Constants ¶
// Client-authentication modes accepted in ClientAuth.ClientAuthType. The names
// mirror the crypto/tls ClientAuthType constants. Only the two "Verify" modes
// validate the certificate chain the client presents; the others either do not
// ask for a certificate or accept whatever is sent without checking it.
const (
	// NoClientCert indicates that no client certificate should be requested
	// during the handshake, and if any certificates are sent they will not
	// be verified.
	NoClientCert = "NoClientCert"
	// RequestClientCert indicates that a client certificate should be requested
	// during the handshake, but does not require that the client send any
	// certificates.
	RequestClientCert = "RequestClientCert"
	// RequireAnyClientCert indicates that a client certificate should be requested
	// during the handshake, and that at least one certificate is required to be
	// sent by the client, but that certificate is not required to be valid.
	RequireAnyClientCert = "RequireAnyClientCert"
	// VerifyClientCertIfGiven indicates that a client certificate should be requested
	// during the handshake, but does not require that the client sends a
	// certificate. If the client does send a certificate it is required to be
	// valid.
	VerifyClientCertIfGiven = "VerifyClientCertIfGiven"
	// RequireAndVerifyClientCert indicates that a client certificate should be requested
	// during the handshake, and that at least one valid certificate is required
	// to be sent by the client.
	RequireAndVerifyClientCert = "RequireAndVerifyClientCert"
)
// Names used when no explicit store or options name is given; both are the
// keys looked up by Manager.Get(storeName, configName).
const (
	// DefaultTLSConfigName is the name of the default set of options for configuring TLS.
	DefaultTLSConfigName = "default"
	// DefaultTLSStoreName is the name of the default store of TLS certificates.
	// Note that it actually is the only usable one for now.
	DefaultTLSStoreName = "default"
)
Variables ¶
var (
	// MinVersion Map of allowed TLS minimum versions.
	// VersionTLS10 and VersionTLS11 are deprecated by RFC 8996; they are
	// presumably kept only so that existing configurations keep parsing.
	// DefaultTLSOptions uses VersionTLS13.
	MinVersion = map[string]uint16{
		`VersionTLS10`: tls.VersionTLS10,
		`VersionTLS11`: tls.VersionTLS11,
		`VersionTLS12`: tls.VersionTLS12,
		`VersionTLS13`: tls.VersionTLS13,
	}
	// MaxVersion Map of allowed TLS maximum versions.
	// Same key set as MinVersion; a MaxVersion below the MinVersion is not
	// rejected here, so the consumer of Options must check that.
	MaxVersion = map[string]uint16{
		`VersionTLS10`: tls.VersionTLS10,
		`VersionTLS11`: tls.VersionTLS11,
		`VersionTLS12`: tls.VersionTLS12,
		`VersionTLS13`: tls.VersionTLS13,
	}
	// CurveIDs is a Map of TLS elliptic curves from crypto/tls
	// Available CurveIDs defined at https://godoc.org/crypto/tls#CurveID,
	// also allowing rfc names defined at https://tools.ietf.org/html/rfc8446#section-4.2.7
	// Each group is accepted under both its crypto/tls constant name and its
	// RFC 8446 name. X25519MLKEM768 is the hybrid X25519 + ML-KEM-768
	// post-quantum key exchange.
	CurveIDs = map[string]tls.CurveID{
		`secp256r1`:      tls.CurveP256,
		`CurveP256`:      tls.CurveP256,
		`secp384r1`:      tls.CurveP384,
		`CurveP384`:      tls.CurveP384,
		`secp521r1`:      tls.CurveP521,
		`CurveP521`:      tls.CurveP521,
		`x25519`:         tls.X25519,
		`X25519`:         tls.X25519,
		`x25519mlkem768`: tls.X25519MLKEM768,
		`X25519MLKEM768`: tls.X25519MLKEM768,
	}
)
var (
	// CipherSuites Map of TLS CipherSuites from crypto/tls
	// Available CipherSuites defined at https://pkg.go.dev/crypto/tls/#pkg-constants
	//
	// Keys are the crypto/tls constant names. The RC4 and 3DES suites are
	// among those crypto/tls reports from tls.InsecureCipherSuites and remain
	// here only so that the names resolve. The *_CHACHA20_POLY1305 names
	// without the _SHA256 suffix are crypto/tls legacy aliases carrying the
	// same numeric value as the _SHA256 constants, which is why
	// CipherSuitesReversed below lists only the _SHA256 spelling (a map
	// literal cannot hold the same key twice). TLS_FALLBACK_SCSV is the
	// RFC 7507 signaling value, not an actual cipher suite.
