
package tlscommon

import "github.com/elastic/beats/libbeat/common/transport/tlscommon"

Index

Package Files

ca_pinning.go config.go server_config.go tls.go tls_config.go types.go verify.go versions.go versions_default.go

Constants

// Define all the possible TLS versions. The values mirror the crypto/tls
// protocol constants so they can be handed to a tls.Config unchanged.
const (
    // TLSVersionSSL30 is SSL 3.0. The protocol is deprecated (RFC 7568) and
    // is not part of TLSDefaultVersions, so it is only reachable through an
    // explicit supported_protocols setting. NOTE(review): recent Go
    // crypto/tls releases no longer negotiate SSL 3.0 at all — confirm
    // against the toolchain in use before relying on this value.
    TLSVersionSSL30 TLSVersion = tls.VersionSSL30
    // TLSVersion10 is TLS 1.0, deprecated by RFC 8996 together with TLS 1.1.
    // Not enabled by default (see TLSVersionDefaultMin).
    TLSVersion10    TLSVersion = tls.VersionTLS10
    // TLSVersion11 is TLS 1.1 (deprecated by RFC 8996). It is the lowest
    // version enabled by default, see TLSVersionDefaultMin.
    TLSVersion11    TLSVersion = tls.VersionTLS11
    // TLSVersion12 is TLS 1.2.
    TLSVersion12    TLSVersion = tls.VersionTLS12
    // TLSVersion13 is TLS 1.3.
    TLSVersion13    TLSVersion = tls.VersionTLS13

    // TLSVersionMin is the min TLS version supported (accepted by the
    // configuration, not enabled by default).
    TLSVersionMin = TLSVersionSSL30

    // TLSVersionMax is the max TLS version supported.
    TLSVersionMax = TLSVersion13

    // TLSVersionDefaultMin is the minimal TLS version that is enabled by
    // default. TLSVersionDefaultMin is >= TLSVersionMin; versions below it
    // (SSL 3.0, TLS 1.0) are only enabled by explicit configuration.
    TLSVersionDefaultMin = TLSVersion11

    // TLSVersionDefaultMax is the max TLS version that is enabled by default.
    TLSVersionDefaultMax = TLSVersionMax
)

Defines all the possible TLS versions.

Variables

// Errors reported while loading certificate material from the configuration.
var (
    // ErrNotACertificate indicates that a PEM file to be loaded is not a valid
    // PEM file or certificate.
    ErrNotACertificate = errors.New("file is not a certificate")

    // ErrKeyUnspecified indicates a configuration error with a missing key
    // file (a certificate was configured without its key).
    ErrKeyUnspecified = errors.New("key file not configured")

    // ErrCertificateUnspecified indicates a configuration error with a missing
    // certificate file (a key was configured without its certificate).
    ErrCertificateUnspecified = errors.New("certificate file not configured")
)
// ErrCAPinMissmatch is returned when CA pinning is configured (CASha256) and
// none of the provided pins matches a certificate authority in the verified
// chain. The connection must be treated as untrusted when this is returned.
var ErrCAPinMissmatch = errors.New("provided CA certificate pins doesn't match any of the certificate authorities used to validate the certificate")

ErrCAPinMissmatch is returned when no pin is matched in the verified chain.

// TLSDefaultVersions is the list of TLS versions we should support.
// SSL 3.0 and TLS 1.0 are deliberately absent; presumably this list is what
// applies when supported_protocols is not configured — verify in
// LoadTLSConfig. NOTE(review): TLS 1.1 is deprecated by RFC 8996; deployments
// that can require TLS 1.2+ should set supported_protocols explicitly.
var TLSDefaultVersions = []TLSVersion{
    TLSVersion11,
    TLSVersion12,
    TLSVersion13,
}

TLSDefaultVersions is the list of TLS versions we should support.

func Fingerprint Uses

func Fingerprint(certificate *x509.Certificate) string

Fingerprint takes a certificate and creates a hash of the DER-encoded public key.

func LoadCertificate Uses

func LoadCertificate(config *CertificateConfig) (*tls.Certificate, error)

