
package tlscommon

import "github.com/elastic/beats/libbeat/common/transport/tlscommon"


Package Files

config.go server_config.go tls.go tls_config.go types.go

Variables

var (
    // ErrNotACertificate indicates that a PEM file to be loaded is not a valid
    // PEM file or does not contain a certificate.
    ErrNotACertificate = errors.New("file is not a certificate")

    // ErrCertificateNoKey indicates a configuration error: a certificate file
    // was configured without its private key file.
    ErrCertificateNoKey = errors.New("key file not configured")

    // ErrKeyNoCertificate indicates a configuration error: a private key file
    // was configured without its certificate file.
    ErrKeyNoCertificate = errors.New("certificate file not configured")
)
// TLSDefaultVersions is the default list of TLS versions this package
// supports, presumably applied when `supported_protocols` is not set.
//
// NOTE(review): TLS 1.1 is deprecated (RFC 8996). Deployments that do not
// have to talk to legacy peers should pin `supported_protocols` to TLS 1.2
// explicitly rather than rely on this default.
var TLSDefaultVersions = []TLSVersion{
    TLSVersion11,
    TLSVersion12,
}

TLSDefaultVersions is the default list of TLS versions this package supports. It still includes TLS 1.1, which is deprecated (RFC 8996); deployments that do not need to interoperate with legacy peers should set `supported_protocols` to TLS 1.2 explicitly.

func LoadCertificate

func LoadCertificate(config *CertificateConfig) (*tls.Certificate, error)

LoadCertificate loads the certificate and private key referenced by config from disk and returns the resulting tls.Certificate, or an error.

func LoadCertificateAuthorities

func LoadCertificateAuthorities(CAs []string) (*x509.CertPool, []error)

LoadCertificateAuthorities reads each CA certificate file listed in CAs and returns them as an x509.CertPool. Loading is per file: the returned slice collects the errors encountered, so callers should check it rather than assume a non-nil pool means every configured CA was loaded.

func ReadPEMFile

func ReadPEMFile(path, passphrase string) ([]byte, error)

ReadPEMFile reads a PEM-format file from disk, decrypts it with the provided passphrase where the PEM block is encrypted, and returns the raw content.

func ResolveCipherSuite

func ResolveCipherSuite(cipher uint16) string

ResolveCipherSuite takes the integer (uint16) identifier of a cipher suite and returns the cipher suite's name.

func ResolveTLSVersion

func ResolveTLSVersion(v uint16) string

ResolveTLSVersion takes the integer (uint16) identifier of a TLS version and returns its name.

type CertificateConfig

type CertificateConfig struct {
    // Certificate is the path to the PEM-encoded certificate file.
    Certificate string `config:"certificate" yaml:"certificate,omitempty"`
    // Key is the path to the PEM-encoded private key file matching Certificate.
    Key         string `config:"key" yaml:"key,omitempty"`
    // Passphrase is used to decrypt Key when the key file is encrypted
    // (see ReadPEMFile). It is stored in clear text in the configuration, so
    // the configuration file itself must be protected with restrictive
    // permissions.
    Passphrase  string `config:"key_passphrase" yaml:"key_passphrase,omitempty"`
}

CertificateConfig defines the common set of fields for a certificate: the paths to the certificate and private key files, and the passphrase for an encrypted key.

func (*CertificateConfig) Validate

func (c *CertificateConfig) Validate() error

Validate validates the CertificateConfig; a certificate configured without its key, or a key without its certificate, is a configuration error (compare ErrCertificateNoKey and ErrKeyNoCertificate).

