-
Notifications
You must be signed in to change notification settings - Fork 13
/
tls.go
176 lines (148 loc) · 4.91 KB
/
tls.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
// Copyright 2022-2024 Sauce Labs Inc., all rights reserved.
//
// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at https://mozilla.org/MPL/2.0/.
package forwarder
import (
"crypto/tls"
"crypto/x509"
"fmt"
"os"
"time"
"github.com/saucelabs/forwarder/utils/certutil"
)
type TLSClientConfig struct {
// HandshakeTimeout specifies the maximum amount of time waiting to
// wait for a TLS handshake. Zero means no timeout.
HandshakeTimeout time.Duration
// Insecure controls whether a client verifies the server's
// certificate chain and host name. If Insecure is true, crypto/tls
// accepts any certificate presented by the server and any host name in that
// certificate. In this mode, TLS is susceptible to machine-in-the-middle
// attacks unless custom verification is used. This should be used only for
// testing or in combination with VerifyConnection or VerifyPeerCertificate.
Insecure bool
// CACertFiles is a list of paths to CA certificate files.
// If this is set, the system root CA pool will be supplemented with certificates from these files.
CACertFiles []string
// KeyLogFile optionally specifies a destination for TLS master secrets
// in NSS key log format that can be used to allow external programs
// such as Wireshark to decrypt TLS connections.
KeyLogFile string
}
func DefaultTLSClientConfig() *TLSClientConfig {
return &TLSClientConfig{
HandshakeTimeout: 10 * time.Second,
KeyLogFile: os.Getenv("SSLKEYLOGFILE"),
}
}
func (c *TLSClientConfig) ConfigureTLSConfig(tlsCfg *tls.Config) error {
if c.Insecure {
tlsCfg.InsecureSkipVerify = true
tlsCfg.MinVersion = tls.VersionTLS10
// Allow use all cipher suites for insecure connections,
// this only affects TLS 1.0-1.2 connections, TLS 1.3 cipher suites are fixed.
tlsCfg.CipherSuites = []uint16{
tls.TLS_RSA_WITH_RC4_128_SHA,
tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
tls.TLS_RSA_WITH_AES_128_CBC_SHA,
tls.TLS_RSA_WITH_AES_256_CBC_SHA,
tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA,
tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
}
}
if err := c.loadRootCAs(tlsCfg); err != nil {
return fmt.Errorf("load CAs: %w", err)
}
if c.KeyLogFile != "" {
f, err := os.OpenFile(c.KeyLogFile, os.O_WRONLY|os.O_CREATE|os.O_APPEND, 0o600)
if err != nil {
return fmt.Errorf("open key log file: %w", err)
}
tlsCfg.KeyLogWriter = f
}
return nil
}
func (c *TLSClientConfig) loadRootCAs(tlsCfg *tls.Config) error {
if len(c.CACertFiles) == 0 {
return nil
}
rootCAs, err := x509.SystemCertPool()
if err != nil {
return err
}
for _, name := range c.CACertFiles {
b, err := ReadFileOrBase64(name)
if err != nil {
return err
}
if !rootCAs.AppendCertsFromPEM(b) {
return fmt.Errorf("append certificate %q", name)
}
}
tlsCfg.RootCAs = rootCAs
return nil
}
type TLSServerConfig struct {
// HandshakeTimeout specifies the maximum amount of time waiting to
// wait for a TLS handshake. Zero means no timeout.
HandshakeTimeout time.Duration
// CertFile is the path to the TLS certificate.
CertFile string
// KeyFile is the path to the TLS private key of the certificate.
KeyFile string
}
func (c *TLSServerConfig) ConfigureTLSConfig(tlsCfg *tls.Config) error {
if err := c.loadCertificate(tlsCfg); err != nil {
return fmt.Errorf("load certificate: %w", err)
}
return nil
}
func (c *TLSServerConfig) loadCertificate(tlsCfg *tls.Config) error {
var (
cert tls.Certificate
err error
)
if c.CertFile == "" && c.KeyFile == "" {
ssc := certutil.ECDSASelfSignedCert()
if n, err := os.Hostname(); err == nil {
ssc.Hosts = append(ssc.Hosts, n)
}
ssc.Hosts = append(ssc.Hosts, "localhost")
cert, err = ssc.Gen()
} else {
cert, err = loadX509KeyPair(c.CertFile, c.KeyFile)
}
if err == nil {
tlsCfg.Certificates = append(tlsCfg.Certificates, cert)
}
return err
}
func loadX509KeyPair(certFile, keyFile string) (tls.Certificate, error) {
certPEMBlock, err := ReadFileOrBase64(certFile)
if err != nil {
return tls.Certificate{}, err
}
keyPEMBlock, err := ReadFileOrBase64(keyFile)
if err != nil {
return tls.Certificate{}, err
}
return tls.X509KeyPair(certPEMBlock, keyPEMBlock)
}