// Copyright (C) 2019-2024, Ava Labs, Inc. All rights reserved.
// See the file LICENSE for licensing terms.

package peer

import (
	"crypto/tls"
	"io"
)

// TLSConfig builds the *tls.Config used for connections to other peers.
//
// The returned config presents cert to the remote side, requires the remote
// side to present a certificate of its own (ClientAuth is
// RequireAnyClientCert), and refuses anything older than TLS 1.3.
//
// Chain verification is disabled (InsecureSkipVerify) and no
// VerifyPeerCertificate or VerifyConnection callback is installed, so this
// config by itself does not authenticate the remote peer: it only establishes
// an encrypted channel bound to the certificate the peer presented. The
// peer's public key is expected to be authenticated by the caller after the
// handshake (that code is not in this file).
//
// keyLogWriter may be, and normally is, nil. When it is non-nil the TLS
// session secrets are written to it (NSS key log format), which lets anyone
// holding that log decrypt captured traffic; enable it only for debugging.
func TLSConfig(cert tls.Certificate, keyLogWriter io.Writer) *tls.Config {
	cfg := &tls.Config{
		MinVersion:   tls.VersionTLS13,
		ClientAuth:   tls.RequireAnyClientCert,
		KeyLogWriter: keyLogWriter,
	}
	cfg.Certificates = []tls.Certificate{cert}

	// Hostname/CA validation is intentionally skipped: peers are not
	// identified by DNS names or a CA hierarchy, only by the public key
	// behind the presented certificate, which is checked elsewhere. This
	// choice was reviewed during the Quantstamp security audit and
	// confirmed to be safe and correct.
	cfg.InsecureSkipVerify = true //#nosec G402

	return cfg
}