LoadCertificate loads a certificate from disk and returns a tls.Certificate or an error.

func LoadCertificateAuthorities Uses

func LoadCertificateAuthorities(CAs []string) (*x509.CertPool, []error)

LoadCertificateAuthorities reads the slice of CA certificates and returns a CertPool.

func ReadPEMFile Uses

func ReadPEMFile(log *logp.Logger, path, passphrase string) ([]byte, error)

ReadPEMFile reads a PEM format file on disk, decrypts it with the provided passphrase and returns the raw content.

func ResolveCipherSuite Uses

func ResolveCipherSuite(cipher uint16) string

ResolveCipherSuite takes the integer representation and returns the cipher name.

func ResolveTLSVersion Uses

func ResolveTLSVersion(v uint16) string

ResolveTLSVersion takes the integer representation and returns the version name.

type CertificateConfig Uses

// CertificateConfig defines a common set of fields for a certificate: the
// certificate and private key files, plus an optional passphrase used to
// decrypt the key file (see ReadPEMFile).
type CertificateConfig struct {
    // Certificate is the PEM certificate file to present to the peer.
    Certificate string `config:"certificate" yaml:"certificate,omitempty"`
    // Key is the private key file belonging to Certificate. Validate expects
    // both or neither to be set (ErrKeyUnspecified / ErrCertificateUnspecified).
    Key         string `config:"key" yaml:"key,omitempty"`
    // Passphrase decrypts an encrypted key file. It is read from the
    // configuration, so it is only as secret as the file carrying it — keep
    // that file's permissions tight.
    Passphrase  string `config:"key_passphrase" yaml:"key_passphrase,omitempty"`
}

CertificateConfig define a common set of fields for a certificate.

func (*CertificateConfig) Validate Uses

func (c *CertificateConfig) Validate() error

Validate validates the CertificateConfig.

type Config Uses

// Config defines the user configurable options in the yaml file for a TLS
// client. LoadTLSConfig turns it into a TLSConfig.
type Config struct {
    // Enabled switches TLS on. A pointer, presumably so an absent key can be
    // told apart from an explicit false — see IsEnabled.
    Enabled          *bool                   `config:"enabled" yaml:"enabled,omitempty"`
    // VerificationMode is one of `none`, `certificate` or `full` (see
    // TLSVerificationMode). `none` is mapped to the insecure setting of
    // tls.Config and leaves the peer unauthenticated.
    VerificationMode TLSVerificationMode     `config:"verification_mode" yaml:"verification_mode"` // one of 'none', 'certificate', 'full'
    // Versions lists the allowed protocol versions; see TLSDefaultVersions.
    Versions         []TLSVersion            `config:"supported_protocols" yaml:"supported_protocols,omitempty"`
    // CipherSuites restricts the cipher suites offered; empty leaves the
    // implementation default.
    CipherSuites     []tlsCipherSuite        `config:"cipher_suites" yaml:"cipher_suites,omitempty"`
    // CAs are the certificate authorities used to verify the server; when
    // empty the host CA set is used (see LoadTLSConfig).
    CAs              []string                `config:"certificate_authorities" yaml:"certificate_authorities,omitempty"`
    // Certificate holds the client certificate, key and passphrase.
    Certificate      CertificateConfig       `config:",inline" yaml:",inline"`
    // CurveTypes selects the elliptic curves used for ECDHE.
    CurveTypes       []tlsCurveType          `config:"curve_types" yaml:"curve_types,omitempty"`
    // Renegotiation controls TLS renegotiation; `never` is correct for the
    // vast majority of applications (see TLSConfig.Renegotiation).
    Renegotiation    tlsRenegotiationSupport `config:"renegotiation" yaml:"renegotiation"`
    // CASha256 pins the CA certificates allowed in the verified chain; when
    // no pin matches, ErrCAPinMissmatch is returned.
    CASha256         []string                `config:"ca_sha256" yaml:"ca_sha256,omitempty"`
}

Config defines the user configurable options in the yaml file.

func (*Config) IsEnabled Uses

func (c *Config) IsEnabled() bool

IsEnabled returns true if the `enabled` field is set to true in the yaml.

