
||||
}
|
||||
tlsConfig, err = tls_util.LoadServerConfig(
|
||||
tlsCfg.CertFile, tlsCfg.KeyFile, tlsCfg.CAFile)
|
||||
tlsConfig, err = tls_util.LoadServerConfig(tlsCfg)
|
||||
if err != nil {
|
||||
handlerLogger.Error(err)
|
||||
return nil, err
|
||||
|
||||
@ -6,9 +6,43 @@ import (
|
||||
"errors"
|
||||
"net"
|
||||
"os"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/go-gost/core/logger"
|
||||
"github.com/go-gost/x/config"
|
||||
)
|
||||
|
||||
const (
|
||||
VersionTLS10 = "VersionTLS10"
|
||||
VersionTLS11 = "VersionTLS11"
|
||||
VersionTLS12 = "VersionTLS12"
|
||||
VersionTLS13 = "VersionTLS13"
|
||||
)
|
||||
|
||||
const (
|
||||
TLS_RSA_WITH_RC4_128_SHA = "TLS_RSA_WITH_RC4_128_SHA"
|
||||
TLS_RSA_WITH_3DES_EDE_CBC_SHA = "TLS_RSA_WITH_3DES_EDE_CBC_SHA"
|
||||
TLS_RSA_WITH_AES_128_CBC_SHA = "TLS_RSA_WITH_AES_128_CBC_SHA"
|
||||
TLS_RSA_WITH_AES_256_CBC_SHA = "TLS_RSA_WITH_AES_256_CBC_SHA"
|
||||
TLS_RSA_WITH_AES_128_CBC_SHA256 = "TLS_RSA_WITH_AES_128_CBC_SHA256"
|
||||
TLS_RSA_WITH_AES_128_GCM_SHA256 = "TLS_RSA_WITH_AES_128_GCM_SHA256"
|
||||
TLS_RSA_WITH_AES_256_GCM_SHA384 = "TLS_RSA_WITH_AES_256_GCM_SHA384"
|
||||
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA = "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA"
|
||||
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA = "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA"
|
||||
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA = "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
|
||||
TLS_ECDHE_RSA_WITH_RC4_128_SHA = "TLS_ECDHE_RSA_WITH_RC4_128_SHA"
|
||||
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA = "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA"
|
||||
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
|
||||
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
|
||||
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 = "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"
|
||||
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
|
||||
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
|
||||
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
|
||||
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
|
||||
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
|
||||
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
|
||||
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 = "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"
|
||||
)
|
||||
|
||||
// LoadDefaultConfig loads the certificate from cert & key files and optional CA file.
|
||||
@ -33,19 +67,19 @@ func LoadDefaultConfig(certFile, keyFile, caFile string) (*tls.Config, error) {
|
||||
}
|
||||
|
||||
// LoadServerConfig loads the certificate from cert & key files and client CA file.
|
||||
func LoadServerConfig(certFile, keyFile, caFile string) (*tls.Config, error) {
|
||||
if certFile == "" && keyFile == "" {
|
||||
func LoadServerConfig(config *config.TLSConfig) (*tls.Config, error) {
|
||||
if config.CertFile == "" && config.KeyFile == "" {
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
cert, err := tls.LoadX509KeyPair(certFile, keyFile)
|
||||
cert, err := tls.LoadX509KeyPair(config.CertFile, config.KeyFile)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
cfg := &tls.Config{Certificates: []tls.Certificate{cert}}
|
||||
|
||||
pool, err := loadCA(caFile)
|
||||
pool, err := loadCA(config.CAFile)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
@ -54,17 +88,88 @@ func LoadServerConfig(certFile, keyFile, caFile string) (*tls.Config, error) {
|
||||
cfg.ClientAuth = tls.RequireAndVerifyClientCert
|
||||
}
|
||||
|
||||
if opts := config.Options; opts != nil {
|
||||
switch strings.ToLower(opts.MinVersion) {
|
||||
case strings.ToLower(VersionTLS10):
|
||||
cfg.MinVersion = tls.VersionTLS10
|
||||
case strings.ToLower(VersionTLS11):
|
||||
cfg.MinVersion = tls.VersionTLS11
|
||||
case strings.ToLower(VersionTLS12):
|
||||