	CipherSuites = map[string]uint16{
		`TLS_RSA_WITH_RC4_128_SHA`:                      tls.TLS_RSA_WITH_RC4_128_SHA,
		`TLS_RSA_WITH_3DES_EDE_CBC_SHA`:                 tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
		`TLS_RSA_WITH_AES_128_CBC_SHA`:                  tls.TLS_RSA_WITH_AES_128_CBC_SHA,
		`TLS_RSA_WITH_AES_256_CBC_SHA`:                  tls.TLS_RSA_WITH_AES_256_CBC_SHA,
		`TLS_RSA_WITH_AES_128_CBC_SHA256`:               tls.TLS_RSA_WITH_AES_128_CBC_SHA256,
		`TLS_RSA_WITH_AES_128_GCM_SHA256`:               tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
		`TLS_RSA_WITH_AES_256_GCM_SHA384`:               tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
		`TLS_ECDHE_ECDSA_WITH_RC4_128_SHA`:              tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
		`TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`:          tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
		`TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`:          tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
		`TLS_ECDHE_RSA_WITH_RC4_128_SHA`:                tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA,
		`TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA`:           tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
		`TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`:            tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
		`TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`:            tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
		`TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`:       tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
		`TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`:         tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
		`TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`:         tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		`TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`:       tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
		`TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`:         tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
		`TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`:       tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
		`TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305`:          tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		`TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256`:   tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
		`TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305`:        tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
		`TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256`: tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
		`TLS_AES_128_GCM_SHA256`:                        tls.TLS_AES_128_GCM_SHA256,
		`TLS_AES_256_GCM_SHA384`:                        tls.TLS_AES_256_GCM_SHA384,
		`TLS_CHACHA20_POLY1305_SHA256`:                  tls.TLS_CHACHA20_POLY1305_SHA256,
		`TLS_FALLBACK_SCSV`:                             tls.TLS_FALLBACK_SCSV,
	}
	// CipherSuitesReversed Map of TLS CipherSuites from crypto/tls
	// Available CipherSuites defined at https://pkg.go.dev/crypto/tls/#pkg-constants
	//
	// Inverse of CipherSuites, used to render a negotiated suite id as its
	// name (see GetCipherName). Legacy alias names are intentionally absent.
	CipherSuitesReversed = map[uint16]string{
		tls.TLS_RSA_WITH_RC4_128_SHA:                      `TLS_RSA_WITH_RC4_128_SHA`,
		tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA:                 `TLS_RSA_WITH_3DES_EDE_CBC_SHA`,
		tls.TLS_RSA_WITH_AES_128_CBC_SHA:                  `TLS_RSA_WITH_AES_128_CBC_SHA`,
		tls.TLS_RSA_WITH_AES_256_CBC_SHA:                  `TLS_RSA_WITH_AES_256_CBC_SHA`,
		tls.TLS_RSA_WITH_AES_128_CBC_SHA256:               `TLS_RSA_WITH_AES_128_CBC_SHA256`,
		tls.TLS_RSA_WITH_AES_128_GCM_SHA256:               `TLS_RSA_WITH_AES_128_GCM_SHA256`,
		tls.TLS_RSA_WITH_AES_256_GCM_SHA384:               `TLS_RSA_WITH_AES_256_GCM_SHA384`,
		tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA:              `TLS_ECDHE_ECDSA_WITH_RC4_128_SHA`,
		tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA:          `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`,
		tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA:          `TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`,
		tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA:                `TLS_ECDHE_RSA_WITH_RC4_128_SHA`,
		tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA:           `TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA`,
		tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:            `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`,
		tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:            `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`,
		tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:       `TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`,
		tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:         `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`,
		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:         `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`,
		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:       `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`,
		tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:         `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`,
		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:       `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`,
		tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:   `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256`,
		tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: `TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256`,
		tls.TLS_AES_128_GCM_SHA256:                        `TLS_AES_128_GCM_SHA256`,
		tls.TLS_AES_256_GCM_SHA384:                        `TLS_AES_256_GCM_SHA384`,
		tls.TLS_CHACHA20_POLY1305_SHA256:                  `TLS_CHACHA20_POLY1305_SHA256`,
		tls.TLS_FALLBACK_SCSV:                             `TLS_FALLBACK_SCSV`,
	}
)
// DefaultTLSOptions holds the default TLS options applied when an entry point
// does not override them.
var DefaultTLSOptions = Options{
	// h2 and http/1.1 serve ordinary traffic; ACMETLS1Protocol is the ALPN
	// identifier negotiated for the ACME TLS-ALPN-01 challenge.
