
Method http2DialTLSFunc

pkg/client/client.go:1248–1281  ·  view source on GitHub ↗

1246}
1247
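// http2DialTLSFunc returns the DialTLS function to install on the http2
// transport, or nil when the standard library's full certificate
// verification should be used (no pinned certificates from getTrustedCerts
// and insecureAnyTLSCert unset).
//
// When a dialer is returned it disables the library's chain verification
// (cfg.InsecureSkipVerify) and substitutes the client's own policy: with
// insecureAnyTLSCert any server certificate is accepted without further
// checks; otherwise the connection must have negotiated the http2 ALPN
// protocol and the leaf certificate's fingerprint (hashutil.SHA256Prefix of
// its raw DER bytes) must match one of the trusted fingerprints. A
// connection that fails these checks is closed before the error is returned,
// so a rejected handshake does not leak the socket.
func (c *Client) http2DialTLSFunc() func(network, addr string, cfg *tls.Config) (net.Conn, error) {
	trustedCerts := c.getTrustedCerts()
	if !c.insecureAnyTLSCert && len(trustedCerts) == 0 {
		// TLS with normal/full verification.
		// nil means http2 uses its default dialer.
		return nil
	}
	return func(network, addr string, cfg *tls.Config) (net.Conn, error) {
		// we own cfg, so we can mutate it:
		// the library chain check is replaced by the pinning below, not dropped.
		cfg.InsecureSkipVerify = true
		conn, err := tls.Dial(network, addr, cfg)
		if err != nil {
			return nil, err
		}
		if c.insecureAnyTLSCert {
			// Explicit opt-out: no ALPN or certificate check at all.
			return conn, nil
		}
		// tls.Dial has already completed the handshake, so every rejection
		// below must close conn; returning an error alone leaks the socket.
		state := conn.ConnectionState()
		if p := state.NegotiatedProtocol; p != http2.NextProtoTLS {
			conn.Close() // error deliberately ignored: the ALPN mismatch is what we report
			return nil, fmt.Errorf("http2: unexpected ALPN protocol %q; want %q", p, http2.NextProtoTLS)
		}
		certs := state.PeerCertificates
		if len(certs) < 1 {
			conn.Close() // error deliberately ignored: missing peer cert is what we report
			return nil, fmt.Errorf("no TLS peer certificates from %s", addr)
		}
		// Pin on the leaf certificate only; intermediates are not consulted.
		sig := hashutil.SHA256Prefix(certs[0].Raw)
		for _, v := range trustedCerts {
			if v == sig {
				return conn, nil
			}
		}
		conn.Close() // error deliberately ignored: the untrusted cert is what we report
		return nil, fmt.Errorf("TLS server at %v presented untrusted certificate (signature %q)", addr, sig)
	}
}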
1282
1283// DialTLSFunc returns the adequate dial function, when using SSL, depending on
1284// whether we're using insecure TLS (certificate verification is disabled), or we