cfg.MinVersion = tls.VersionTLS12
|
||||
case strings.ToLower(VersionTLS13):
|
||||
cfg.MinVersion = tls.VersionTLS13
|
||||
}
|
||||
switch strings.ToLower(opts.MaxVersion) {
|
||||
case strings.ToLower(VersionTLS10):
|
||||
cfg.MaxVersion = tls.VersionTLS10
|
||||
case strings.ToLower(VersionTLS11):
|
||||
cfg.MaxVersion = tls.VersionTLS11
|
||||
case strings.ToLower(VersionTLS12):
|
||||
cfg.MaxVersion = tls.VersionTLS12
|
||||
case strings.ToLower(VersionTLS13):
|
||||
cfg.MaxVersion = tls.VersionTLS13
|
||||
}
|
||||
for _, v := range opts.CipherSuites {
|
||||
switch strings.ToLower(v) {
|
||||
case strings.ToLower(TLS_RSA_WITH_RC4_128_SHA):
|
||||
cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_RSA_WITH_RC4_128_SHA)
|
||||
case strings.ToLower(TLS_RSA_WITH_3DES_EDE_CBC_SHA):
|
||||
cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA)
|
||||
case strings.ToLower(TLS_RSA_WITH_AES_128_CBC_SHA):
|
||||
cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_RSA_WITH_AES_128_CBC_SHA)
|
||||
case strings.ToLower(TLS_RSA_WITH_AES_256_CBC_SHA):
|
||||
cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_RSA_WITH_AES_256_CBC_SHA)
|
||||
case strings.ToLower(TLS_RSA_WITH_AES_128_CBC_SHA256):
|
||||
cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_RSA_WITH_AES_128_CBC_SHA256)
|
||||
case strings.ToLower(TLS_RSA_WITH_AES_128_GCM_SHA256):
|
||||
cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_RSA_WITH_AES_128_GCM_SHA256)
|
||||
case strings.ToLower(TLS_RSA_WITH_AES_256_GCM_SHA384):
|
||||
cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_RSA_WITH_AES_256_GCM_SHA384)
|
||||
case strings.ToLower(TLS_ECDHE_ECDSA_WITH_RC4_128_SHA):
|
||||
cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA)
|
||||
case strings.ToLower(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA):
|
||||
cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA)
|
||||
case strings.ToLower(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA):
|
||||
cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA)
|
||||
case strings.ToLower(TLS_ECDHE_RSA_WITH_RC4_128_SHA):
|
||||
cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA)
|
||||
case strings.ToLower(TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA):
|
||||
cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA)
|
||||
case strings.ToLower(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA):
|
||||
cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA)
|
||||
case strings.ToLower(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA):
|
||||
cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA)
|
||||
case strings.ToLower(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256):
|
||||
cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256)
|
||||
case strings.ToLower(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256):
|
||||
cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256)
|
||||
case strings.ToLower(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256):
|
||||
cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
|
||||
case strings.ToLower(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256):
|
||||
cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
|
||||
case strings.ToLower(TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384):
|
||||
cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
|
||||
case strings.ToLower(TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384):
|
||||
cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
|
||||
case strings.ToLower(TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256):
|
||||
cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256)
|
||||
case strings.ToLower(TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256):
|
||||
cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return cfg, nil
|
||||
}
|
||||
|
||||
// LoadClientConfig loads the certificate from cert & key files and CA file.
