
Method DialTLSFunc

pkg/client/client.go:1288–1354

DialTLSFunc returns the appropriate dial function when using TLS, depending on whether insecure TLS is in use (certificate verification is disabled), the client has some trusted certificates, or the client is running on Android. If the client's config has some trusted certificates, the server's certificate will be checked against those in the config after the TLS handshake.


1286// If the client's config has some trusted certs, the server's certificate will
1287// be checked against those in the config after the TLS handshake.
1288func (c *Client) DialTLSFunc() func(network, addr string) (net.Conn, error) {
1289 if !c.useTLS() {
1290 return nil
1291 }
1292 trustedCerts := c.getTrustedCerts()
1293 var stdTLS bool
1294 if !c.insecureAnyTLSCert && len(trustedCerts) == 0 {
1295 // TLS with normal/full verification.
1296 stdTLS = true
1297 if !android.IsChild() {
1298 // Not android, so let the stdlib deal with it
1299 return nil
1300 }
1301 }
1302
1303 return func(network, addr string) (net.Conn, error) {
1304 var conn *tls.Conn
1305 var err error
1306 if android.IsChild() {
1307 ac, err := android.Dial(network, addr)
1308 if err != nil {
1309 return nil, err
1310 }
1311 var tlsConfig *tls.Config
1312 if stdTLS {
1313 tlsConfig, err = android.TLSConfig()
1314 if err != nil {
1315 return nil, err
1316 }
1317 } else {
1318 tlsConfig = &tls.Config{InsecureSkipVerify: true}
1319 }
1320 // Since we're doing the TLS handshake ourselves, we need to set the ServerName,
1321 // in case the server uses SNI (as is the case if it's relying on Let's Encrypt,
1322 // for example).
1323 tlsConfig.ServerName = c.serverNameOfAddr(addr)
1324 conn = tls.Client(ac, tlsConfig)
1325 if err := conn.Handshake(); err != nil {
1326 return nil, err
1327 }
1328 if stdTLS {
1329 // Normal TLS verification succeeded and we do not have
1330 // additional trusted certificate fingerprints to check for.
1331 return conn, nil
1332 }
1333 } else {
1334 conn, err = tls.Dial(network, addr, &tls.Config{InsecureSkipVerify: true})
1335 if err != nil {
1336 return nil, err
1337 }
1338 }
1339 if c.insecureAnyTLSCert {
1340 return conn, nil
1341 }
1342 certs := conn.ConnectionState().PeerCertificates
1343 if len(certs) < 1 {
1344 return nil, fmt.Errorf("no TLS peer certificates from %s", addr)
1345 }