func (*Config) Validate Uses

func (c *Config) Validate() error

Validate validates the config struct, making sure we have both a certificate and a key.

type ServerConfig Uses

// ServerConfig defines the user configurable tls options for any TCP based
// service. LoadTLSServerConfig turns it into a TLSConfig.
type ServerConfig struct {
    // Enabled switches TLS on for the service. A pointer, presumably so an
    // absent key can be told apart from an explicit false — see IsEnabled.
    Enabled          *bool               `config:"enabled"`
    // VerificationMode is one of `none`, `certificate` or `full` (see
    // TLSVerificationMode). `none` is mapped to the insecure setting of
    // tls.Config and leaves the peer certificate unverified.
    VerificationMode TLSVerificationMode `config:"verification_mode"` // one of 'none', 'certificate', 'full'
    // Versions lists the allowed protocol versions; see TLSDefaultVersions.
    Versions         []TLSVersion        `config:"supported_protocols"`
    // CipherSuites restricts the cipher suites offered; empty leaves the
    // implementation default.
    CipherSuites     []tlsCipherSuite    `config:"cipher_suites"`
    // CAs are the certificate authorities used to verify client certificates.
    CAs              []string            `config:"certificate_authorities"`
    // Certificate holds the server certificate, key and passphrase.
    Certificate      CertificateConfig   `config:",inline"`
    // CurveTypes selects the elliptic curves used for ECDHE.
    CurveTypes       []tlsCurveType      `config:"curve_types"`
    // ClientAuth is `none`, `optional` or `required`; TLSConfig.ClientAuth
    // documents `required` as the default. Only `required` guarantees that
    // every client presents a certificate.
    ClientAuth       tlsClientAuth       `config:"client_authentication"` //`none`, `optional` or `required`
}

ServerConfig defines the user configurable tls options for any TCP based service.

func (*ServerConfig) IsEnabled Uses

func (c *ServerConfig) IsEnabled() bool

IsEnabled returns true if the `enabled` field is set to true in the yaml.

func (*ServerConfig) Unpack Uses

func (c *ServerConfig) Unpack(cfg common.Config) error

Unpack unpacks the TLS Server configuration.

func (*ServerConfig) Validate Uses

func (c *ServerConfig) Validate() error

Validate validates the config struct, making sure we have both a certificate and a key.

type TLSConfig Uses

// TLSConfig is the intermediate structure used to configure a TCP client or
// server from a `Config` or `ServerConfig`; ToConfig and BuildModuleConfig
// turn it into a tls.Config.
type TLSConfig struct {

    // List of allowed SSL/TLS protocol versions. Connections might be dropped
    // after the handshake succeeded, if the TLS version in use is not listed.
    Versions []TLSVersion

    // Configure the SSL/TLS verification mode used during the handshake. By
    // default VerifyFull will be used; VerifyNone disables peer verification.
    Verification TLSVerificationMode

    // List of certificate chains to present to the other side of the
    // connection.
    Certificates []tls.Certificate

    // Set of root certificate authorities used to verify server certificates.
    // If RootCAs is nil, TLS might use the system's root CA set (not supported
    // on MS Windows).
    RootCAs *x509.CertPool

    // Set of root certificate authorities used to verify client certificates.
    // If ClientCAs is nil, TLS might use the system's root CA set (not supported
    // on MS Windows).
    ClientCAs *x509.CertPool

    // List of supported cipher suites. If nil, a default list provided by the
    // implementation will be used.
    CipherSuites []uint16

    // Types of elliptic curves that will be used in an ECDHE handshake. If empty,
    // the implementation will choose a default.
    CurvePreferences []tls.CurveID

    // Renegotiation controls what types of renegotiation are supported.
    // The default, never, is correct for the vast majority of applications.
    Renegotiation tls.RenegotiationSupport

    // ClientAuth controls how we want to verify the certificate from a client:
    // `none`, `optional` or `required`, defaulting to required. Does not affect
    // a TCP client.
    ClientAuth tls.ClientAuthType