	ALPNProtocols: []string{"h2", "http/1.1", tlsalpn01.ACMETLS1Protocol},
	// Key of MinVersion; TLS 1.3 only by default.
	MinVersion: "VersionTLS13",
	// getCipherSuites is defined elsewhere in the package; its selection is not visible here.
	CipherSuites: getCipherSuites(),
	// Keys of CurveIDs; presumably in preference order, hybrid post-quantum first.
	CurvePreferences: []string{"X25519MLKEM768", "X25519", "CurveP256", "CurveP384"},
}
DefaultTLSOptions holds the default TLS options.
Functions ¶
func GetCipherName ¶
func GetCipherName(connState *tls.ConnectionState) string
GetCipherName returns the Cipher suite name. Available CipherSuites defined at https://pkg.go.dev/crypto/tls/#pkg-constants
func GetVersion ¶
func GetVersion(connState *tls.ConnectionState) string
GetVersion returns the normalized TLS version. Available TLS versions defined at https://pkg.go.dev/crypto/tls/#pkg-constants
Types ¶
type CertAndStores ¶
// CertAndStores pairs a TLS certificate with the names of the stores it is
// added to (see Manager.UpdateConfigs).
type CertAndStores struct {
	// Certificate is the embedded cert/key pair; the yaml inline tag flattens
	// its certFile/keyFile fields into this struct.
	Certificate `yaml:",inline" export:"true"`
	// Stores lists the certificate store names this certificate belongs to.
	// Per DefaultTLSStoreName, only the default store is usable for now.
	Stores []string `json:"stores,omitempty" toml:"stores,omitempty" yaml:"stores,omitempty" export:"true"`
}
CertAndStores allows mapping a TLS certificate to a list of entry points.
func (*CertAndStores) DeepCopy ¶
func (in *CertAndStores) DeepCopy() *CertAndStores
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertAndStores.
func (*CertAndStores) DeepCopyInto ¶
func (in *CertAndStores) DeepCopyInto(out *CertAndStores)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type Certificate ¶
// Certificate holds an SSL cert/key pair. CertFile and KeyFile may each be a
// file path or the file content itself (see types.FileOrContent).
type Certificate struct {
	// CertFile is the certificate, as a path or inline content.
	CertFile types.FileOrContent `json:"certFile,omitempty" toml:"certFile,omitempty" yaml:"certFile,omitempty"`
	// KeyFile is the private key, as a path or inline content. The
	// loggable:"false" tag presumably keeps the key material out of logged
	// configuration — confirm with the helper that reads that tag.
	KeyFile types.FileOrContent `json:"keyFile,omitempty" toml:"keyFile,omitempty" yaml:"keyFile,omitempty" loggable:"false"`
}
Certificate holds an SSL cert/key pair. Certs and Key could be either a file path, or the file content itself.
func (*Certificate) GetCertificate ¶
func (c *Certificate) GetCertificate() (tls.Certificate, error)
GetCertificate returns a tls.Certificate matching the configured CertFile and KeyFile.
func (*Certificate) GetCertificateFromBytes ¶
func (c *Certificate) GetCertificateFromBytes() (tls.Certificate, error)
GetCertificateFromBytes returns a tls.Certificate matching the configured CertFile and KeyFile. It assumes that the configured CertFile and KeyFile are of byte type.
func (*Certificate) GetTruncatedCertificateName ¶
func (c *Certificate) GetTruncatedCertificateName() string
GetTruncatedCertificateName truncates the certificate name.
type CertificateData ¶
// CertificateData holds runtime data for TLS certificate handling.
type CertificateData struct {
	// Hash identifies this certificate; how it is computed is not visible here.
	Hash string
	// Certificate is the parsed cert/key pair handed to crypto/tls.
	Certificate *tls.Certificate
}
CertificateData holds runtime data for TLS certificate handling.
type CertificateStore ¶
// CertificateStore is a store for dynamic certificates; create it with
// NewCertificateStore rather than as a zero value.
type CertificateStore struct {
	// DynamicCerts holds the dynamically loaded certificates behind a safe.Safe
	// wrapper; the concrete value type it guards is not visible here.
	DynamicCerts *safe.Safe
	// DefaultCertificate is what GetDefaultCertificate returns; presumably used
	// when no dynamic certificate matches the client hello — confirm in GetBestCertificate.
	DefaultCertificate *CertificateData
	// CertCache caches GetBestCertificate responses; ResetCache clears it.
