From 464b65a3580fffc5c7b9b0c47db0915f0584940e Mon Sep 17 00:00:00 2001
From: Anshul Khandelwal
Date: Tue, 18 Jun 2024 18:10:26 +0530
Subject: [PATCH 1/4] tls config as a option
---
 handshake.go | 17 +++++++++++------
 options.go | 10 ++++++++++
 wire.go | 1 +
 3 files changed, 22 insertions(+), 6 deletions(-)
diff --git a/handshake.go b/handshake.go
index 721bfb7..6d8c8a0 100644
--- a/handshake.go
+++ b/handshake.go
@@ -146,7 +146,7 @@ func (srv *Server) potentialConnUpgrade(conn net.Conn, reader *buffer.Reader, ve
 srv.logger.Debug("attempting to upgrade the client to a TLS connection")
- if len(srv.Certificates) == 0 {
+ if len(srv.Certificates) == 0 && srv.TLSConfig == nil {
 srv.logger.Debug("no TLS certificates available continuing with a insecure connection")
 return srv.sslUnsupported(conn, reader, version)
 }
@@ -156,15 +156,20 @@ func (srv *Server) potentialConnUpgrade(conn net.Conn, reader *buffer.Reader, ve
 return conn, reader, version, err
 }
- tlsConfig := tls.Config{
- Certificates: srv.Certificates,
- ClientAuth: srv.ClientAuth,
- ClientCAs: srv.ClientCAs,
+ var tlsConfig *tls.Config
+ if srv.TLSConfig != nil {
+ tlsConfig = srv.TLSConfig
+ } else {
+ tlsConfig = &tls.Config{
+ Certificates: srv.Certificates,
+ ClientAuth: srv.ClientAuth,
+ ClientCAs: srv.ClientCAs,
+ }
 }
 // NOTE: initialize the TLS connection and construct a new buffered
 // reader for the constructed TLS connection.
- conn = tls.Server(conn, &tlsConfig)
+ conn = tls.Server(conn, tlsConfig)
 reader = buffer.NewReader(srv.logger, conn, srv.BufferedMsgSize)
 version, err = srv.readVersion(reader)
diff --git a/options.go b/options.go
index 29b6b9b..0c84d91 100644
--- a/options.go
+++ b/options.go
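Review bot: The new `if srv.TLSConfig != nil` branch silently takes the supplied config and discards srv.Certificates, srv.ClientAuth and srv.ClientCAs, so a caller who sets ClientAuth through its option but passes a TLSConfig without it loses client-certificate enforcement with no error or log line. Until the third patch in this series removes those fields, the safer behaviour is to reject the combination when the options are applied, or at minimum state the precedence on the TLSConfig option doc, e.g. `// TLSConfig, when set, is used as-is; Certificates, ClientAuth and ClientCAs are ignored.`. potentialConnUpgrade starts and ends outside the hunk.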
@@ -146,6 +146,16 @@ func MessageBufferSize(size int) OptionFn {
 }
 }
+// Certificates sets the given TLS config to be used to initialize a
+// secure connection between the front-end (client) and back-end (server).
+// Prefer TLSConfig over Certificates and ClientCAs.
+func TLSConfig(config *tls.Config) OptionFn {
+ return func(srv *Server) error {
+ srv.TLSConfig = config
+ return nil
+ }
+}
+
 // Certificates sets the given TLS certificates to be used to initialize a
 // secure connection between the front-end (client) and back-end (server).
 func Certificates(certs []tls.Certificate) OptionFn {
diff --git a/wire.go b/wire.go
index 474b038..158f19e 100644
--- a/wire.go
+++ b/wire.go
@@ -61,6 +61,7 @@ type Server struct {
 Auth AuthStrategy
 BufferedMsgSize int
 Parameters Parameters
+ TLSConfig *tls.Config
 Certificates []tls.Certificate
 ClientCAs *x509.CertPool
 ClientAuth tls.ClientAuthType
From 8f9cac59a66a08772cf374de5bcbaf516c3dd44f Mon Sep 17 00:00:00 2001
From: Anshul Khandelwal
Date: Tue, 18 Jun 2024 18:13:22 +0530
Subject: [PATCH 2/4] tls config as a option
---
 options.go | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/options.go b/options.go
index 0c84d91..5f58c58 100644
--- a/options.go
+++ b/options.go
@@ -146,9 +146,8 @@ func MessageBufferSize(size int) OptionFn {
 }
 }
-// Certificates sets the given TLS config to be used to initialize a
+// TLSConfig sets the given TLS config to be used to initialize a
 // secure connection between the front-end (client) and back-end (server).
-// Prefer TLSConfig over Certificates and ClientCAs.
 func TLSConfig(config *tls.Config) OptionFn {
 return func(srv *Server) error {
 srv.TLSConfig = config
From cfbb3f64518be22a9ad26d4c71ffe6c9a2cc0ab4 Mon Sep 17 00:00:00 2001
From: Jeroen Rinzema
Date: Mon, 11 Nov 2024 22:40:56 +0100
Subject: [PATCH 3/4] feat: support TLS config
---
 handshake.go | 15 ++------------
 options.go | 28 ----------------------------
 wire.go | 4 ----
 3 files changed, 2 insertions(+), 45 deletions(-)
diff --git a/handshake.go b/handshake.go
index 6d8c8a0..cc29717 100644
--- a/handshake.go
+++ b/handshake.go
@@ -146,7 +146,7 @@ func (srv *Server) potentialConnUpgrade(conn net.Conn, reader *buffer.Reader, ve
 srv.logger.Debug("attempting to upgrade the client to a TLS connection")
- if len(srv.Certificates) == 0 && srv.TLSConfig == nil {
+ if srv.TLSConfig == nil || len(srv.TLSConfig.Certificates) == 0 {
 srv.logger.Debug("no TLS certificates available continuing with a insecure connection")
 return srv.sslUnsupported(conn, reader, version)
 }
@@ -156,20 +156,9 @@ func (srv *Server) potentialConnUpgrade(conn net.Conn, reader *buffer.Reader, ve
 return conn, reader, version, err
 }
- var tlsConfig *tls.Config
- if srv.TLSConfig != nil {
- tlsConfig = srv.TLSConfig
- } else {
- tlsConfig = &tls.Config{
- Certificates: srv.Certificates,
- ClientAuth: srv.ClientAuth,
- ClientCAs: srv.ClientCAs,
- }
- }
-
 // NOTE: initialize the TLS connection and construct a new buffered
 // reader for the constructed TLS connection.
- conn = tls.Server(conn, tlsConfig)
+ conn = tls.Server(conn, srv.TLSConfig)
 reader = buffer.NewReader(srv.logger, conn, srv.BufferedMsgSize)
 version, err = srv.readVersion(reader)
diff --git a/options.go b/options.go
index 5f58c58..b655c3f 100644
--- a/options.go
+++ b/options.go
@@ -3,7 +3,6 @@ package wire
 import (
 "context"
 "crypto/tls"
- "crypto/x509"
 "regexp"
 "strconv"
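Review bot: The new condition on the `if` line in the first handshake.go hunk treats any TLSConfig with an empty Certificates slice as "no TLS", which also covers configs that provide certificates through GetCertificate or GetConfigForClient (the usual shape for per-SNI or automatically renewed certificates); such a server would take the sslUnsupported path, which by its name presumably declines the client's SSL request, and continue in the clear even though the operator configured TLS. Counting those callbacks keeps the fallback only for a genuinely certificate-less config: `if srv.TLSConfig == nil || (len(srv.TLSConfig.Certificates) == 0 && srv.TLSConfig.GetCertificate == nil && srv.TLSConfig.GetConfigForClient == nil) {`. The fallback itself is logged at Debug on the following context line, which is easy to miss in production; if the logger offers a higher level, logging an unintended plaintext downgrade there would make the misconfiguration visible. potentialConnUpgrade starts and ends outside the hunk.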
@@ -155,33 +154,6 @@ func TLSConfig(config *tls.Config) OptionFn {
 }
 }
-// Certificates sets the given TLS certificates to be used to initialize a
-// secure connection between the front-end (client) and back-end (server).
-func Certificates(certs []tls.Certificate) OptionFn {
- return func(srv *Server) error {
- srv.Certificates = certs
- return nil
- }
-}
-
-// ClientCAs sets the given Client CAs to be used, by the server, to verify a
-// secure connection between the front-end (client) and back-end (server).
-func ClientCAs(cas *x509.CertPool) OptionFn {
- return func(srv *Server) error {
- srv.ClientCAs = cas
- return nil
- }
-}
-
-// ClientAuth sets the given Client Auth to be used, by the server, to verify a
-// secure connection between the front-end (client) and back-end (server).
-func ClientAuth(authType tls.ClientAuthType) OptionFn {
- return func(srv *Server) error {
- srv.ClientAuth = authType
- return nil
- }
-}
-
 // SessionAuthStrategy sets the given authentication strategy within the given
 // server. The authentication strategy is called when a handshake is initiated.
 func SessionAuthStrategy(fn AuthStrategy) OptionFn {
diff --git a/wire.go b/wire.go
index 158f19e..fe5f0c9 100644
--- a/wire.go
+++ b/wire.go
@@ -3,7 +3,6 @@ package wire
 import (
 "context"
 "crypto/tls"
- "crypto/x509"
 "errors"
 "fmt"
 "net"
@@ -62,9 +61,6 @@ type Server struct {
 BufferedMsgSize int
 Parameters Parameters
 TLSConfig *tls.Config
- Certificates []tls.Certificate
- ClientCAs *x509.CertPool
- ClientAuth tls.ClientAuthType
 parse ParseFn
 Session SessionHandler
 Statements StatementCache
From 4cec9c98fe3194a465c1e12420d3ae67a7578365 Mon Sep 17 00:00:00 2001
From: Jeroen Rinzema
Date: Mon, 11 Nov 2024 22:43:46 +0100
Subject: [PATCH 4/4] updated tls example
---
 examples/tls/main.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/examples/tls/main.go b/examples/tls/main.go
index 627de54..dbaff3a 100644
--- a/examples/tls/main.go
+++ b/examples/tls/main.go
@@ -23,8 +23,8 @@ func run() error {
 return err
 }
- certs := []tls.Certificate{cert}
- server, err := wire.NewServer(handler, wire.Certificates(certs), wire.Logger(logger), wire.MessageBufferSize(100))
+ config := &tls.Config{Certificates: []tls.Certificate{cert}}
+ server, err := wire.NewServer(handler, wire.TLSConfig(config), wire.Logger(logger), wire.MessageBufferSize(100))
 if err != nil {
 return err
 }
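Review bot: The new `config` line sets only Certificates, so the example inherits crypto/tls's server-side defaults, which in the Go releases I am aware of still accept TLS 1.0 and 1.1 on the server; because this example is what integrators copy, it should pin the floor explicitly, e.g. `config := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}`. Now that the config is the caller's responsibility, a short comment above that line noting that ClientAuth and ClientCAs go in the same struct would also help readers who previously used the dedicated options. run() starts and ends outside the hunk.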