From 9baca36b2c2af1b45f8d24c8ee433bd7f57c7a60 Mon Sep 17 00:00:00 2001
From: Douglas De Toni Machado
Date: Thu, 24 Jun 2021 11:54:12 -0300
Subject: [PATCH] Add mutual TLS support
---
 app.go | 34 +++++++++++++++++++++++++++++++++-
 1 file changed, 33 insertions(+), 1 deletion(-)
diff --git a/app.go b/app.go
index dc4fdf9..96163ff 100644
--- a/app.go
+++ b/app.go
@@ -2,10 +2,13 @@ package main
 import (
 "bytes"
+ "crypto/tls"
+ "crypto/x509"
 "encoding/json"
 "flag"
 "fmt"
 "io"
+ "io/ioutil"
 "log"
 "net"
 "net/http"
@@ -31,6 +34,7 @@ const (
 var (
 cert string
 key string
+ ca string
 port string
 name string
 )
@@ -38,6 +42,7 @@ var (
 func init() {
 flag.StringVar(&cert, "cert", "", "give me a certificate")
 flag.StringVar(&key, "key", "", "give me a key")
+ flag.StringVar(&ca, "cacert", "", "give me a CA chain, enforces mutual TLS")
 flag.StringVar(&port, "port", "80", "give me a port number")
 flag.StringVar(&name, "name", os.Getenv("WHOAMI_NAME"), "give me a name")
 }
@@ -60,11 +65,38 @@ func main() {
 fmt.Println("Starting up on port " + port)
 if len(cert) > 0 && len(key) > 0 {
- log.Fatal(http.ListenAndServeTLS(":"+port, cert, key, nil))
+ server := &http.Server{
+ Addr: ":" + port,
+ }
+
+ if len(ca) > 0 {
+ server.TLSConfig = setupMutualTLS(ca)
+ }
+
+ log.Fatal(server.ListenAndServeTLS(cert, key))
 }
 log.Fatal(http.ListenAndServe(":"+port, nil))
 }
+func setupMutualTLS(ca string) *tls.Config {
+ clientCACert, err := ioutil.ReadFile(ca)
+ if err != nil {
+ log.Fatal(err)
+ }
+
+ clientCertPool := x509.NewCertPool()
+ clientCertPool.AppendCertsFromPEM(clientCACert)
+
+ tlsConfig := &tls.Config{
+ ClientAuth: tls.RequireAndVerifyClientCert,
+ ClientCAs: clientCertPool,
+ PreferServerCipherSuites: true,
+ MinVersion: tls.VersionTLS12,
+ }
+
+ return tlsConfig
+}
+
 func benchHandler(w http.ResponseWriter, _ *http.Request) {
 w.Header().Set("Connection", "keep-alive")
 w.Header().Set("Content-Type", "text/plain")
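Review bot: In setupMutualTLS the boolean returned by `clientCertPool.AppendCertsFromPEM(clientCACert)` is discarded, so a -cacert file that contains no parseable PEM certificate produces an empty pool and, with RequireAndVerifyClientCert, every client handshake is rejected without any startup message explaining why; replacing the call with `if !clientCertPool.AppendCertsFromPEM(clientCACert) { log.Fatalf("no CA certificates parsed from %s", ca) }` makes the misconfiguration fail at launch instead. In the main hunk, a -cacert supplied without -cert and -key is silently ignored and the server falls back to plain HTTP, so a guard such as `if len(ca) > 0 && (len(cert) == 0 || len(key) == 0) { log.Fatal("-cacert requires -cert and -key") }` ahead of the TLS branch would make that explicit; main's body begins outside the hunk. Minor: `ioutil.ReadFile` has an `os.ReadFile` equivalent from Go 1.16 and `PreferServerCipherSuites` is ignored by newer Go releases, so depending on the module's Go version both could be dropped.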