github.com/tw-bc-group/fabric-ca@v2.0.0-alpha+incompatible/lib/server/operations/tls.go (about) 1 /* 2 Copyright IBM Corp All Rights Reserved. 3 4 SPDX-License-Identifier: Apache-2.0 5 */ 6 7 package operations 8 9 import ( 10 "crypto/tls" 11 "crypto/x509" 12 "io/ioutil" 13 ) 14 15 var ( 16 // DefaultTLSCipherSuites is the list of default cipher suites 17 DefaultTLSCipherSuites = []uint16{ 18 tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 19 tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 20 tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 21 tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 22 tls.TLS_RSA_WITH_AES_128_GCM_SHA256, 23 tls.TLS_RSA_WITH_AES_256_GCM_SHA384, 24 } 25 ) 26 27 // TLS contains the TLS configuration for the operations system serve 28 type TLS struct { 29 Enabled bool 30 CertFile string 31 KeyFile string 32 ClientCertRequired bool 33 ClientCACertFiles []string 34 } 35 36 // Config returns TLS configuration 37 func (t *TLS) Config() (*tls.Config, error) { 38 var tlsConfig *tls.Config 39 40 if t.Enabled { 41 cert, err := tls.LoadX509KeyPair(t.CertFile, t.KeyFile) 42 if err != nil { 43 return nil, err 44 } 45 caCertPool := x509.NewCertPool() 46 for _, caPath := range t.ClientCACertFiles { 47 caPem, err := ioutil.ReadFile(caPath) 48 if err != nil { 49 return nil, err 50 } 51 caCertPool.AppendCertsFromPEM(caPem) 52 } 53 tlsConfig = &tls.Config{ 54 Certificates: []tls.Certificate{cert}, 55 CipherSuites: DefaultTLSCipherSuites, 56 ClientCAs: caCertPool, 57 } 58 if t.ClientCertRequired { 59 tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert 60 } else { 61 tlsConfig.ClientAuth = tls.VerifyClientCertIfGiven 62 } 63 } 64 65 return tlsConfig, nil 66 }