	CertCache *cache.Cache
	// contains filtered or unexported fields
}
CertificateStore is a store for dynamic certificates.
func NewCertificateStore ¶
func NewCertificateStore(ocspStapler *ocspStapler) *CertificateStore
NewCertificateStore creates a store for dynamic certificates.
func (*CertificateStore) GetAllDomains ¶
func (c *CertificateStore) GetAllDomains() []string
GetAllDomains returns a slice with all the certificate domains.
func (*CertificateStore) GetBestCertificate ¶
func (c *CertificateStore) GetBestCertificate(clientHello *tls.ClientHelloInfo) *tls.Certificate
GetBestCertificate returns the best match certificate, and caches the response.
func (*CertificateStore) GetCertificate ¶
func (c *CertificateStore) GetCertificate(domains []string) *CertificateData
GetCertificate returns the first certificate matching all the given domains.
func (*CertificateStore) GetDefaultCertificate ¶
func (c *CertificateStore) GetDefaultCertificate() *tls.Certificate
GetDefaultCertificate returns the default certificate.
func (*CertificateStore) ResetCache ¶
func (c *CertificateStore) ResetCache()
ResetCache clears the cache in the store.
type Certificates ¶
// Certificates defines the ingress certificates type; each entry's cert and
// key may be a file path or the file content itself. GetCertificates
// converts the slice to []tls.Certificate.
type Certificates []Certificate
Certificates defines the ingress certificates type. Certs and Keys could be either a file path, or the file content itself.
func (Certificates) GetCertificates ¶
func (c Certificates) GetCertificates() []tls.Certificate
GetCertificates retrieves the certificates as slice of tls.Certificate.
type ClientAuth ¶
// ClientAuth defines the parameters of the client authentication part of the
// TLS connection, if any.
type ClientAuth struct {
	// CAFiles holds the CA certificates (file path or inline content) that
	// client certificates are verified against; presumably only consulted by
	// the two "Verify" ClientAuthType modes.
	CAFiles []types.FileOrContent `json:"caFiles,omitempty" toml:"caFiles,omitempty" yaml:"caFiles,omitempty"`
	// ClientAuthType defines the client authentication type to apply.
	// The available values are the package constants: "NoClientCert",
	// "RequestClientCert", "RequireAnyClientCert", "VerifyClientCertIfGiven"
	// and "RequireAndVerifyClientCert". Only the last two verify the presented
	// certificate; "RequireAnyClientCert" accepts any certificate the client sends.
	ClientAuthType string `json:"clientAuthType,omitempty" toml:"clientAuthType,omitempty" yaml:"clientAuthType,omitempty" export:"true"`
}
ClientAuth defines the parameters of the client authentication part of the TLS connection, if any.
func (*ClientAuth) DeepCopy ¶
func (in *ClientAuth) DeepCopy() *ClientAuth
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClientAuth.
func (*ClientAuth) DeepCopyInto ¶
func (in *ClientAuth) DeepCopyInto(out *ClientAuth)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type FileOrContent ¶
// FileOrContent holds either a file path or the file content itself. IsPath
// reports which form the value is in; Read presumably resolves either form to
// the underlying bytes.
type FileOrContent string
FileOrContent holds a file path or content.
func (FileOrContent) IsPath ¶
func (f FileOrContent) IsPath() bool
IsPath returns true if the FileOrContent is a file path, otherwise returns false.
func (FileOrContent) Read ¶
func (f FileOrContent) Read() ([]byte, error)
func (FileOrContent) String ¶
func (f FileOrContent) String() string
type GeneratedCert ¶
// GeneratedCert defines the default generated certificate configuration,
// i.e. a store default certificate issued by an ACME resolver rather than
// supplied as a file (see Store.DefaultGeneratedCert).
type GeneratedCert struct {
	// Resolver is the name of the resolver that will be used to issue the DefaultCertificate.
	Resolver string `json:"resolver,omitempty" toml:"resolver,omitempty" yaml:"resolver,omitempty" export:"true"`
	// Domain is the domain definition for the DefaultCertificate.
