Commit c1d9fafd authored by Jonah Husson's avatar Jonah Husson

Swap to using GetCertificate in tlsconf so the cert can be changed

parent 3a63a373
4 merge requests!47Project/https support,!46Swap to using GetCertificate in tlsconf so the cert can be changed,!45re-enable https for servewithweb, add function to provide certs when available,!39Merge release into master
...@@ -99,6 +99,8 @@ type ProtoComms struct { ...@@ -99,6 +99,8 @@ type ProtoComms struct {
salt []byte salt []byte
httpsCredChan chan tls.Certificate httpsCredChan chan tls.Certificate
httpsCertificate *tls.Certificate
httpsCertificateLock sync.RWMutex
// ------------------------------------------------------------------------- // -------------------------------------------------------------------------
} }
...@@ -260,24 +262,20 @@ func (c *ProtoComms) ServeWithWeb() { ...@@ -260,24 +262,20 @@ func (c *ProtoComms) ServeWithWeb() {
c.httpsCredChan = make(chan tls.Certificate, 1) c.httpsCredChan = make(chan tls.Certificate, 1)
wg.Done() wg.Done()
creds := <-c.httpsCredChan creds := <-c.httpsCredChan
var err error
tlsConf.Certificates = make([]tls.Certificate, 1) c.httpsCertificate = &creds
tlsConf.Certificates[0] = creds tlsConf.GetCertificate = c.GetCertificateFunc()
var serverName string var serverName string
if tlsConf.Certificates[0].Leaf == nil { cert, err := x509.ParseCertificate(creds.Certificate[0])
var cert *x509.Certificate
cert, err = x509.ParseCertificate(creds.Certificate[0])
if err != nil { if err != nil {
jww.FATAL.Panicf("Failed to load TLS certificate: %+v", err) jww.FATAL.Panicf("Failed to load TLS certificate: %+v", err)
} }
serverName = cert.DNSNames[0] serverName = cert.DNSNames[0]
} else {
serverName = tlsConf.Certificates[0].Leaf.DNSNames[0]
}
tlsConf.ServerName = serverName tlsConf.ServerName = serverName
go c.startUpdateCertificate()
tlsLis := tls.NewListener(l, tlsConf) tlsLis := tls.NewListener(l, tlsConf)
if err := http.Serve(tlsLis, httpServer); err != nil { if err := http.Serve(tlsLis, httpServer); err != nil {
// Cannot panic here due to shared net.Listener // Cannot panic here due to shared net.Listener
...@@ -383,6 +381,25 @@ func (c *ProtoComms) Stream(host *Host, f func(conn Connection) ( ...@@ -383,6 +381,25 @@ func (c *ProtoComms) Stream(host *Host, f func(conn Connection) (
return c.transmit(host, f) return c.transmit(host, f)
} }
func (c *ProtoComms) GetCertificateFunc() func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
return func(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {
c.httpsCertificateLock.RLock()
defer c.httpsCertificateLock.RUnlock()
return c.httpsCertificate, nil
}
}
func (c *ProtoComms) startUpdateCertificate() {
for {
select {
case creds := <-c.httpsCredChan:
c.httpsCertificateLock.Lock()
c.httpsCertificate = &creds
c.httpsCertificateLock.Unlock()
}
}
}
// returns true if the connection error is one of the connection errors which // returns true if the connection error is one of the connection errors which
// should be retried // should be retried
func isConnError(err error) bool { func isConnError(err error) bool {
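Review bot: startUpdateCertificate in the third hunk loops forever on a one-case select with no exit condition: if httpsCredChan is ever closed, the receive returns a zero tls.Certificate on every iteration, so the goroutine busy-spins and installs an empty certificate that every later handshake will fail on. Receive with the ok flag and return when the channel is closed; the loop also has no context or done signal, so it appears to outlive the listener that ServeWithWeb starts (the shutdown path is outside these hunks), which is worth wiring to whatever stop mechanism the struct already has. GetCertificateFunc is exported but has no doc comment; `// GetCertificateFunc returns a tls.Config.GetCertificate callback that serves the certificate most recently received on httpsCredChan.` would do. Consider also returning an explicit error instead of `nil, nil` when no certificate has been installed yet, so a handshake that fails names the cause rather than falling through to the empty Certificates list.
```go
func (c *ProtoComms) startUpdateCertificate() {
	for {
		creds, ok := <-c.httpsCredChan
		if !ok {
			// channel closed: stop rotating rather than spinning on zero values
			return
		}
		c.httpsCertificateLock.Lock()
		c.httpsCertificate = &creds
		c.httpsCertificateLock.Unlock()
	}
}
```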