Root CAs can be used for backend without TLS (#6711)

Pontus Leitzler 6 years ago committed by Nitish Tiwari
parent c6ec3fdfba
commit 81d21850ec
  1. 14
      cmd/certs.go
  2. 10
      cmd/gateway-main.go
  3. 8
      cmd/server-main.go

@ -150,24 +150,20 @@ func loadX509KeyPair(certFile, keyFile string) (tls.Certificate, error) {
return cert, nil return cert, nil
} }
func getSSLConfig() (x509Certs []*x509.Certificate, rootCAs *x509.CertPool, c *certs.Certs, secureConn bool, err error) { func getTLSConfig() (x509Certs []*x509.Certificate, c *certs.Certs, secureConn bool, err error) {
if !(isFile(getPublicCertFile()) && isFile(getPrivateKeyFile())) { if !(isFile(getPublicCertFile()) && isFile(getPrivateKeyFile())) {
return nil, nil, nil, false, nil return nil, nil, false, nil
} }
if x509Certs, err = parsePublicCertFile(getPublicCertFile()); err != nil { if x509Certs, err = parsePublicCertFile(getPublicCertFile()); err != nil {
return nil, nil, nil, false, err return nil, nil, false, err
} }
c, err = certs.New(getPublicCertFile(), getPrivateKeyFile(), loadX509KeyPair) c, err = certs.New(getPublicCertFile(), getPrivateKeyFile(), loadX509KeyPair)
if err != nil { if err != nil {
return nil, nil, nil, false, err return nil, nil, false, err
}
if rootCAs, err = getRootCAs(getCADir()); err != nil {
return nil, nil, nil, false, err
} }
secureConn = true secureConn = true
return x509Certs, rootCAs, c, secureConn, nil return x509Certs, c, secureConn, nil
} }
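Review bot: getTLSConfig has no doc comment, and after the rename its contract is easy to misread — the old getSSLConfig also returned the root CA pool, the new function does not, so every caller must now call getRootCAs itself (as the gateway and server entry points in this commit do). A comment above the signature would pin that down: `// getTLSConfig loads the server's public certificate and private key. It returns secureConn=false and no error when either file is absent; root CAs are deliberately not loaded here, see getRootCAs.` As a point of style, the trailing `secureConn = true` followed by `return x509Certs, c, secureConn, nil` mixes named results with an explicit return; `return x509Certs, c, true, nil` says the same thing in one line.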

@ -157,10 +157,14 @@ func StartGateway(ctx *cli.Context, gw Gateway) {
// Create certs path. // Create certs path.
logger.FatalIf(createConfigDir(), "Unable to create configuration directories") logger.FatalIf(createConfigDir(), "Unable to create configuration directories")
// Check and load SSL certificates. // Check and load TLS certificates.
var err error var err error
globalPublicCerts, globalRootCAs, globalTLSCerts, globalIsSSL, err = getSSLConfig() globalPublicCerts, globalTLSCerts, globalIsSSL, err = getTLSConfig()
logger.FatalIf(err, "Invalid SSL certificate file") logger.FatalIf(err, "Invalid TLS certificate file")
// Check and load Root CAs.
globalRootCAs, err = getRootCAs(getCADir())
logger.FatalIf(err, "Failed to read root CAs (%v)", err)
// Set system resources to maximum. // Set system resources to maximum.
logger.LogIf(context.Background(), setMaxResources()) logger.LogIf(context.Background(), setMaxResources())
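Review bot: The added `logger.FatalIf(err, "Failed to read root CAs (%v)", err)` passes the same error twice, once as the error argument and once as a format argument, so if FatalIf already reports the error it is given — which the adjacent `logger.FatalIf(err, "Invalid TLS certificate file")` call appears to rely on — the message will carry it twice. Matching the neighbouring calls, `logger.FatalIf(err, "Unable to read root CAs")` is enough. The identical line is added to serverMain in cmd/server-main.go and should change the same way. StartGateway continues outside this hunk.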

@ -227,11 +227,15 @@ func serverMain(ctx *cli.Context) {
// Create certs path. // Create certs path.
logger.FatalIf(createConfigDir(), "Unable to initialize configuration files") logger.FatalIf(createConfigDir(), "Unable to initialize configuration files")
// Check and load SSL certificates. // Check and load TLS certificates.
var err error var err error
globalPublicCerts, globalRootCAs, globalTLSCerts, globalIsSSL, err = getSSLConfig() globalPublicCerts, globalTLSCerts, globalIsSSL, err = getTLSConfig()
logger.FatalIf(err, "Unable to load the TLS configuration") logger.FatalIf(err, "Unable to load the TLS configuration")
// Check and load Root CAs.
globalRootCAs, err = getRootCAs(getCADir())
logger.FatalIf(err, "Failed to read root CAs (%v)", err)
// Is distributed setup, error out if no certificates are found for HTTPS endpoints. // Is distributed setup, error out if no certificates are found for HTTPS endpoints.
if globalIsDistXL { if globalIsDistXL {
if globalEndpoints.IsHTTPS() && !globalIsSSL { if globalEndpoints.IsHTTPS() && !globalIsSSL {