    // CASha256 is the CA certificate pin list, used to validate the CA that
    // will be used to trust the server certificate. When set and no pin
    // matches a CA in the verified chain, ErrCAPinMissmatch is returned.
    CASha256 []string
    // contains filtered or unexported fields
}

TLSConfig is the intermediate structure used to configure a TCP client or server from a `Config`.

func LoadTLSConfig Uses

func LoadTLSConfig(config *Config) (*TLSConfig, error)

LoadTLSConfig will load a certificate from config with all TLS based keys defined. If Certificate and CertificateKey are configured, client authentication will be configured. If no CAs are configured, the host CA set will be used by Go's built-in TLS support.

func LoadTLSServerConfig Uses

func LoadTLSServerConfig(config *ServerConfig) (*TLSConfig, error)

LoadTLSServerConfig transforms a ServerConfig into a `tls.Config` to be used directly with golang network types.

func (*TLSConfig) BuildModuleConfig Uses

func (c *TLSConfig) BuildModuleConfig(host string) *tls.Config

BuildModuleConfig takes the TLSConfig and transforms it into a `tls.Config`.

func (*TLSConfig) ToConfig Uses

func (c *TLSConfig) ToConfig() *tls.Config

ToConfig generates a tls.Config object. Note that you must use BuildModuleConfig to generate a config with ServerName set; use that method for servers with SNI.

type TLSVerificationMode Uses

// TLSVerificationMode represents the type of verification to do on the
// remote host: `none`, `certificate` or `full`, defaulting to `full`.
// Internally it is transformed into the `insecure` field of tls.Config, so
// `none` turns peer authentication off entirely.
type TLSVerificationMode uint8

TLSVerificationMode represents the type of verification to do on the remote host: `none`, `certificate`, or `full`; the default is `full`. Internally this option is transformed into the `insecure` field in the `tls.Config` struct.

// Constants of the supported verification modes.
const (
    // VerifyFull is the zero value and therefore the default: the peer
    // certificate chain is verified.
    VerifyFull TLSVerificationMode = iota
    // VerifyNone is transformed into the insecure field of tls.Config and
    // skips peer verification; suitable for testing only.
    VerifyNone
    // VerifyCertificate verifies the certificate. NOTE(review): how it
    // differs from VerifyFull (presumably host name checking) is not
    // documented here — confirm in verify.go.
    VerifyCertificate
)

Constants of the supported verification modes.

func (TLSVerificationMode) MarshalText Uses

func (m TLSVerificationMode) MarshalText() ([]byte, error)

MarshalText marshals the verification mode into a human readable value.

func (TLSVerificationMode) String Uses

func (m TLSVerificationMode) String() string

func (*TLSVerificationMode) Unpack Uses

func (m *TLSVerificationMode) Unpack(in interface{}) error

Unpack unpacks the string into constants.

type TLSVersion Uses

// TLSVersion is the type for a TLS protocol version; its values are the
// TLSVersion* constants, which mirror crypto/tls.
type TLSVersion uint16

TLSVersion type for TLS version.

func (TLSVersion) Details Uses

func (v TLSVersion) Details() *TLSVersionDetails

Details returns a TLSVersionDetails struct containing detailed version metadata.

func (TLSVersion) String Uses

func (v TLSVersion) String() string

func (*TLSVersion) Unpack Uses

func (v *TLSVersion) Unpack(s string) error

Unpack transforms the string into a constant.

type TLSVersionDetails Uses

// TLSVersionDetails carries the split and combined textual form of a TLS
// version, as returned by TLSVersion.Details.
type TLSVersionDetails struct {
    // Version is the numeric part of the version (e.g. "1.2" — constructed example).
    Version  string
    // Protocol is the protocol name without the numeric version; presumably
    // the lower-case value intended for ECS's tls.version_protocol field.
    Protocol string
    // Combined is presumably Protocol and Version joined; see String.
    Combined string
}

Intended for ECS's tls.version_protocol_field, which does not include the numeric version and should be lower case.

func (TLSVersionDetails) String Uses

func (pv TLSVersionDetails) String() string
