hyung-hwan/hodu
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

attempting to support TLS

Browse Source
This commit is contained in:
hyung-hwan 2024-12-06 00:52:33 +09:00
parent e95d196cc0
commit e144a39c5c
4 changed files with 107 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
client.go
View File

@ -987,6 +987,7 @@ func NewClient(ctx context.Context, ctl_addrs []string, logger Logger, tlscfg *t
c.ctl[i] = &http.Server{ c.ctl[i] = &http.Server{
Addr: ctl_addrs[i], Addr: ctl_addrs[i],
Handler: c.ctl_mux, Handler: c.ctl_mux,
TLSConfig: tlscfg,
// TODO: more settings // TODO: more settings
} }
} }
@ -1183,7 +1184,11 @@ func (c *Client) RunCtlTask(wg *sync.WaitGroup) {
l_wg.Add(1) l_wg.Add(1)
go func(i int, cs *http.Server) { go func(i int, cs *http.Server) {
c.log.Write ("", LOG_INFO, "Control channel[%d] started on %s", i, c.ctl_addr[i]) c.log.Write ("", LOG_INFO, "Control channel[%d] started on %s", i, c.ctl_addr[i])
if c.tlscfg == nil {
err = cs.ListenAndServe() err = cs.ListenAndServe()
} else {
err = cs.ListenAndServeTLS("", "") // c.tlscfg must provide a certificate and a key
}
if errors.Is(err, http.ErrServerClosed) { if errors.Is(err, http.ErrServerClosed) {
c.log.Write("", LOG_DEBUG, "Control channel[%d] ended", i) c.log.Write("", LOG_DEBUG, "Control channel[%d] ended", i)
} else { } else {

80
cmd/main.go
View File

@ -160,13 +160,41 @@ func server_main(ctl_addrs []string, svcaddrs []string) error {
var s *hodu.Server var s *hodu.Server
var err error var err error
var cert tls.Certificate var cert tls.Certificate
var cert_pool *x509.CertPool
var tlscfg *tls.Config
cert, err = tls.X509KeyPair([]byte(rootCert), []byte(rootKey)) cert, err = tls.X509KeyPair([]byte(rootCert), []byte(rootKey))
if err != nil { if err != nil {
return fmt.Errorf("ERROR: failed to load key pair - %s\n", err) return fmt.Errorf("ERROR: failed to load key pair - %s\n", err)
} }
s, err = hodu.NewServer(context.Background(), ctl_addrs, svcaddrs, &AppLogger{id: "server", out: os.Stderr}, &tls.Config{Certificates: []tls.Certificate{cert}}) cert_pool = x509.NewCertPool()
ok := cert_pool.AppendCertsFromPEM([]byte(rootCert))
if !ok {
return fmt.Errorf("ERROR: failed to append root certificate\n")
}
/*
// Don't use `Certificates` it doesn't work with some certificate files.
// See, `getClientCertificate` in ${GOSRC}/src/crypto/tls/handshake_client.go for details
tlsConfig.GetClientCertificate = func(cri *tls.CertificateRequestInfo) (*tls.Certificate, error) {
return clientCert, nil
}
*/
tlscfg = &tls.Config{
Certificates: []tls.Certificate{cert},
ClientAuth: tls.NoClientCert, // tls.RequestClientCert, tls.RequestAnyClientCert, VerifyClientCertIfGiven, RequireAndVerifyClientCert
ClientCAs: cert_pool, // trusted CA certs for client certificate verification
ServerName: "hodu",
}
s, err = hodu.NewServer(
context.Background(),
ctl_addrs,
svcaddrs,
&AppLogger{id: "server", out: os.Stderr},
tlscfg)
if err != nil { if err != nil {
return fmt.Errorf("ERROR: failed to create new server - %s", err.Error()) return fmt.Errorf("ERROR: failed to create new server - %s", err.Error())
} }
@ -181,25 +209,65 @@ func server_main(ctl_addrs []string, svcaddrs []string) error {
// -------------------------------------------------------------------- // --------------------------------------------------------------------
func client_main(ctl_addr []string, server_addr string, peer_addrs []string) error { func client_main(ctl_addrs []string, server_addr string, peer_addrs []string) error {
var c *hodu.Client var c *hodu.Client
var cert tls.Certificate
var cert_pool *x509.CertPool var cert_pool *x509.CertPool
var tlscfg *tls.Config var tlscfg *tls.Config
var cc hodu.ClientConfig var cc hodu.ClientConfig
var err error
/*
cert_pool = x509.NewCertPool() cert_pool = x509.NewCertPool()
ok := cert_pool.AppendCertsFromPEM([]byte(rootCert)) ok := cert_pool.AppendCertsFromPEM([]byte(rootCert))
if !ok { if !ok {
fmt.Printf("failed to parse root certificate") fmt.Printf("failed to parse root certificate")
} }
tlscfg = &tls.Config{ tlscfg = &tls.Config{
RootCAs: cert_pool, RootCAs: cert_pool,
ServerName: "localhost", ClientAuth:
InsecureSkipVerify: true, ServerName: "hodu",
//InsecureSkipVerify: true,
} }
// TODO: support multiple ctl addrs
c = hodu.NewClient(context.Background(), ctl_addr, &AppLogger{id: "client", out: os.Stderr}, tlscfg) tlscfg := &tls.Config{
MinVersion: tls.VersionTLS12,
CurvePreferences: []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
PreferServerCipherSuites: true,
CipherSuites: []uint16{
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_RSA_WITH_AES_256_CBC_SHA,
},
}
*/
cert, err = tls.X509KeyPair([]byte(rootCert), []byte(rootKey))
if err != nil {
return fmt.Errorf("ERROR: failed to load key pair - %s\n", err)
}
cert_pool = x509.NewCertPool()
ok := cert_pool.AppendCertsFromPEM([]byte(rootCert))
if !ok {
return fmt.Errorf("ERROR: failed to append root certificate\n")
}
tlscfg = &tls.Config{
Certificates: []tls.Certificate{cert},
ClientAuth: tls.NoClientCert, // tls.RequestClientCert, tls.RequestAnyClientCert, VerifyClientCertIfGiven, RequireAndVerifyClientCert
ClientCAs: cert_pool, // trusted CA certs for client certificate verification
ServerName: "hodu",
}
c = hodu.NewClient(
context.Background(),
ctl_addrs,
&AppLogger{id: "client", out: os.Stderr},
tlscfg)
cc.ServerAddr = server_addr cc.ServerAddr = server_addr
cc.PeerAddrs = peer_addrs cc.PeerAddrs = peer_addrs