type Config

type Config struct {
    // Enabled toggles TLS; it is a pointer so an absent setting is
    // distinguishable from false (see IsEnabled).
    Enabled          *bool                   `config:"enabled" yaml:"enabled,omitempty"`
    // VerificationMode is `full` (the default) or `none`. `none` disables
    // peer certificate verification and must not be used outside test setups.
    VerificationMode TLSVerificationMode     `config:"verification_mode" yaml:"verification_mode"` // one of 'none', 'full'
    // Versions restricts the allowed protocol versions; when empty,
    // TLSDefaultVersions presumably applies. Prefer pinning this to TLS 1.2.
    Versions         []TLSVersion            `config:"supported_protocols" yaml:"supported_protocols,omitempty"`
    // CipherSuites restricts the cipher suites offered; when empty the
    // implementation default is used (see TLSConfig.CipherSuites).
    CipherSuites     []tlsCipherSuite        `config:"cipher_suites" yaml:"cipher_suites,omitempty"`
    // CAs lists the CA certificate files trusted to sign the peer's
    // certificate. When empty the host CA set is used (see LoadTLSConfig).
    CAs              []string                `config:"certificate_authorities" yaml:"certificate_authorities,omitempty"`
    // Certificate is the client certificate and key presented to the peer,
    // if configured.
    Certificate      CertificateConfig       `config:",inline" yaml:",inline"`
    // CurveTypes lists the elliptic curves allowed for the ECDHE handshake.
    CurveTypes       []tlsCurveType          `config:"curve_types" yaml:"curve_types,omitempty"`
    // Renegotiation controls TLS renegotiation; `never` is the safe default
    // (see TLSConfig.Renegotiation).
    Renegotiation    tlsRenegotiationSupport `config:"renegotiation" yaml:"renegotiation"`
}

Config defines the user-configurable TLS client options in the YAML file.

func (*Config) IsEnabled

func (c *Config) IsEnabled() bool

IsEnabled returns true if the `enabled` field is set to true in the YAML.

func (*Config) Validate

func (c *Config) Validate() error

Validate checks the Config for consistency, in particular that a certificate and a key are either both configured or both absent.

type ServerConfig

type ServerConfig struct {
    // Enabled toggles TLS; it is a pointer so an absent setting is
    // distinguishable from false (see IsEnabled).
    Enabled          *bool               `config:"enabled"`
    // VerificationMode is `full` (the default) or `none`; `none` disables
    // client certificate verification and is only appropriate for testing.
    VerificationMode TLSVerificationMode `config:"verification_mode"` // one of 'none', 'full'
    // Versions restricts the allowed protocol versions; when empty,
    // TLSDefaultVersions presumably applies. Prefer pinning this to TLS 1.2.
    Versions         []TLSVersion        `config:"supported_protocols"`
    // CipherSuites restricts the cipher suites offered; when empty the
    // implementation default is used (see TLSConfig.CipherSuites).
    CipherSuites     []tlsCipherSuite    `config:"cipher_suites"`
    // CAs lists the CA certificate files trusted to sign client certificates.
    CAs              []string            `config:"certificate_authorities"`
    // Certificate is the server certificate and key presented to clients.
    Certificate      CertificateConfig   `config:",inline"`
    // CurveTypes lists the elliptic curves allowed for the ECDHE handshake.
    CurveTypes       []tlsCurveType      `config:"curve_types"`
    // ClientAuth selects how clients are authenticated. Only `required`
    // guarantees that every client presents a valid certificate; `optional`
    // and `none` accept connections without one.
    ClientAuth       tlsClientAuth       `config:"client_authentication"` //`none`, `optional` or `required`
}

ServerConfig defines the user-configurable TLS options for any TCP-based service.

func (*ServerConfig) IsEnabled

func (c *ServerConfig) IsEnabled() bool

IsEnabled returns true if the `enabled` field is set to true in the YAML.

func (*ServerConfig) Unpack

func (c *ServerConfig) Unpack(cfg common.Config) error

Unpack unpacks the TLS server configuration from cfg.

func (*ServerConfig) Validate

func (c *ServerConfig) Validate() error

Validate checks the ServerConfig for consistency, in particular that a certificate and a key are either both configured or both absent.

type TLSConfig

type TLSConfig struct {

    // List of allowed SSL/TLS protocol versions. Connections might be dropped
    // after the handshake succeeded if the TLS version in use is not listed.
    // NOTE(review): only TLS 1.2 of the versions defined here is still
    // recommended; SSL 3.0 and TLS 1.0/1.1 are deprecated.
    Versions []TLSVersion

    // Configure SSL/TLS verification mode used during handshake. By default
    // VerifyFull will be used. VerifyNone disables peer certificate
    // verification and leaves the connection open to man-in-the-middle
    // attacks; use it for testing only.
    Verification TLSVerificationMode

    // List of certificate chains to present to the other side of the
    // connection.
    Certificates []tls.Certificate

    // Set of root certificate authorities used to verify server certificates.
    // If RootCAs is nil, TLS might use the system's root CA set (not supported
    // on MS Windows).
    RootCAs *x509.CertPool

