
Commit d28e66a

authored
prepareSTSClientTransport tls function refactor (#244)
- Reading root CA certificates now runs only once, when Console starts, reducing the chance of panics happening at runtime - Fixed a bug in which the tls.Config InsecureSkipVerify setting could be overridden after the variable was reassigned
1 parent e0ff662 commit d28e66a


1 file changed

+23
-45
lines changed


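--- a/restapi/tls.go
+++ b/restapi/tls.go
@@ -19,35 +19,37 @@ package restapi
 import (
 	"crypto/tls"
 	"crypto/x509"
-	"fmt"
 	"io/ioutil"
+	"log"
 	"net"
 	"net/http"
 	"time"
 )
 
-var (
-	certDontExists = "File certificate doesn't exists: %s"
-)
+func getCertPool() *x509.CertPool {
+	caCertFileNames := getMinioServerTLSRootCAs()
+	// If CAs certificates are configured we save them to the http.Client RootCAs store
+	certs := x509.NewCertPool()
+	for _, caCert := range caCertFileNames {
+		pemData, err := ioutil.ReadFile(caCert)
+		if err != nil {
+			// logging this error
+			log.Println(err)
+			continue
+		}
+		certs.AppendCertsFromPEM(pemData)
+	}
+	return certs
+}
+
+var certPool = getCertPool()
 
 func prepareSTSClientTransport(insecure bool) *http.Transport {
 	// This takes github.com/minio/minio/pkg/madmin/transport.go as an example
 	//
 	// DefaultTransport - this default transport is similar to
 	// http.DefaultTransport but with additional param DisableCompression
 	// is set to true to avoid decompressing content with 'gzip' encoding.
-
-	// Keep TLS config.
-	tlsConfig := &tls.Config{
-		// Can't use SSLv3 because of POODLE and BEAST
-		// Can't use TLSv1.0 because of POODLE and BEAST using CBC cipher
-		// Can't use TLSv1.1 because of RC4 cipher usage
-		MinVersion: tls.VersionTLS12,
-	}
-	if insecure {
-		tlsConfig.InsecureSkipVerify = true
-	}
-
 	DefaultTransport := &http.Transport{
 		Proxy: http.ProxyFromEnvironment,
 		DialContext: (&net.Dialer{
@@ -61,38 +63,14 @@ func prepareSTSClientTransport(insecure bool) *http.Transport {
 		TLSHandshakeTimeout: 10 * time.Second,
 		ExpectContinueTimeout: 1 * time.Second,
 		DisableCompression: true,
-		TLSClientConfig: tlsConfig,
-	}
-	// If Minio instance is running with TLS enabled and it's using a self-signed certificate
-	// or a certificate issued by a custom certificate authority we prepare a new custom *http.Transport
-	if getMinIOEndpointIsSecure() {
-		caCertFileNames := getMinioServerTLSRootCAs()
-		tlsConfig := &tls.Config{
+		TLSClientConfig: &tls.Config{
 			// Can't use SSLv3 because of POODLE and BEAST
 			// Can't use TLSv1.0 because of POODLE and BEAST using CBC cipher
 			// Can't use TLSv1.1 because of RC4 cipher usage
-			MinVersion: tls.VersionTLS12,
-		}
-		// If CAs certificates are configured we save them to the http.Client RootCAs store
-		if len(caCertFileNames) > 0 {
-			certs := x509.NewCertPool()
-			for _, caCert := range caCertFileNames {
-				// Validate certificate exists
-				if FileExists(caCert) {
-					pemData, err := ioutil.ReadFile(caCert)
-					if err != nil {
-						// if there was an error reading pem file stop console
-						panic(err)
-					}
-					certs.AppendCertsFromPEM(pemData)
-				} else {
-					// if provided cert filename doesn't exists stop console
-					panic(fmt.Sprintf(certDontExists, caCert))
-				}
-			}
-			tlsConfig.RootCAs = certs
-		}
-		DefaultTransport.TLSClientConfig = tlsConfig
+			MinVersion: tls.VersionTLS12,
+			InsecureSkipVerify: insecure,
+			RootCAs: certPool,
+		},
 	}
 	return DefaultTransport
 }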
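Review bot: `RootCAs: certPool` is now always a non-nil pool, because `getCertPool` returns `x509.NewCertPool()` even when `getMinioServerTLSRootCAs()` yields no files; crypto/tls only falls back to the host's root CA set when `RootCAs` is nil, so a non-nil empty pool rejects every publicly-trusted server certificate. The removed code only set `RootCAs` inside `if len(caCertFileNames) > 0`, so deployments whose MinIO endpoint uses a public CA and configure no custom roots will start failing TLS verification unless `insecure` is set. Returning nil when no CA files are configured restores the old fallback; while there, the ignored boolean from `certs.AppendCertsFromPEM` should be checked so a file that parses to zero certificates is logged rather than silently producing an empty pool. A CA path that is configured but unreadable is now logged and skipped instead of panicking, so the misconfiguration surfaces later as handshake failures; a comment on `getCertPool` should say so.
```go
func getCertPool() *x509.CertPool {
	caCertFileNames := getMinioServerTLSRootCAs()
	if len(caCertFileNames) == 0 {
		// nil RootCAs lets crypto/tls use the host's root CA set
		return nil
	}
	certs := x509.NewCertPool()
	for _, caCert := range caCertFileNames {
		// … unchanged: ioutil.ReadFile and log-and-continue on error …
		if !certs.AppendCertsFromPEM(pemData) {
			log.Printf("no certificates found in %s", caCert)
		}
	}
	return certs
}
```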
