mirror of
https://github.com/rcourtman/Pulse.git
synced 2026-07-09 16:00:59 +00:00
47 lines
1.3 KiB
Go
47 lines
1.3 KiB
Go
package agenttls
|
|
|
|
import (
|
|
"crypto/tls"
|
|
"crypto/x509"
|
|
"fmt"
|
|
"os"
|
|
"strings"
|
|
|
|
"github.com/rcourtman/pulse-go-rewrite/pkg/tlsutil"
|
|
)
|
|
|
|
// NewClientTLSConfig returns a client TLS config with optional insecure mode
|
|
// and optional custom CA bundle support.
|
|
func NewClientTLSConfig(caBundlePath string, insecureSkipVerify bool, expectedServerFingerprint string) (*tls.Config, error) {
|
|
expectedServerFingerprint = strings.TrimSpace(expectedServerFingerprint)
|
|
|
|
tlsConfig := &tls.Config{MinVersion: tls.VersionTLS12}
|
|
if expectedServerFingerprint != "" {
|
|
tlsConfig = tlsutil.FingerprintVerifier(expectedServerFingerprint)
|
|
tlsConfig.MinVersion = tls.VersionTLS12
|
|
} else if insecureSkipVerify {
|
|
//nolint:gosec // Insecure mode is explicitly user-controlled.
|
|
tlsConfig.InsecureSkipVerify = true
|
|
}
|
|
|
|
caBundlePath = strings.TrimSpace(caBundlePath)
|
|
if caBundlePath == "" {
|
|
return tlsConfig, nil
|
|
}
|
|
|
|
caData, err := os.ReadFile(caBundlePath)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("read CA bundle %s: %w", caBundlePath, err)
|
|
}
|
|
|
|
pool, err := x509.SystemCertPool()
|
|
if err != nil || pool == nil {
|
|
pool = x509.NewCertPool()
|
|
}
|
|
if ok := pool.AppendCertsFromPEM(caData); !ok {
|
|
return nil, fmt.Errorf("CA bundle %s does not contain any certificates", caBundlePath)
|
|
}
|
|
|
|
tlsConfig.RootCAs = pool
|
|
return tlsConfig, nil
|
|
}
|