Constants ¶
// H2TLSProto is the ALPN protocol identifier for HTTP/2 ("h2"). GetTLSCfg appends
// it to the NextProtos list when HTTP/2 support is requested.
const H2TLSProto = "h2"
Variables ¶
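var (
	// DefaultCurve lists the supported TLS curves (key-exchange groups),
	// in order of preference.
	DefaultCurve = []tls.CurveID{tls.CurveP256, tls.X25519}

	// DefaultCipher lists the accepted cipher suites, in order of preference.
	//
	// NOTE(review): crypto/tls applies a CipherSuites list only to TLS 1.2 and
	// below; the TLS 1.3 suites (TLS_AES_* and TLS_CHACHA20_POLY1305_SHA256)
	// are always enabled and cannot be restricted through it, so their
	// presence here is informational only.
	//
	// NOTE(review): TLS_RSA_WITH_AES_256_GCM_SHA384 uses static RSA key
	// exchange and offers no forward secrecy. It is kept for legacy clients;
	// drop it if no such client has to be supported.
	DefaultCipher = []uint16{
		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, // previously listed twice; duplicate removed
		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
		tls.TLS_AES_128_GCM_SHA256,
		tls.TLS_AES_256_GCM_SHA384,
		tls.TLS_CHACHA20_POLY1305_SHA256,
		tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
	}

	// ErrParseUserCA is returned when the CA certificate at the configured
	// path cannot be parsed.
	ErrParseUserCA = errors.New("failed to parse root certificate")
)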
Functions ¶
func GetTLSCfg ¶
GetTLSCfg returns a tls.Config ready for mTLS. Optional HTTP/2 support can be enabled via the http2 variadic argument; enabling it adds "h2" (H2TLSProto) to the NextProtos list. The client-certificate SAN validation approach is credited to https://dev.to/living_syn/validating-client-certificate-sans-in-go-i5p; see example/http2/main.go for a complete example.
Types ¶
type Config ¶
type Config struct {
	// Hash is a unique hash of the cert + key + ca content.
	Hash string `json:"hash" mapstructure:"hash"`
	// Cert is the path to the TLS certificate.
	Cert string `json:"cert" mapstructure:"cert"`
	// Key is the path to the TLS private key.
	Key string `json:"key" mapstructure:"key"`
	// Ca is the path to the TLS CA certificate. The Go initialism form would be
	// CA, but the exported field name is kept as is to avoid breaking callers.
	Ca string `json:"ca" mapstructure:"ca"`
	// Level is the client-authentication level. Only RequireAndVerifyClientCert
	// and RequireAndVerifyClientCertAndSAN actually authenticate the peer; the
	// lower levels accept a missing or unverified client certificate.
	Level Level `json:"level" mapstructure:"level"`
	// Insecure is true if insecure TLS is allowed (client side).
	// NOTE(review): presumably this skips server certificate verification —
	// confirm in GetTLSCfg; it should never be enabled outside of tests.
	Insecure bool `json:"insecure" mapstructure:"insecure"`
}
Config holds the TLS configuration read from the config file.
type Level ¶
// Level is the client-authentication level. It is declared over
// tls.ClientAuthType, and the first five constants mirror that type's values in
// the same order (via iota), so their numeric values must not be reordered.
// RequireAndVerifyClientCertAndSAN is an extra level with no crypto/tls
// equivalent; how STD maps it is not visible here.
//
// Security note: only RequireAndVerifyClientCert and
// RequireAndVerifyClientCertAndSAN authenticate the client. Every lower level
// either does not require a certificate or does not verify the one sent.
type Level tls.ClientAuthType

const (
	// NoClientCert indicates that no client certificate should be requested
	// during the handshake, and if any certificates are sent they will not
	// be verified.
	NoClientCert Level = iota
	// RequestClientCert indicates that a client certificate should be requested
	// during the handshake, but does not require that the client send any
	// certificates.
	RequestClientCert
	// RequireAnyClientCert indicates that a client certificate should be requested
	// during the handshake, and that at least one certificate is required to be
	// sent by the client, but that certificate is not required to be valid.
	// This provides no authentication on its own.
	RequireAnyClientCert
	// VerifyClientCertIfGiven indicates that a client certificate should be requested
	// during the handshake, but does not require that the client sends a
	// certificate. If the client does send a certificate it is required to be
	// valid.
	VerifyClientCertIfGiven
	// RequireAndVerifyClientCert indicates that a client certificate should be requested
	// during the handshake, and that at least one valid certificate is required
	// to be sent by the client.
	RequireAndVerifyClientCert
	// RequireAndVerifyClientCertAndSAN is the same as RequireAndVerifyClientCert
	// with an extra check of the certificate's SAN, so that a certificate that
	// chains to the CA but was issued to a different identity is still rejected.
	RequireAndVerifyClientCertAndSAN
)
func (Level) MarshalJSON ¶
func (Level) STD ¶
func (lv Level) STD() tls.ClientAuthType
func (*Level) UnmarshalJSON ¶
type LevelError ¶
// LevelError reports an invalid Level value.
// NOTE(review): presumably returned by (*Level).UnmarshalJSON when the
// configured level is unknown — confirm against its implementation.
type LevelError struct {
	// contains filtered or unexported fields
}
func (LevelError) Error ¶
func (e LevelError) Error() string