19
server-ctl.go
View File

@ -30,6 +30,14 @@ type server_ctl_server_conns_id struct {
s *Server s *Server
} }
type server_ctl_server_conns_id_routes struct {
s *Server
}
type server_ctl_server_conns_id_routes_id struct {
s *Server
}
// ------------------------------------ // ------------------------------------
func (ctl *server_ctl_server_conns) ServeHTTP(w http.ResponseWriter, req *http.Request) { func (ctl *server_ctl_server_conns) ServeHTTP(w http.ResponseWriter, req *http.Request) {
@ -168,3 +176,14 @@ oops:
s.log.Write("", LOG_ERROR, "[%s] %s %s - %s", req.RemoteAddr, req.Method, req.URL.String(), err.Error()) s.log.Write("", LOG_ERROR, "[%s] %s %s - %s", req.RemoteAddr, req.Method, req.URL.String(), err.Error())
return return
} }
// ------------------------------------
func (ctl *server_ctl_server_conns_id_routes) ServeHTTP(w http.ResponseWriter, req *http.Request) {
}
// ------------------------------------
func (ctl *server_ctl_server_conns_id_routes_id) ServeHTTP(w http.ResponseWriter, req *http.Request) {
}

7
server.go
View File

@ -852,6 +852,8 @@ func NewServer(ctx context.Context, ctl_addrs []string, rpc_addrs []string, logg
s.ctl_mux.Handle(s.ctl_prefix + "/ws/tty", new_server_ctl_ws_tty(&s)) s.ctl_mux.Handle(s.ctl_prefix + "/ws/tty", new_server_ctl_ws_tty(&s))
s.ctl_mux.Handle(s.ctl_prefix + "/server-conns", &server_ctl_server_conns{s: &s}) s.ctl_mux.Handle(s.ctl_prefix + "/server-conns", &server_ctl_server_conns{s: &s})
s.ctl_mux.Handle(s.ctl_prefix + "/server-conns/{conn_id}", &server_ctl_server_conns_id{s: &s}) s.ctl_mux.Handle(s.ctl_prefix + "/server-conns/{conn_id}", &server_ctl_server_conns_id{s: &s})
s.ctl_mux.Handle(s.ctl_prefix + "/server-conns/{conn_id}/routes", &server_ctl_server_conns_id_routes{s: &s})
s.ctl_mux.Handle(s.ctl_prefix + "/server-conns/{conn_id}/routes/{route_id}", &server_ctl_server_conns_id_routes_id{s: &s})
s.ctl_addr = make([]string, len(ctl_addrs)) s.ctl_addr = make([]string, len(ctl_addrs))
s.ctl = make([]*http.Server, len(ctl_addrs)) s.ctl = make([]*http.Server, len(ctl_addrs))
@ -860,6 +862,7 @@ func NewServer(ctx context.Context, ctl_addrs []string, rpc_addrs []string, logg
s.ctl[i] = &http.Server{ s.ctl[i] = &http.Server{
Addr: ctl_addrs[i], Addr: ctl_addrs[i],
Handler: s.ctl_mux, Handler: s.ctl_mux,
TLSConfig: s.tlscfg,
// TODO: more settings // TODO: more settings
} }
} }
@ -946,7 +949,11 @@ func (s *Server) RunCtlTask(wg *sync.WaitGroup) {
l_wg.Add(1) l_wg.Add(1)
go func(i int, cs *http.Server) { go func(i int, cs *http.Server) {
s.log.Write ("", LOG_INFO, "Control channel[%d] started on %s", i, s.ctl_addr[i]) s.log.Write ("", LOG_INFO, "Control channel[%d] started on %s", i, s.ctl_addr[i])
if s.tlscfg == nil {
err = cs.ListenAndServe() err = cs.ListenAndServe()
} else {
err = cs.ListenAndServeTLS("", "") // c.tlscfg must provide a certificate and a key
}
if errors.Is(err, http.ErrServerClosed) { if errors.Is(err, http.ErrServerClosed) {
s.log.Write("", LOG_DEBUG, "Control channel[%d] ended", i) s.log.Write("", LOG_DEBUG, "Control channel[%d] ended", i)
} else { } else {