github.com/ava-labs/avalanchego@v1.11.11/network/peer/tls_config.go (about)

     1  // Copyright (C) 2019-2024, Ava Labs, Inc. All rights reserved.
     2  // See the file LICENSE for licensing terms.
     3  
     4  package peer
     5  
     6  import (
     7  	"crypto/tls"
     8  	"io"
     9  )
    10  
    11  // TLSConfig returns the TLS config that will allow secure connections to other
    12  // peers.
    13  //
    14  // It is safe, and typically expected, for [keyLogWriter] to be [nil].
    15  // [keyLogWriter] should only be enabled for debugging.
    16  func TLSConfig(cert tls.Certificate, keyLogWriter io.Writer) *tls.Config {
    17  	return &tls.Config{
    18  		Certificates: []tls.Certificate{cert},
    19  		ClientAuth:   tls.RequireAnyClientCert,
    20  		// We do not use the TLS CA functionality to authenticate a
    21  		// hostname. We only require an authenticated channel based on the
    22  		// peer's public key. Therefore, we can safely skip CA verification.
    23  		//
    24  		// During our security audit by Quantstamp, this was investigated
    25  		// and confirmed to be safe and correct.
    26  		InsecureSkipVerify: true, //#nosec G402
    27  		MinVersion:         tls.VersionTLS13,
    28  		KeyLogWriter:       keyLogWriter,
    29  	}
    30  }