tls

package
v0.8.0
Published: Jun 3, 2026 License: MIT Imports: 5 Imported by: 0

Documentation

Overview

Package tls holds the shared TLS plumbing used across every transport in the framework (HTTP, gRPC and the gateway): the hardened default config, the typed TLSPair config shape with shared/per-transport resolution, and the client-side cert-pool helpers. Keeping it in one place decouples the http and grpc packages from each other and gives the gateway a single dependency.


Constants

const SharedPrefix = "server.tls"

SharedPrefix is the config prefix for TLS settings shared across every transport. A transport-specific prefix (e.g. "server.grpc.tls") overrides individual fields, so one certificate can serve all transports with per-transport overrides where needed.

Variables

This section is empty.

Functions

func CertPool

func CertPool(caFiles ...string) (*x509.CertPool, error)

CertPool builds an x509 certificate pool seeded with the given PEM CA/cert files, so clients can trust certificates that are not in the system roots (self-signed or private CA). Pass the same cert files the servers present to share one trust anchor across gRPC, HTTP and the gateway.

func ClientConfig

func ClientConfig(caFiles ...string) (*cryptotls.Config, error)

ClientConfig returns a hardened client TLS config (DefaultConfig) that trusts the given CA/cert files via a custom pool. With no files it returns the default config, which trusts the system roots.

func DefaultConfig

func DefaultConfig() *cryptotls.Config

DefaultConfig returns the hardened TLS configuration shared across HTTP and gRPC servers and the HTTP client. It enforces TLS 1.2 minimum with curated AEAD cipher suites and modern curve preferences.

Example
package main

import (
	"fmt"

	gtbtls "gitlab.com/phpboyscout/go-tool-base/pkg/tls"
)

func main() {
	// DefaultConfig returns the shared hardened TLS configuration used by the
	// HTTP, gRPC and gateway transports.
	cfg := gtbtls.DefaultConfig()

	// MinVersion is printed as its numeric protocol value: 771 == 0x0303 == tls.VersionTLS12.
	fmt.Println("Min TLS version:", cfg.MinVersion)
	// The curated suite list is AEAD-only, so no CBC or RC4 suites are ever negotiated.
	fmt.Println("Cipher suites:", len(cfg.CipherSuites))
}
Output:
Min TLS version: 771
Cipher suites: 6
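As an added example that is not part of this package (it does not import it), the block below builds a config with the properties the page attributes to DefaultConfig and then audits any *tls.Config against that policy: minimum TLS 1.2, nothing on crypto/tls's insecure list, and AEAD-only suites. The exact suite and curve list in hardenedDefault is an assumption; the page only states there are six AEAD suites. AuditConfig is the kind of check a deployment test can run against whatever config a transport actually ends up with after overrides.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// hardenedDefault mirrors the properties the page gives for DefaultConfig:
// TLS 1.2 minimum, AEAD-only suites, modern curves. The concrete lists are
// an assumption, not copied from the framework.
func hardenedDefault() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		},
		CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256},
	}
}

// AuditConfig returns one finding per policy violation in cfg (empty when it
// passes): MinVersion >= TLS 1.2, no suite from tls.InsecureCipherSuites(),
// and every configured suite an AEAD (GCM or ChaCha20-Poly1305) suite.
func AuditConfig(cfg *tls.Config) []string {
	var findings []string
	if cfg.MinVersion < tls.VersionTLS12 {
		findings = append(findings, "MinVersion below TLS 1.2 (or unset)")
	}
	insecure := map[uint16]string{}
	for _, s := range tls.InsecureCipherSuites() {
		insecure[s.ID] = s.Name
	}
	aead := map[uint16]bool{} // IDs from the stdlib's secure list that are AEAD
	for _, s := range tls.CipherSuites() {
		aead[s.ID] = strings.Contains(s.Name, "GCM") || strings.Contains(s.Name, "CHACHA20")
	}
	for _, id := range cfg.CipherSuites {
		if name, ok := insecure[id]; ok {
			findings = append(findings, "insecure cipher suite: "+name)
		} else if !aead[id] {
			findings = append(findings, "non-AEAD cipher suite: "+tls.CipherSuiteName(id))
		}
	}
	return findings
}

func main() {
	fmt.Println("hardened findings:", AuditConfig(hardenedDefault()))
	// Constructed weak config: no MinVersion, one RC4 suite, one CBC suite.
	weak := &tls.Config{CipherSuites: []uint16{tls.TLS_RSA_WITH_RC4_128_SHA, tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA}}
	fmt.Println("weak findings:", AuditConfig(weak))
}
```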

Types

type Pair

type Pair struct {
	Enabled bool   `mapstructure:"enabled" yaml:"enabled" json:"enabled"`
	Cert    string `mapstructure:"cert"    yaml:"cert"    json:"cert"`
	Key     string `mapstructure:"key"     yaml:"key"     json:"key"`
}

Pair is the typed enabled/cert/key triple used to configure TLS for any transport. It carries struct tags so the same shape marshals to and from config consistently wherever it is used.

func Resolve

func Resolve(cfg config.Containable, transportPrefix string) Pair

Resolve resolves the TLS settings for a transport. It starts from the shared SharedPrefix ("server.tls") and overrides each field individually from the transport-specific prefix (e.g. "server.grpc.tls", "server.http.tls", "server.gateway.tls") whenever that key is set. This lets a single certificate serve every transport, with per-transport overrides where needed.

func (Pair) Certificate

func (p Pair) Certificate() (cryptotls.Certificate, error)

Certificate loads the X509 key pair described by the pair.

func (Pair) ServerConfig

func (p Pair) ServerConfig(nextProtos ...string) (*cryptotls.Config, error)

ServerConfig returns the hardened DefaultConfig with this pair's certificate loaded. Pass nextProtos to advertise ALPN protocols (e.g. "h2" for a raw gRPC TLS listener); when empty the config's defaults are left as-is.

func (Pair) Valid

func (p Pair) Valid() bool

Valid reports whether TLS is enabled and both certificate paths are present.