	Domain *types.Domain `json:"domain,omitempty" toml:"domain,omitempty" yaml:"domain,omitempty" export:"true"`
}
GeneratedCert defines the default generated certificate configuration.
func (*GeneratedCert) DeepCopy ¶
func (in *GeneratedCert) DeepCopy() *GeneratedCert
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GeneratedCert.
func (*GeneratedCert) DeepCopyInto ¶
func (in *GeneratedCert) DeepCopyInto(out *GeneratedCert)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type Manager ¶
// Manager is the TLS option/store/configuration factory. Build it with
// NewManager, feed it with UpdateConfigs, and obtain configurations with Get.
type Manager struct {
	// contains filtered or unexported fields
}
Manager is the TLS option/store/configuration factory.
func NewManager ¶
func NewManager(ocspConfig *OCSPConfig) *Manager
NewManager creates a new Manager.
func (*Manager) GetServerCertificates ¶
func (m *Manager) GetServerCertificates() []*x509.Certificate
GetServerCertificates returns all certificates from the default store, as well as the user-defined default certificate (if it exists).
func (*Manager) GetStore ¶
func (m *Manager) GetStore(storeName string) *CertificateStore
GetStore returns the certificate store with the given name.
func (*Manager) UpdateConfigs ¶
func (m *Manager) UpdateConfigs(ctx context.Context, stores map[string]Store, configs map[string]Options, certs []*CertAndStores)
UpdateConfigs updates the TLS* configuration options. It initializes the default TLS store, and the TLS store for the ACME challenges.
type OCSPConfig ¶
// OCSPConfig contains the OCSP configuration passed to NewManager.
type OCSPConfig struct {
	// ResponderOverrides presumably maps an OCSP responder URL found in a
	// certificate to the URL that is queried instead — confirm against the
	// stapler. The struct tag is elided in this rendering.
	ResponderOverrides map[string]string `` /* 192-byte string literal not displayed */
}
OCSPConfig contains the OCSP configuration.
type Options ¶
// Options configures TLS for an entry point. See DefaultTLSOptions for the
// values used when nothing is configured.
type Options struct {
	// MinVersion is a key of the MinVersion map, e.g. "VersionTLS12".
	MinVersion string `json:"minVersion,omitempty" toml:"minVersion,omitempty" yaml:"minVersion,omitempty" export:"true"`
	// MaxVersion is a key of the MaxVersion map.
	MaxVersion string `json:"maxVersion,omitempty" toml:"maxVersion,omitempty" yaml:"maxVersion,omitempty" export:"true"`
	// CipherSuites lists keys of the CipherSuites map.
	CipherSuites []string `json:"cipherSuites,omitempty" toml:"cipherSuites,omitempty" yaml:"cipherSuites,omitempty" export:"true"`
	// CurvePreferences lists keys of the CurveIDs map.
	CurvePreferences []string `json:"curvePreferences,omitempty" toml:"curvePreferences,omitempty" yaml:"curvePreferences,omitempty" export:"true"`
	// ClientAuth configures mutual-TLS client authentication.
	ClientAuth ClientAuth `json:"clientAuth,omitempty" toml:"clientAuth,omitempty" yaml:"clientAuth,omitempty"`
	// SniStrict presumably rejects handshakes whose SNI matches no certificate
	// instead of serving a default one — confirm in Manager.Get.
	SniStrict bool `json:"sniStrict,omitempty" toml:"sniStrict,omitempty" yaml:"sniStrict,omitempty" export:"true"`
	// ALPNProtocols lists the protocols offered via ALPN, in preference order.
	ALPNProtocols []string `json:"alpnProtocols,omitempty" toml:"alpnProtocols,omitempty" yaml:"alpnProtocols,omitempty" export:"true"`
	// DisableSessionTickets presumably maps to tls.Config.SessionTicketsDisabled;
	// the struct tag is elided in this rendering.
	DisableSessionTickets bool `` /* 130-byte string literal not displayed */
	// Deprecated: crypto/tls ignores this setting and orders cipher suites
	// itself (https://github.com/golang/go/issues/45430). Struct tag elided in
	// this rendering.
	PreferServerCipherSuites *bool `` /* 139-byte string literal not displayed */
}
Options configures TLS for an entry point.
func (*Options) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Options.
func (*Options) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*Options) SetDefaults ¶
func (o *Options) SetDefaults()
SetDefaults sets the default values for an Options struct.
type Store ¶
// Store holds the options for a given Store (see DefaultTLSStoreName).
type Store struct {
	// DefaultCertificate is a user-supplied default cert/key pair; presumably
	// served when no other certificate matches. Struct tag elided in this rendering.
	DefaultCertificate *Certificate `` /* 131-byte string literal not displayed */
	// DefaultGeneratedCert describes a default certificate to be issued by an
	// ACME resolver instead (see GeneratedCert). Struct tag elided in this rendering.
	DefaultGeneratedCert *GeneratedCert `` /* 127-byte string literal not displayed */
}
Store holds the options for a given Store.
func (*Store) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Store.
func (*Store) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.