    // Set of root certificate authorities used to verify client certificates.
    // If ClientCAs is nil, TLS might use the system's root CA set (not supported
    // on MS Windows).
    ClientCAs *x509.CertPool

    // List of supported cipher suites. If nil, a default list provided by the
    // implementation will be used.
    CipherSuites []uint16

    // Types of elliptic curves that will be used in an ECDHE handshake. If empty,
    // the implementation will choose a default.
    CurvePreferences []tls.CurveID

    // Renegotiation controls what types of renegotiation are supported.
    // The default, never, is correct for the vast majority of applications;
    // allowing renegotiation widens the attack surface for little benefit.
    Renegotiation tls.RenegotiationSupport

    // ClientAuth controls how a client's certificate is verified: `none`,
    // `optional` or `required`; the default is required. Only `required`
    // guarantees every client is authenticated. It does not affect TCP clients.
    ClientAuth tls.ClientAuthType
}

TLSConfig is the intermediate structure used to configure a TCP client or server from a `Config` or `ServerConfig`; BuildModuleConfig turns it into a `tls.Config`.

func LoadTLSConfig

func LoadTLSConfig(config *Config) (*TLSConfig, error)

LoadTLSConfig builds a TLSConfig from config with all TLS-related settings applied. If `certificate` and `key` are configured, that certificate is presented to the server (client authentication). If no `certificate_authorities` are configured, the host's CA set is used by Go's built-in TLS support. Note that CA settings only matter when `verification_mode` is `full`; with `none` the server certificate is effectively not verified at all.

func LoadTLSServerConfig

func LoadTLSServerConfig(config *ServerConfig) (*TLSConfig, error)

LoadTLSServerConfig transforms a ServerConfig into a TLSConfig, from which BuildModuleConfig produces the `tls.Config` used directly with Go's network types.

func (*TLSConfig) BuildModuleConfig

func (c *TLSConfig) BuildModuleConfig(host string) *tls.Config

BuildModuleConfig takes the TLSConfig and transforms it into a `tls.Config`; host is presumably the peer name used for server-name verification (confirm against tls.go).

type TLSVerificationMode

type TLSVerificationMode uint8

TLSVerificationMode represents the type of verification to do on the remote host, `none` or `full`; the default is `full`. Internally this option is mapped onto the `InsecureSkipVerify` field of the `tls.Config` struct, so `none` disables certificate-chain and hostname checking and leaves the connection open to man-in-the-middle attacks; use it only for testing.

const (
    // VerifyFull (the zero value, and hence the default) verifies the peer
    // certificate against the configured CAs.
    VerifyFull TLSVerificationMode = iota
    // VerifyNone skips peer certificate verification entirely (it maps to
    // InsecureSkipVerify in tls.Config). It exposes the connection to
    // man-in-the-middle attacks and is only appropriate for testing.
    VerifyNone
)

Constants of the supported verification modes.

func (TLSVerificationMode) MarshalText

func (m TLSVerificationMode) MarshalText() ([]byte, error)

MarshalText marshals the verification mode into its human-readable name.

func (TLSVerificationMode) String

func (m TLSVerificationMode) String() string

func (*TLSVerificationMode) Unpack

func (m *TLSVerificationMode) Unpack(in interface{}) error

Unpack parses the string form into one of the constants.

type TLSVersion

type TLSVersion uint16

TLSVersion is the type for a TLS protocol version.

const (
    // TLSVersionSSL30 is SSL 3.0. It is obsolete and insecure (RFC 7568,
    // POODLE) and must not be listed in `supported_protocols`.
    TLSVersionSSL30 TLSVersion = tls.VersionSSL30
    // TLSVersion10 is TLS 1.0, deprecated by RFC 8996.
    TLSVersion10    TLSVersion = tls.VersionTLS10
    // TLSVersion11 is TLS 1.1, deprecated by RFC 8996.
    TLSVersion11    TLSVersion = tls.VersionTLS11
    // TLSVersion12 is TLS 1.2, the only version defined here that is still
    // recommended.
    TLSVersion12    TLSVersion = tls.VersionTLS12
)

Defines all the TLS versions this package recognises. SSL 3.0 and TLS 1.0/1.1 are deprecated and should not appear in `supported_protocols` except to interoperate with legacy peers.

func (TLSVersion) String

func (v TLSVersion) String() string

func (*TLSVersion) Unpack

func (v *TLSVersion) Unpack(s string) error

Unpack transforms the string form into the matching constant.
