Diffstat (limited to 'src/daq/s5proxy/src/s5proxy/config.go')
-rw-r--r-- | src/daq/s5proxy/src/s5proxy/config.go | 49 |
1 files changed, 46 insertions, 3 deletions
diff --git a/src/daq/s5proxy/src/s5proxy/config.go b/src/daq/s5proxy/src/s5proxy/config.go
index 9bd5b3e..d8c61e0 100644
--- a/src/daq/s5proxy/src/s5proxy/config.go
+++ b/src/daq/s5proxy/src/s5proxy/config.go
@@ -33,6 +33,7 @@ package main
 import (
+ "crypto/tls"
 "encoding/json"
 "errors"
 "fmt"
@@ -170,6 +171,49 @@ func (h *HeaderOperation) Parse() (err error) {
 return nil
 }
+type TLSProtocolVersion uint16
+
+type TLSCipher uint16
+
+type TLSCurve tls.CurveID
+
+type TLSSessionTicketKey [32]byte
+
+type TLSConfig struct {
+ CertFile string `json:"certificate"`
+ KeyFile string `json:"certificate-key"`
+ MinVersion TLSProtocolVersion `json:"min-protocol-version"`
+ MaxVersion TLSProtocolVersion `json:"max-protocol-version"`
+ CipherSuites []TLSCipher `json:"ciphers"`
+ PreferServerCipherSuites bool `json:"prefer-server-ciphers"`
+ CurvePreferences []TLSCurve `json:"ecdh-curves"`
+ SessionTicketsDisabled bool `json:"session-tickets"`
+ SessionTicketKey TLSSessionTicketKey `json:"session-ticket-key"`
+}
+
+func (t TLSConfig) ToGoTLSConfig() (*tls.Config, error) {
+ cert, err := tls.LoadX509KeyPair(t.CertFile, t.KeyFile)
+ if err != nil {
+ return nil, err
+ }
+
+ // TODO: generate cfg from t
+ cfg := &tls.Config{
+ Certificates: []tls.Certificate{cert},
+ MinVersion: tls.VersionTLS10,
+ CurvePreferences: []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
+ PreferServerCipherSuites: true,
+ CipherSuites: []uint16{
+ tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+ tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+ tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
+ tls.TLS_RSA_WITH_AES_256_CBC_SHA,
+ },
+ }
+
+ return cfg, nil
+}
+
 type SFiveDuration int64
 func (d *SFiveDuration) UnmarshalText(data []byte) error {
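Review bot: The `session-tickets` JSON key is bound to a field named `SessionTicketsDisabled` in the new TLSConfig struct, so once `ToGoTLSConfig` starts copying it into `tls.Config.SessionTicketsDisabled` a config author who writes `"session-tickets": true` will switch tickets off; either rename the key to match, e.g. `SessionTicketsDisabled bool `json:"session-tickets-disabled"``, or keep the key and negate the value when mapping. Until the `// TODO: generate cfg from t` is resolved, every TLSConfig field other than the two file paths is parsed and then ignored, and the static settings pin `MinVersion: tls.VersionTLS10` and include CBC and non-ECDHE suites, so the method's doc comment should state that the remaining fields are not yet honoured and the placeholder would be safer defaulting to `MinVersion: tls.VersionTLS12`. `PreferServerCipherSuites` is ignored by crypto/tls from Go 1.17 onward, which deserves a comment if the module targets a newer toolchain. `TLSSessionTicketKey [32]byte` will only decode from a JSON array of 32 numbers unless it gets an UnmarshalText like SFiveDuration's; confirm that is the intended wire format. The hunk's last context line opens `(*SFiveDuration).UnmarshalText`, whose body lies outside the hunk.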
@@ -198,8 +242,7 @@ type Config struct {
 Protocol ProtocolType `json:"protocol"`
 Redirect2HTTPS RedirectCode `json:"redirect2https"`
 ConnectAddr string `json:"connect"`
- CertFile string `json:"cert"`
- KeyFile string `json:"key"`
+ TLS TLSConfig `json:"tls"`
 RequestHeader []HeaderOperation `json:"request_header"`
 ResponseHeader []HeaderOperation `json:"response_header"`
 SFive SFiveConf `json:"sfive"`
@@ -232,7 +275,7 @@ func readConfig(configfile string) (conf *Config, err error) {
 }
 if conf.Protocol == HTTPAndHTTPS || conf.Protocol == HTTPSOnly {
- if conf.CertFile == "" || conf.KeyFile == "" {
+ if conf.TLS.CertFile == "" || conf.TLS.KeyFile == "" {
 return nil, errors.New("HTTPs is enabled but no certificate and/or key file is supplied")
 }
 }
|
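Review bot: The error on the context line below the changed condition still says `"HTTPs is enabled but no certificate and/or key file is supplied"`, but this commit moves the keys from top-level `cert`/`key` into the nested `tls` object, so an operator carrying an old config gets no hint of where the values now belong; suggest `return nil, errors.New("HTTPS is enabled but tls.certificate and/or tls.certificate-key is not set")`. The check also only verifies that the two paths are non-empty, while the new min/max protocol version and cipher fields get no validation here at all, which is acceptable as long as ToGoTLSConfig ignores them but should be recorded next to its existing TODO. readConfig's body continues outside the hunk on both sides.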