|
||||
func LoadClientConfig(certFile, keyFile, caFile string, verify bool, serverName string) (*tls.Config, error) {
|
||||
func LoadClientConfig(config *config.TLSConfig) (*tls.Config, error) {
|
||||
var cfg *tls.Config
|
||||
|
||||
if certFile == "" && keyFile == "" {
|
||||
if config.CertFile == "" && config.KeyFile == "" {
|
||||
cfg = &tls.Config{}
|
||||
} else {
|
||||
cert, err := tls.LoadX509KeyPair(certFile, keyFile)
|
||||
cert, err := tls.LoadX509KeyPair(config.CertFile, config.KeyFile)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
@ -74,17 +179,88 @@ func LoadClientConfig(certFile, keyFile, caFile string, verify bool, serverName
|
||||
}
|
||||
}
|
||||
|
||||
rootCAs, err := loadCA(caFile)
|
||||
rootCAs, err := loadCA(config.CAFile)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
cfg.RootCAs = rootCAs
|
||||
cfg.ServerName = serverName
|
||||
cfg.InsecureSkipVerify = !verify
|
||||
cfg.ServerName = config.ServerName
|
||||
cfg.InsecureSkipVerify = !config.Secure
|
||||
|
||||
if opts := config.Options; opts != nil {
|
||||
switch strings.ToLower(opts.MinVersion) {
|
||||
case strings.ToLower(VersionTLS10):
|
||||
cfg.MinVersion = tls.VersionTLS10
|
||||
case strings.ToLower(VersionTLS11):
|
||||
cfg.MinVersion = tls.VersionTLS11
|
||||
case strings.ToLower(VersionTLS12):
|
||||
cfg.MinVersion = tls.VersionTLS12
|
||||
case strings.ToLower(VersionTLS13):
|
||||
cfg.MinVersion = tls.VersionTLS13
|
||||
}
|
||||
switch strings.ToLower(opts.MaxVersion) {
|
||||
case strings.ToLower(VersionTLS10):
|
||||
cfg.MaxVersion = tls.VersionTLS10
|
||||
case strings.ToLower(VersionTLS11):
|
||||
cfg.MaxVersion = tls.VersionTLS11
|
||||
case strings.ToLower(VersionTLS12):
|
||||
cfg.MaxVersion = tls.VersionTLS12
|
||||
case strings.ToLower(VersionTLS13):
|
||||
cfg.MaxVersion = tls.VersionTLS13
|
||||
}
|
||||
for _, v := range opts.CipherSuites {
|
||||
switch strings.ToLower(v) {
|
||||
case strings.ToLower(TLS_RSA_WITH_RC4_128_SHA):
|
||||
cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_RSA_WITH_RC4_128_SHA)
|
||||
case strings.ToLower(TLS_RSA_WITH_3DES_EDE_CBC_SHA):
|
||||
cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA)
|
||||
case strings.ToLower(TLS_RSA_WITH_AES_128_CBC_SHA):
|
||||
cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_RSA_WITH_AES_128_CBC_SHA)
|
||||
case strings.ToLower(TLS_RSA_WITH_AES_256_CBC_SHA):
|
||||
cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_RSA_WITH_AES_256_CBC_SHA)
|
||||
case strings.ToLower(TLS_RSA_WITH_AES_128_CBC_SHA256):
|
||||
cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_RSA_WITH_AES_128_CBC_SHA256)
|
||||
case strings.ToLower(TLS_RSA_WITH_AES_128_GCM_SHA256):
|
||||
cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_RSA_WITH_AES_128_GCM_SHA256)
|
||||
case strings.ToLower(TLS_RSA_WITH_AES_256_GCM_SHA384):
|
||||
cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_RSA_WITH_AES_256_GCM_SHA384)
|
||||
case strings.ToLower(TLS_ECDHE_ECDSA_WITH_RC4_128_SHA):
|
||||
cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA)
|
||||
case strings.ToLower(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA):
|
||||
cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA)
|
||||
case strings.ToLower(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA):
|
||||
cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA)
|
||||
case strings.ToLower(TLS_ECDHE_RSA_WITH_RC4_128_SHA):
|
||||
cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA)
|
||||
case strings.ToLower(TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA):
|
||||
cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA)
|
||||
case strings.ToLower(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA):
|
||||
cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA)
|
||||
case strings.ToLower(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA):
|
||||
cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA)
|
||||
case strings.ToLower(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256):
|
||||
cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256)
|
||||
case strings.ToLower(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256):
|
||||
cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256)
|
||||
case strings.ToLower(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256):
|
||||
cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
|
||||
case strings.ToLower(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256):
|
||||
cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
|
||||
case strings.ToLower(TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384):
|
||||
cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
|
||||
case strings.ToLower(TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384):
|
||||
cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)
|
||||
case strings.ToLower(TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256):
|
||||
cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256)
|
||||
case strings.ToLower(TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256):
|
||||
cfg.CipherSuites = append(cfg.CipherSuites, tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// If the root ca is given, but skip verify, we verify the certificate manually.
|
||||
if cfg.RootCAs != nil && !verify {
|
||||
if cfg.RootCAs != nil && !config.Secure {
|
||||
cfg.VerifyConnection = func(state tls.ConnectionState) error {
|
||||
opts := x509.VerifyOptions{
|
||||
Roots: cfg.RootCAs,
|
||||
|
||||
Loading…
Reference in New Issue
Block a user