(opt Option)
| 85 | } |
| 86 | |
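// GetTLSConfig builds the *tls.Config used for connections made with opt.
//
// A caller-supplied opt.TLSConfig is cloned rather than edited in place: the
// original code mutated it, so a base config shared between callers (or reused
// across calls with different options) silently accumulated RootCAs,
// VerifyConnection, InsecureSkipVerify and GetClientCertificate from an
// earlier call. Cloning keeps each returned config independent.
//
// Fields read from opt: TLSConfig, ZeroTrust, Fingerprint, Certificate,
// PrivateKey.
//
// Returns the configured config, or the error from NewFingerprintVerifier or
// NewTLSKeyPairLoader; on error the returned config is nil.
func GetTLSConfig(opt Option) (tlsConfig *tls.Config, err error) {
	if opt.TLSConfig != nil {
		// tls.Config.Clone is safe to call on a config already in use by
		// other connections, so this never races with the caller.
		tlsConfig = opt.TLSConfig.Clone()
	} else {
		tlsConfig = &tls.Config{}
	}
	// tls.Config.Time is the clock used for certificate validity checks;
	// the project routes it through ntp.Now (presumably an NTP-backed clock)
	// instead of the local system time.
	tlsConfig.Time = ntp.Now

	if opt.ZeroTrust {
		tlsConfig.RootCAs = zeroTrustCertPool()
	} else {
		tlsConfig.RootCAs = GetCertPool()
	}

	if len(opt.Fingerprint) > 0 {
		verifier, fpErr := NewFingerprintVerifier(opt.Fingerprint, tlsConfig.Time)
		if fpErr != nil {
			return nil, fpErr
		}
		// Certificate pinning: Go's built-in chain verification is switched
		// off (InsecureSkipVerify) and replaced by VerifyConnection, so the
		// fingerprint verifier is the only check applied to the peer chain.
		// Both settings belong together; setting InsecureSkipVerify without
		// VerifyConnection would disable verification entirely.
		tlsConfig.VerifyConnection = func(state tls.ConnectionState) error {
			// [ConnectionState.ServerName] can return the actual ServerName needed for verification,
			// avoiding inconsistencies caused by [tlsConfig.ServerName] being modified after the [NewFingerprintVerifier] call.
			// https://github.com/golang/go/issues/36736#issuecomment-587925536
			return verifier(state.PeerCertificates, state.ServerName)
		}
		tlsConfig.InsecureSkipVerify = true
	}

	if len(opt.Certificate) > 0 || len(opt.PrivateKey) > 0 {
		certLoader, loadErr := NewTLSKeyPairLoader(opt.Certificate, opt.PrivateKey)
		if loadErr != nil {
			return nil, loadErr
		}
		// Client certificate is resolved lazily per handshake via the loader
		// rather than pinned into tlsConfig.Certificates.
		tlsConfig.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
			return certLoader()
		}
	}
	return tlsConfig, nil
}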
| 125 | |
| 126 | var zeroTrustCertPool = once.OnceValue(func() *x509.CertPool { |
| 127 | if len(_CaCertificates) != 0 { // always using embed cert first |