@@ -19,35 +19,37 @@ package restapi
19
19
import (
20
20
"crypto/tls"
21
21
"crypto/x509"
22
- "fmt"
23
22
"io/ioutil"
23
+ "log"
24
24
"net"
25
25
"net/http"
26
26
"time"
27
27
)
28
28
29
- var (
30
- certDontExists = "File certificate doesn't exists: %s"
31
- )
29
+ func getCertPool () * x509.CertPool {
30
+ caCertFileNames := getMinioServerTLSRootCAs ()
31
+ // If CAs certificates are configured we save them to the http.Client RootCAs store
32
+ certs := x509 .NewCertPool ()
33
+ for _ , caCert := range caCertFileNames {
34
+ pemData , err := ioutil .ReadFile (caCert )
35
+ if err != nil {
36
+ // logging this error
37
+ log .Println (err )
38
+ continue
39
+ }
40
+ certs .AppendCertsFromPEM (pemData )
41
+ }
42
+ return certs
43
+ }
44
+
45
+ var certPool = getCertPool ()
32
46
33
47
func prepareSTSClientTransport (insecure bool ) * http.Transport {
34
48
// This takes github.com/minio/minio/pkg/madmin/transport.go as an example
35
49
//
36
50
// DefaultTransport - this default transport is similar to
37
51
// http.DefaultTransport but with additional param DisableCompression
38
52
// is set to true to avoid decompressing content with 'gzip' encoding.
39
-
40
- // Keep TLS config.
41
- tlsConfig := & tls.Config {
42
- // Can't use SSLv3 because of POODLE and BEAST
43
- // Can't use TLSv1.0 because of POODLE and BEAST using CBC cipher
44
- // Can't use TLSv1.1 because of RC4 cipher usage
45
- MinVersion : tls .VersionTLS12 ,
46
- }
47
- if insecure {
48
- tlsConfig .InsecureSkipVerify = true
49
- }
50
-
51
53
DefaultTransport := & http.Transport {
52
54
Proxy : http .ProxyFromEnvironment ,
53
55
DialContext : (& net.Dialer {
@@ -61,38 +63,14 @@ func prepareSTSClientTransport(insecure bool) *http.Transport {
61
63
TLSHandshakeTimeout : 10 * time .Second ,
62
64
ExpectContinueTimeout : 1 * time .Second ,
63
65
DisableCompression : true ,
64
- TLSClientConfig : tlsConfig ,
65
- }
66
- // If Minio instance is running with TLS enabled and it's using a self-signed certificate
67
- // or a certificate issued by a custom certificate authority we prepare a new custom *http.Transport
68
- if getMinIOEndpointIsSecure () {
69
- caCertFileNames := getMinioServerTLSRootCAs ()
70
- tlsConfig := & tls.Config {
66
+ TLSClientConfig : & tls.Config {
71
67
// Can't use SSLv3 because of POODLE and BEAST
72
68
// Can't use TLSv1.0 because of POODLE and BEAST using CBC cipher
73
69
// Can't use TLSv1.1 because of RC4 cipher usage
74
- MinVersion : tls .VersionTLS12 ,
75
- }
76
- // If CAs certificates are configured we save them to the http.Client RootCAs store
77
- if len (caCertFileNames ) > 0 {
78
- certs := x509 .NewCertPool ()
79
- for _ , caCert := range caCertFileNames {
80
- // Validate certificate exists
81
- if FileExists (caCert ) {
82
- pemData , err := ioutil .ReadFile (caCert )
83
- if err != nil {
84
- // if there was an error reading pem file stop console
85
- panic (err )
86
- }
87
- certs .AppendCertsFromPEM (pemData )
88
- } else {
89
- // if provided cert filename doesn't exists stop console
90
- panic (fmt .Sprintf (certDontExists , caCert ))
91
- }
92
- }
93
- tlsConfig .RootCAs = certs
94
- }
95
- DefaultTransport .TLSClientConfig = tlsConfig
70
+ MinVersion : tls .VersionTLS12 ,
71
+ InsecureSkipVerify : insecure ,
72
+ RootCAs : certPool ,
73
+ },
96
74
}
97
75
return DefaultTransport
98
76
}
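Review bot: `RootCAs: certPool` on new line 72 now always receives a non-nil pool, even when `getMinioServerTLSRootCAs()` returns no paths or every file fails to read, and crypto/tls treats a non-nil `RootCAs` as the complete trust store, so an endpoint presenting a publicly trusted certificate will fail verification where the removed code (which set `RootCAs` only inside `len(caCertFileNames) > 0`) used the system roots. In `getCertPool` (first hunk) the result of `certs.AppendCertsFromPEM(pemData)` is also discarded, so a file with no parsable certificate is silently counted as loaded, and the former fail-fast on a missing file has become a log line, which makes a misconfigured CA path surface only as a later handshake error. I would return nil when nothing was added and log the parse failure as sketched below; `var certPool = getCertPool()` reading files at package init is unchanged here but deserves at least a comment explaining why init time is acceptable.
```go
func getCertPool() *x509.CertPool {
	caCertFileNames := getMinioServerTLSRootCAs()
	certs := x509.NewCertPool()
	loaded := 0
	for _, caCert := range caCertFileNames {
		pemData, err := ioutil.ReadFile(caCert)
		if err != nil {
			log.Println(err)
			continue
		}
		if !certs.AppendCertsFromPEM(pemData) {
			log.Printf("no PEM certificates found in %s", caCert)
			continue
		}
		loaded++
	}
	if loaded == 0 {
		// nil RootCAs makes crypto/tls verify against the system roots
		return nil
	}
	return certs
}
// … unchanged: var certPool = getCertPool() and prepareSTSClientTransport …
```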