Commit ea410b38 authored by k8s-merge-robot's avatar k8s-merge-robot

Merge pull request #14063 from deads2k/enable-system-ca

Auto commit by PR queue bot
parents 62d8cfb6 a093ea34
...@@ -171,30 +171,41 @@ func NewClientCertTLSConfig(certData, keyData, caData []byte) (*tls.Config, erro ...@@ -171,30 +171,41 @@ func NewClientCertTLSConfig(certData, keyData, caData []byte) (*tls.Config, erro
if err != nil { if err != nil {
return nil, err return nil, err
} }
certPool := x509.NewCertPool()
certPool.AppendCertsFromPEM(caData)
return &tls.Config{ return &tls.Config{
// Change default from SSLv3 to TLSv1.0 (because of POODLE vulnerability) // Change default from SSLv3 to TLSv1.0 (because of POODLE vulnerability)
MinVersion: tls.VersionTLS10, MinVersion: tls.VersionTLS10,
Certificates: []tls.Certificate{ Certificates: []tls.Certificate{
cert, cert,
}, },
RootCAs: certPool, RootCAs: rootCertPool(caData),
ClientCAs: certPool,
ClientAuth: tls.RequireAndVerifyClientCert,
}, nil }, nil
} }
func NewTLSConfig(caData []byte) (*tls.Config, error) { func NewTLSConfig(caData []byte) (*tls.Config, error) {
certPool := x509.NewCertPool()
certPool.AppendCertsFromPEM(caData)
return &tls.Config{ return &tls.Config{
// Change default from SSLv3 to TLSv1.0 (because of POODLE vulnerability) // Change default from SSLv3 to TLSv1.0 (because of POODLE vulnerability)
MinVersion: tls.VersionTLS10, MinVersion: tls.VersionTLS10,
RootCAs: certPool, RootCAs: rootCertPool(caData),
}, nil }, nil
} }
// rootCertPool returns nil if caData is empty. When passed along, this will mean "use system CAs".
// When caData is not empty, it will be the ONLY information used in the CertPool.
func rootCertPool(caData []byte) *x509.CertPool {
// What we really want is a copy of x509.systemRootsPool, but that isn't exposed. It's difficult to build (see the go
// code for a look at the platform specific insanity), so we'll use the fact that RootCAs == nil gives us the system values
// It doesn't allow trusting either/or, but hopefully that won't be an issue
if len(caData) == 0 {
return nil
}
// if we have caData, use it
certPool := x509.NewCertPool()
certPool.AppendCertsFromPEM(caData)
return certPool
}
func NewUnsafeTLSConfig() *tls.Config { func NewUnsafeTLSConfig() *tls.Config {
return &tls.Config{ return &tls.Config{
InsecureSkipVerify: true, InsecureSkipVerify: true,
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment