getPeerCertificates creates a connection to a remote server and returns the list of server certificates. If the address does not contain a port then default to port 443. Params *addr*: can be a host (e.g. smallstep.com) or an IP (e.g. 127.0.0.1) *serverName*: use a specific Server Name In
(addr, serverName, roots string, insecure bool)
| 33 | // *insecure*: do not verify that the server's certificate has been signed by |
| 34 | // a trusted root |
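func getPeerCertificates(addr, serverName, roots string, insecure bool) ([]*x509.Certificate, error) {
	// rootCAs stays nil when no roots file is given, in which case crypto/tls
	// falls back to the system root pool for verification.
	var rootCAs *x509.CertPool
	if roots != "" {
		pool, err := x509util.ReadCertPool(roots)
		if err != nil {
			return nil, errors.Wrapf(err, "failure to load root certificate pool from input path '%s'", roots)
		}
		rootCAs = pool
	}

	// A bare host or IP (no port) defaults to 443. JoinHostPort also brackets
	// IPv6 literals, so "::1" becomes "[::1]:443".
	if _, _, err := net.SplitHostPort(addr); err != nil {
		addr = net.JoinHostPort(addr, "443")
	}

	tlsConfig := &tls.Config{
		MinVersion: tls.VersionTLS12,
		RootCAs:    rootCAs,
	}
	if insecure {
		// With verification disabled the returned chain is exactly what the
		// server presented: neither the signature chain nor the host name has
		// been checked, so callers must treat it as unauthenticated data.
		tlsConfig.InsecureSkipVerify = true
	}
	if serverName != "" {
		// Overrides the SNI/verification name derived from addr; useful when
		// dialing an IP that serves a certificate for a DNS name.
		tlsConfig.ServerName = serverName
	}

	// NOTE(review): tls.Dial carries no deadline, so an unresponsive host
	// blocks until the OS connect timeout expires; a tls.Dialer with a Timeout
	// would bound this. Left unchanged here to keep behavior identical.
	conn, err := tls.Dial("tcp", addr, tlsConfig)
	if err != nil {
		// Include the dialed address so the caller can tell which endpoint
		// (and which defaulted port) failed.
		return nil, errors.Wrapf(err, "failed to connect to %s", addr)
	}
	// The handshake has completed, so the peer chain is already populated and
	// nothing further is read; a close error carries no actionable information
	// for the caller, which is why it is deliberately dropped.
	defer conn.Close()

	return conn.ConnectionState().PeerCertificates, nil
}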
| 66 | |
| 67 | // trimURL returns the host[:port] if the input is a URL, otherwise returns an |
| 68 | // empty string (and 'isURL:false'). |