Documentation
Overview
Package tlsutil provides shared TLS configuration types and helpers for any agent component that needs a server-side TLS listener.
Index
Constants
This section is empty.
Variables
This section is empty.
Functions
func ClientAuthRequiresVerification
func ClientAuthRequiresVerification(auth tls.ClientAuthType) bool
ClientAuthRequiresVerification returns true if the given client auth type requires a CA certificate for client verification.
func WarnKeyFilePermissions
func WarnKeyFilePermissions(path string)
WarnKeyFilePermissions checks whether the TLS private key file is readable by group or others and emits a warning if so.
Types
type ServerConfig
type ServerConfig struct {
CertFile string
KeyFile string
CAFile string
ClientAuth tls.ClientAuthType
MinVersion uint16
}
ServerConfig holds typed TLS settings for a server-side TLS listener. All fields use concrete Go crypto types rather than user-facing strings; the calling config layer is responsible for parsing and validating raw input before constructing a ServerConfig.
func (*ServerConfig) BuildTLSConfig
BuildTLSConfig loads certificates from disk and returns a *tls.Config ready for use with tls.NewListener. A CertReloader is created to support automatic certificate rotation without process restarts.
When a CA file is configured, a CAReloader is used so that CA certificate rotation does not require a restart. Because tls.Config.ClientCAs cannot be safely mutated after use, ClientAuth is set to its non-verifying equivalent and CA verification is performed in VerifyConnection against the dynamically reloaded pool. This follows the pattern recommended by the Go crypto team: https://go.dev/issue/64796
func (*ServerConfig) Validate
func (c *ServerConfig) Validate() error
Validate checks that the ServerConfig fields are internally consistent.
Directories
| Path | Synopsis |
|---|---|
| certreloader | Package certreloader provides automatic TLS certificate reloading from disk. |