OLD | NEW |
1 // Copyright 2009 The Go Authors. All rights reserved. | 1 // Copyright 2009 The Go Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style | 2 // Use of this source code is governed by a BSD-style |
3 // license that can be found in the LICENSE file. | 3 // license that can be found in the LICENSE file. |
4 | 4 |
5 package tls | 5 package tls |
6 | 6 |
7 import ( | 7 import ( |
8 "crypto/rand" | 8 "crypto/rand" |
9 "crypto/rsa" | 9 "crypto/rsa" |
10 "crypto/x509" | 10 "crypto/x509" |
11 "io" | 11 "io" |
12 "io/ioutil" | |
13 "strings" | 12 "strings" |
14 "sync" | 13 "sync" |
15 "time" | 14 "time" |
16 ) | 15 ) |
17 | 16 |
18 const ( | 17 const ( |
19 maxPlaintext = 16384 // maximum plaintext payload length | 18 maxPlaintext = 16384 // maximum plaintext payload length |
20 maxCiphertext = 16384 + 2048 // maximum ciphertext payload length | 19 maxCiphertext = 16384 + 2048 // maximum ciphertext payload length |
21 recordHeaderLen = 5 // record header length | 20 recordHeaderLen = 5 // record header length |
22 maxHandshake = 65536 // maximum handshake we support (protocol
max is 16 MB) | 21 maxHandshake = 65536 // maximum handshake we support (protocol
max is 16 MB) |
(...skipping 125 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
148 // ServerName is included in the client's handshake to support virtual | 147 // ServerName is included in the client's handshake to support virtual |
149 // hosting. | 148 // hosting. |
150 ServerName string | 149 ServerName string |
151 | 150 |
152 // AuthenticateClient controls whether a server will request a certifica
te | 151 // AuthenticateClient controls whether a server will request a certifica
te |
153 // from the client. It does not require that the client send a | 152 // from the client. It does not require that the client send a |
154 // certificate nor does it require that the certificate sent be | 153 // certificate nor does it require that the certificate sent be |
155 // anything more than self-signed. | 154 // anything more than self-signed. |
156 AuthenticateClient bool | 155 AuthenticateClient bool |
157 | 156 |
| 157 // InsecureSkipVerify controls whether a client verifies the |
| 158 // server's certificate chain and host name. |
| 159 // If InsecureSkipVerify is true, TLS accepts any certificate |
| 160 // presented by the server and any host name in that certificate. |
| 161 // In this mode, TLS is susceptible to man-in-the-middle attacks. |
| 162 // This should be used only for testing. |
| 163 InsecureSkipVerify bool |
| 164 |
158 // CipherSuites is a list of supported cipher suites. If CipherSuites | 165 // CipherSuites is a list of supported cipher suites. If CipherSuites |
159 // is nil, TLS uses a list of suites supported by the implementation. | 166 // is nil, TLS uses a list of suites supported by the implementation. |
160 CipherSuites []uint16 | 167 CipherSuites []uint16 |
161 } | 168 } |
162 | 169 |
163 func (c *Config) rand() io.Reader { | 170 func (c *Config) rand() io.Reader { |
164 r := c.Rand | 171 r := c.Rand |
165 if r == nil { | 172 if r == nil { |
166 return rand.Reader | 173 return rand.Reader |
167 } | 174 } |
(...skipping 109 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
277 } | 284 } |
278 return vers, true | 285 return vers, true |
279 } | 286 } |
280 | 287 |
281 var emptyConfig Config | 288 var emptyConfig Config |
282 | 289 |
283 func defaultConfig() *Config { | 290 func defaultConfig() *Config { |
284 return &emptyConfig | 291 return &emptyConfig |
285 } | 292 } |
286 | 293 |
287 // Possible certificate files; stop after finding one. | |
288 // On OS X we should really be using the Directory Services keychain | |
289 // but that requires a lot of Mach goo to get at. Instead we use | |
290 // the same root set that curl uses. | |
291 var certFiles = []string{ | |
292 "/etc/ssl/certs/ca-certificates.crt", // Linux etc | |
293 "/usr/share/curl/curl-ca-bundle.crt", // OS X | |
294 } | |
295 | |
296 var once sync.Once | 294 var once sync.Once |
297 | 295 |
298 func defaultRoots() *x509.CertPool { | 296 func defaultRoots() *x509.CertPool { |
299 once.Do(initDefaults) | 297 once.Do(initDefaults) |
300 return varDefaultRoots | 298 return varDefaultRoots |
301 } | 299 } |
302 | 300 |
303 func defaultCipherSuites() []uint16 { | 301 func defaultCipherSuites() []uint16 { |
304 once.Do(initDefaults) | 302 once.Do(initDefaults) |
305 return varDefaultCipherSuites | 303 return varDefaultCipherSuites |
306 } | 304 } |
307 | 305 |
308 func initDefaults() { | 306 func initDefaults() { |
309 initDefaultRoots() | 307 initDefaultRoots() |
310 initDefaultCipherSuites() | 308 initDefaultCipherSuites() |
311 } | 309 } |
312 | 310 |
313 var varDefaultRoots *x509.CertPool | 311 var ( |
314 | 312 » varDefaultRoots *x509.CertPool |
315 func initDefaultRoots() { | 313 » varDefaultCipherSuites []uint16 |
316 » roots := x509.NewCertPool() | 314 ) |
317 » for _, file := range certFiles { | |
318 » » data, err := ioutil.ReadFile(file) | |
319 » » if err == nil { | |
320 » » » roots.AppendCertsFromPEM(data) | |
321 » » » break | |
322 » » } | |
323 » } | |
324 » varDefaultRoots = roots | |
325 } | |
326 | |
327 var varDefaultCipherSuites []uint16 | |
328 | 315 |
329 func initDefaultCipherSuites() { | 316 func initDefaultCipherSuites() { |
330 varDefaultCipherSuites = make([]uint16, len(cipherSuites)) | 317 varDefaultCipherSuites = make([]uint16, len(cipherSuites)) |
331 i := 0 | 318 i := 0 |
332 for id := range cipherSuites { | 319 for id := range cipherSuites { |
333 varDefaultCipherSuites[i] = id | 320 varDefaultCipherSuites[i] = id |
334 i++ | 321 i++ |
335 } | 322 } |
336 } | 323 } |
OLD | NEW |