mirror of
https://github.com/VictoriaMetrics/VictoriaMetrics.git
synced 2024-11-21 14:44:00 +00:00
lib/netutil: move creation of GetCertificate callback into a separate function
This improves code readability a bit
This commit is contained in:
parent
8412219781
commit
bd454f5063
1 changed files with 25 additions and 23 deletions
|
@ -12,44 +12,46 @@ import (
|
||||||
|
|
||||||
// GetServerTLSConfig returns TLS config for the server.
|
// GetServerTLSConfig returns TLS config for the server.
|
||||||
func GetServerTLSConfig(tlsCertFile, tlsKeyFile, tlsMinVersion string, tlsCipherSuites []string) (*tls.Config, error) {
|
func GetServerTLSConfig(tlsCertFile, tlsKeyFile, tlsMinVersion string, tlsCipherSuites []string) (*tls.Config, error) {
|
||||||
var certLock sync.Mutex
|
minVersion, err := ParseTLSVersion(tlsMinVersion)
|
||||||
var certDeadline uint64
|
|
||||||
var cert *tls.Certificate
|
|
||||||
c, err := tls.LoadX509KeyPair(tlsCertFile, tlsKeyFile)
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("cannot load TLS cert from certFile=%q, keyFile=%q: %w", tlsCertFile, tlsKeyFile, err)
|
return nil, fmt.Errorf("cannnot use TLS min version from tlsMinVersion=%q. Supported TLS versions (TLS10, TLS11, TLS12, TLS13): %w", tlsMinVersion, err)
|
||||||
}
|
}
|
||||||
cipherSuites, err := cipherSuitesFromNames(tlsCipherSuites)
|
cipherSuites, err := cipherSuitesFromNames(tlsCipherSuites)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("cannot use TLS cipher suites from tlsCipherSuites=%q: %w", tlsCipherSuites, err)
|
return nil, fmt.Errorf("cannot use TLS cipher suites from tlsCipherSuites=%q: %w", tlsCipherSuites, err)
|
||||||
}
|
}
|
||||||
minVersion, err := ParseTLSVersion(tlsMinVersion)
|
|
||||||
if err != nil {
|
|
||||||
return nil, fmt.Errorf("cannnot use TLS min version from tlsMinVersion=%q. Supported TLS versions (TLS10, TLS11, TLS12, TLS13): %w", tlsMinVersion, err)
|
|
||||||
}
|
|
||||||
cert = &c
|
|
||||||
cfg := &tls.Config{
|
cfg := &tls.Config{
|
||||||
MinVersion: minVersion,
|
MinVersion: minVersion,
|
||||||
|
|
||||||
// Do not set MaxVersion, since this has no sense from security PoV.
|
// Do not set MaxVersion, since this has no sense from security PoV.
|
||||||
// This can only result in lower security level if improperly set.
|
// This can only result in lower security level if improperly set.
|
||||||
GetCertificate: func(_ *tls.ClientHelloInfo) (*tls.Certificate, error) {
|
|
||||||
certLock.Lock()
|
|
||||||
defer certLock.Unlock()
|
|
||||||
if fasttime.UnixTimestamp() > certDeadline {
|
|
||||||
c, err = tls.LoadX509KeyPair(tlsCertFile, tlsKeyFile)
|
|
||||||
if err != nil {
|
|
||||||
return nil, fmt.Errorf("cannot load TLS cert from certFile=%q, keyFile=%q: %w", tlsCertFile, tlsKeyFile, err)
|
|
||||||
}
|
|
||||||
certDeadline = fasttime.UnixTimestamp() + 1
|
|
||||||
cert = &c
|
|
||||||
}
|
|
||||||
return cert, nil
|
|
||||||
},
|
|
||||||
CipherSuites: cipherSuites,
|
CipherSuites: cipherSuites,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
cfg.GetCertificate = newGetCertificateFunc(tlsCertFile, tlsKeyFile)
|
||||||
return cfg, nil
|
return cfg, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func newGetCertificateFunc(tlsCertFile, tlsKeyFile string) func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
|
||||||
|
var certLock sync.Mutex
|
||||||
|
var certDeadline uint64
|
||||||
|
var cert *tls.Certificate
|
||||||
|
return func(_ *tls.ClientHelloInfo) (*tls.Certificate, error) {
|
||||||
|
certLock.Lock()
|
||||||
|
defer certLock.Unlock()
|
||||||
|
if fasttime.UnixTimestamp() > certDeadline {
|
||||||
|
c, err := tls.LoadX509KeyPair(tlsCertFile, tlsKeyFile)
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("cannot load TLS cert from certFile=%q, keyFile=%q: %w", tlsCertFile, tlsKeyFile, err)
|
||||||
|
}
|
||||||
|
certDeadline = fasttime.UnixTimestamp() + 1
|
||||||
|
cert = &c
|
||||||
|
}
|
||||||
|
return cert, nil
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
func cipherSuitesFromNames(cipherSuiteNames []string) ([]uint16, error) {
|
func cipherSuitesFromNames(cipherSuiteNames []string) ([]uint16, error) {
|
||||||
if len(cipherSuiteNames) == 0 {
|
if len(cipherSuiteNames) == 0 {
|
||||||
return nil, nil
|
return nil, nil
|
||||||
|
|
Loading…
Reference in a new issue