Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
de1a9e31
Commit
de1a9e31
authored
Oct 13, 2015
by
k8s-merge-robot
Browse files
Options
Browse Files
Download
Plain Diff
Merge pull request #15430 from liggitt/fix_tls_config_for
Auto commit by PR queue bot
parents
ae9f7c8f
0ed67514
Hide whitespace changes
Inline
Side-by-side
Showing
2 changed files
with
17 additions
and
50 deletions
+17
-50
transport.go
pkg/client/unversioned/transport.go
+17
-43
transport_test.go
pkg/client/unversioned/transport_test.go
+0
-7
No files found.
pkg/client/unversioned/transport.go
View file @
de1a9e31
...
@@ -110,28 +110,32 @@ func TLSConfigFor(config *Config) (*tls.Config, error) {
...
@@ -110,28 +110,32 @@ func TLSConfigFor(config *Config) (*tls.Config, error) {
hasCA
:=
len
(
config
.
CAFile
)
>
0
||
len
(
config
.
CAData
)
>
0
hasCA
:=
len
(
config
.
CAFile
)
>
0
||
len
(
config
.
CAData
)
>
0
hasCert
:=
len
(
config
.
CertFile
)
>
0
||
len
(
config
.
CertData
)
>
0
hasCert
:=
len
(
config
.
CertFile
)
>
0
||
len
(
config
.
CertData
)
>
0
if
!
hasCA
&&
!
hasCert
&&
!
config
.
Insecure
{
return
nil
,
nil
}
if
hasCA
&&
config
.
Insecure
{
if
hasCA
&&
config
.
Insecure
{
return
nil
,
fmt
.
Errorf
(
"specifying a root certificates file with the insecure flag is not allowed"
)
return
nil
,
fmt
.
Errorf
(
"specifying a root certificates file with the insecure flag is not allowed"
)
}
}
if
err
:=
LoadTLSFiles
(
config
);
err
!=
nil
{
if
err
:=
LoadTLSFiles
(
config
);
err
!=
nil
{
return
nil
,
err
return
nil
,
err
}
}
var
tlsConfig
*
tls
.
Config
switch
{
tlsConfig
:=
&
tls
.
Config
{
case
hasCert
:
// Change default from SSLv3 to TLSv1.0 (because of POODLE vulnerability)
cfg
,
err
:=
NewClientCertTLSConfig
(
config
.
CertData
,
config
.
KeyData
,
config
.
CAData
)
MinVersion
:
tls
.
VersionTLS10
,
if
err
!=
nil
{
InsecureSkipVerify
:
config
.
Insecure
,
return
nil
,
err
}
}
tlsConfig
=
cfg
if
hasCA
{
case
hasCA
:
tlsConfig
.
RootCAs
=
rootCertPool
(
config
.
CAData
)
cfg
,
err
:=
NewTLSConfig
(
config
.
CAData
)
}
if
hasCert
{
cert
,
err
:=
tls
.
X509KeyPair
(
config
.
CertData
,
config
.
KeyData
)
if
err
!=
nil
{
if
err
!=
nil
{
return
nil
,
err
return
nil
,
err
}
}
tlsConfig
=
cfg
tlsConfig
.
Certificates
=
[]
tls
.
Certificate
{
cert
}
case
config
.
Insecure
:
tlsConfig
=
NewUnsafeTLSConfig
()
}
}
return
tlsConfig
,
nil
return
tlsConfig
,
nil
...
@@ -186,30 +190,6 @@ func dataFromSliceOrFile(data []byte, file string) ([]byte, error) {
...
@@ -186,30 +190,6 @@ func dataFromSliceOrFile(data []byte, file string) ([]byte, error) {
return
nil
,
nil
return
nil
,
nil
}
}
func
NewClientCertTLSConfig
(
certData
,
keyData
,
caData
[]
byte
)
(
*
tls
.
Config
,
error
)
{
cert
,
err
:=
tls
.
X509KeyPair
(
certData
,
keyData
)
if
err
!=
nil
{
return
nil
,
err
}
return
&
tls
.
Config
{
// Change default from SSLv3 to TLSv1.0 (because of POODLE vulnerability)
MinVersion
:
tls
.
VersionTLS10
,
Certificates
:
[]
tls
.
Certificate
{
cert
,
},
RootCAs
:
rootCertPool
(
caData
),
},
nil
}
func
NewTLSConfig
(
caData
[]
byte
)
(
*
tls
.
Config
,
error
)
{
return
&
tls
.
Config
{
// Change default from SSLv3 to TLSv1.0 (because of POODLE vulnerability)
MinVersion
:
tls
.
VersionTLS10
,
RootCAs
:
rootCertPool
(
caData
),
},
nil
}
// rootCertPool returns nil if caData is empty. When passed along, this will mean "use system CAs".
// rootCertPool returns nil if caData is empty. When passed along, this will mean "use system CAs".
// When caData is not empty, it will be the ONLY information used in the CertPool.
// When caData is not empty, it will be the ONLY information used in the CertPool.
func
rootCertPool
(
caData
[]
byte
)
*
x509
.
CertPool
{
func
rootCertPool
(
caData
[]
byte
)
*
x509
.
CertPool
{
...
@@ -226,12 +206,6 @@ func rootCertPool(caData []byte) *x509.CertPool {
...
@@ -226,12 +206,6 @@ func rootCertPool(caData []byte) *x509.CertPool {
return
certPool
return
certPool
}
}
func
NewUnsafeTLSConfig
()
*
tls
.
Config
{
return
&
tls
.
Config
{
InsecureSkipVerify
:
true
,
}
}
// cloneRequest returns a clone of the provided *http.Request.
// cloneRequest returns a clone of the provided *http.Request.
// The clone is a shallow copy of the struct and its Header map.
// The clone is a shallow copy of the struct and its Header map.
func
cloneRequest
(
r
*
http
.
Request
)
*
http
.
Request
{
func
cloneRequest
(
r
*
http
.
Request
)
*
http
.
Request
{
...
...
pkg/client/unversioned/transport_test.go
View file @
de1a9e31
...
@@ -24,13 +24,6 @@ import (
...
@@ -24,13 +24,6 @@ import (
"k8s.io/kubernetes/pkg/api/testapi"
"k8s.io/kubernetes/pkg/api/testapi"
)
)
func
TestUnsecuredTLSTransport
(
t
*
testing
.
T
)
{
cfg
:=
NewUnsafeTLSConfig
()
if
!
cfg
.
InsecureSkipVerify
{
t
.
Errorf
(
"expected config to be insecure"
)
}
}
type
testRoundTripper
struct
{
type
testRoundTripper
struct
{
Request
*
http
.
Request
Request
*
http
.
Request
Response
*
http
.
Response
Response
*
http
.
Response
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment