DefaultServerAcceptedCiphers should be used by code that already has a crypto/tls options struct but wants to use a commonly accepted set of TLS cipher suites, with known weak algorithms removed.
var DefaultServerAcceptedCiphers = append(clientCipherSuites, acceptedCBCCiphers...)
func Client(options Options) (*tls.Config, error)
Client returns a TLS configuration meant to be used by a client.
func ClientDefault(ops ...func(*tls.Config)) *tls.Config
ClientDefault returns a secure-enough TLS configuration for the client.
func IsErrEncryptedKey(err error) bool
IsErrEncryptedKey returns true if 'err' is an incorrect-password error raised when trying to decrypt a TLS private key.
Deprecated: Use of encrypted TLS private keys has been deprecated, and will be removed in a future release. Golang has deprecated support for legacy PEM encryption (as specified in RFC 1423), as it is insecure by design (see https://go-review.googlesource.com/c/go/+/264159).
func Server(options Options) (*tls.Config, error)
Server returns a TLS configuration meant to be used by a server.
func ServerDefault(ops ...func(*tls.Config)) *tls.Config
ServerDefault returns a secure-enough TLS configuration for the server.
func SystemCertPool() (*x509.CertPool, error)
SystemCertPool returns a copy of the system cert pool. It returns an error if the pool failed to load, or an empty pool on Windows.
Options represents the information needed to create client and server TLS configurations.
type Options struct {
	CAFile string

	// If either CertFile or KeyFile is empty, Client() will not load them
	// preventing the client from authenticating to the server.
	// However, Server() requires them and will error out if they are empty.
	CertFile string
	KeyFile  string

	// client-only option
	InsecureSkipVerify bool
	// server-only option
	ClientAuth tls.ClientAuthType
	// If ExclusiveRootPools is set, then if a CA file is provided, the root pool used for TLS
	// creds will include exclusively the roots in that CA file. If no CA file is provided,
	// the system pool will be used.
	ExclusiveRootPools bool
	MinVersion         uint16
	// If Passphrase is set, it will be used to decrypt a TLS private key
	// if the key is encrypted.
	//
	// Deprecated: Use of encrypted TLS private keys has been deprecated, and
	// will be removed in a future release. Golang has deprecated support for
	// legacy PEM encryption (as specified in RFC 1423), as it is insecure by
	// design (see https://go-review.googlesource.com/c/go/+/264159).
	Passphrase string
}
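The options above (MinVersion, InsecureSkipVerify, ClientAuth) and the cipher suite list all end up on a *tls.Config, so a config built by hand can be checked for the same weaknesses before use. The following is an added example using only the standard library, not code from this package; auditTLSConfig and the sample config are hypothetical and constructed for illustration.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// auditTLSConfig is a hypothetical helper, not part of the tlsconfig package.
// It lists settings on an existing *tls.Config that weaken the connection.
func auditTLSConfig(cfg *tls.Config, isServer bool) []string {
	var findings []string
	switch {
	case cfg.MinVersion == 0:
		// Zero means "crypto/tls default", which varies by Go release.
		findings = append(findings, "MinVersion unset: floor depends on the Go release")
	case cfg.MinVersion < tls.VersionTLS12:
		findings = append(findings, fmt.Sprintf("MinVersion 0x%04x is below TLS 1.2", cfg.MinVersion))
	}
	if !isServer && cfg.InsecureSkipVerify {
		findings = append(findings, "InsecureSkipVerify set: server certificate is not verified")
	}
	if isServer && cfg.ClientAuth >= tls.VerifyClientCertIfGiven && cfg.ClientCAs == nil {
		findings = append(findings, "ClientAuth verifies client certificates but ClientCAs is nil")
	}
	// crypto/tls publishes the suites it considers insecure; flag any that are enabled.
	weak := map[uint16]string{}
	for _, s := range tls.InsecureCipherSuites() {
		weak[s.ID] = s.Name
	}
	for _, id := range cfg.CipherSuites {
		if name, ok := weak[id]; ok {
			findings = append(findings, "weak cipher suite enabled: "+name)
		}
	}
	return findings
}

func main() {
	// Constructed sample: a client config with three deliberate weaknesses.
	cfg := &tls.Config{
		MinVersion:         tls.VersionTLS10,
		InsecureSkipVerify: true,
		CipherSuites:       []uint16{tls.TLS_RSA_WITH_RC4_128_SHA, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
	}
	for _, f := range auditTLSConfig(cfg, false) {
		fmt.Println("-", f)
	}
}
```

An empty result means none of these checks fired; it does not certify the config beyond them.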