| 165 | } |
| 166 | |
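// LoadClientTLS builds the gRPC dial option carrying the client-side transport
// credentials for the given component. The client certificate and key are read
// from the "<component>.cert" and "<component>.key" keys of config and the
// trusted roots from "grpc.ca"; all three are handed to pemfile providers with
// RefreshDuration set to CredRefreshingInterval.
//
// The function never returns an error. When config is nil, when any of the
// three file names is empty, or when the credentials cannot be loaded, it
// returns plaintext (insecure) transport credentials instead; the load
// failures are logged with glog.Warningf. Operators who expect TLS should
// therefore treat those "... failed" warnings as a downgrade to an unencrypted
// connection rather than as a cosmetic message.
//
// Peer verification is deliberately narrow: VerificationType is
// advancedtls.CertVerification and the AdditionalPeerVerification callback
// accepts every peer, so any certificate issued by the configured CA is
// accepted for any server. NOTE(review): CertVerification is understood to
// validate the chain without hostname matching, presumably because servers are
// dialed by IP and SNI is removed by SNIStrippingTransportCredentials —
// confirm against the advancedtls and wrapper definitions before relying on
// per-server identity.
func LoadClientTLS(config *util.ViperProxy, component string) grpc.DialOption {
	if config == nil {
		return grpc.WithTransportCredentials(insecure.NewCredentials())
	}

	certFileName := config.GetString(component + ".cert")
	keyFileName := config.GetString(component + ".key")
	caFileName := config.GetString("grpc.ca")
	if certFileName == "" || keyFileName == "" || caFileName == "" {
		// TLS is not configured for this component: plaintext by design.
		return grpc.WithTransportCredentials(insecure.NewCredentials())
	}

	// Client identity (certificate + private key). RefreshDuration asks the
	// provider to re-read the files periodically so rotated material is
	// picked up without a restart.
	clientOptions := pemfile.Options{
		CertFile:        certFileName,
		KeyFile:         keyFileName,
		RefreshDuration: CredRefreshingInterval,
	}
	clientProvider, err := pemfile.NewProvider(clientOptions)
	if err != nil {
		glog.Warningf("pemfile.NewProvider(%v) failed: %v", clientOptions, err)
		return grpc.WithTransportCredentials(insecure.NewCredentials())
	}

	// Trusted roots for validating the server chain. Reuse the value that was
	// read and checked above instead of querying "grpc.ca" a second time, so
	// the validated name and the configured name cannot diverge.
	clientRootOptions := pemfile.Options{
		RootFile:        caFileName,
		RefreshDuration: CredRefreshingInterval,
	}
	clientRootProvider, err := pemfile.NewProvider(clientRootOptions)
	if err != nil {
		glog.Warningf("pemfile.NewProvider(%v) failed: %v", clientRootOptions, err)
		return grpc.WithTransportCredentials(insecure.NewCredentials())
	}

	options := &advancedtls.Options{
		IdentityOptions: advancedtls.IdentityCertificateOptions{
			IdentityProvider: clientProvider,
		},
		// No checks beyond what VerificationType performs: every peer whose
		// certificate chains to the configured roots is accepted.
		AdditionalPeerVerification: func(params *advancedtls.HandshakeVerificationInfo) (*advancedtls.PostHandshakeVerificationResults, error) {
			return &advancedtls.PostHandshakeVerificationResults{}, nil
		},
		RootOptions: advancedtls.RootCertificateOptions{
			RootProvider: clientRootProvider,
		},
		VerificationType: advancedtls.CertVerification,
	}
	ta, err := advancedtls.NewClientCreds(options)
	if err != nil {
		glog.Warningf("advancedtls.NewClientCreds(%v) failed: %v", options, err)
		return grpc.WithTransportCredentials(insecure.NewCredentials())
	}

	// Wrapped so the project's SNI handling applies; see the wrapper type for
	// what it changes on the handshake.
	wrapped := &SNIStrippingTransportCredentials{creds: ta}
	return grpc.WithTransportCredentials(wrapped)
}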
| 216 | |
| 217 | // LoadHTTPClientFromFile creates an HTTP client using the https.client TLS |
| 218 | // settings from the given security config file. Returns nil if HTTPS is not |