TUN-1982: Load custom origin CA when OriginCAPool is specified
parent
2fa09e1cc6
commit
c2a3ac3991
|
@ -89,16 +89,35 @@ func LoadOriginCA(c *cli.Context, logger *logrus.Logger) (*x509.CertPool, error)
|
|||
return originCertPool, nil
|
||||
}
|
||||
|
||||
func LoadCustomCertPool(customCertFilename string) (*x509.CertPool, error) {
|
||||
pool := x509.NewCertPool()
|
||||
customCAPoolPEM, err := ioutil.ReadFile(customCertFilename)
|
||||
func LoadCustomOriginCA(originCAFilename string) (*x509.CertPool, error) {
|
||||
// First, obtain the system certificate pool
|
||||
certPool, err := x509.SystemCertPool()
|
||||
if err != nil {
|
||||
return nil, errors.Wrap(err, fmt.Sprintf("unable to read the file %s", customCertFilename))
|
||||
certPool = x509.NewCertPool()
|
||||
}
|
||||
if !pool.AppendCertsFromPEM(customCAPoolPEM) {
|
||||
|
||||
// Next, append the Cloudflare CAs into the system pool
|
||||
cfRootCA, err := GetCloudflareRootCA()
|
||||
if err != nil {
|
||||
return nil, errors.Wrap(err, "could not append Cloudflare Root CAs to cloudflared certificate pool")
|
||||
}
|
||||
for _, cert := range cfRootCA {
|
||||
certPool.AddCert(cert)
|
||||
}
|
||||
|
||||
if originCAFilename == "" {
|
||||
return certPool, nil
|
||||
}
|
||||
|
||||
customOriginCA, err := ioutil.ReadFile(originCAFilename)
|
||||
if err != nil {
|
||||
return nil, errors.Wrap(err, fmt.Sprintf("unable to read the file %s", originCAFilename))
|
||||
}
|
||||
|
||||
if !certPool.AppendCertsFromPEM(customOriginCA) {
|
||||
return nil, fmt.Errorf("error appending custom CA to cert pool")
|
||||
}
|
||||
return pool, nil
|
||||
return certPool, nil
|
||||
}
|
||||
|
||||
func CreateTunnelConfig(c *cli.Context) (*tls.Config, error) {
|
||||
|
|
|
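Review bot: LoadCustomOriginCA is exported but carries no doc comment, and its trust scope is not obvious from the name: the returned pool always holds the system roots (or an empty pool when x509.SystemCertPool() fails) plus the Cloudflare root CAs from GetCloudflareRootCA(), and the PEM file named by originCAFilename is appended on top rather than replacing them, so a caller that passes a private origin CA still trusts every public root as well. A comment such as `// LoadCustomOriginCA returns a pool of the system roots and the Cloudflare root CAs; when originCAFilename is non-empty, the PEM certificates in that file are appended, extending rather than replacing the default trust set.` would make that explicit for the Service() callers changed in the two later hunks, which previously received a pool containing only the custom CAs. The error from x509.SystemCertPool() on the line after `// First, obtain the system certificate pool` is dropped without a log or a comment; presumably this is for platforms where the system pool is unavailable, so a line like `// Fall back to an empty pool when the system pool is unavailable; the Cloudflare roots are added below.` would record the intent. The error at `fmt.Errorf("error appending custom CA to cert pool")` would also be more useful with the file name, e.g. `fmt.Errorf("no certificates could be parsed from %s", originCAFilename)`. LoadOriginCA begins before this hunk and CreateTunnelConfig continues past it.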
@ -180,7 +180,7 @@ func (up *UnixPath) Addr() string {
|
|||
}
|
||||
|
||||
func (hc *HTTPOriginConfig) Service() (originservice.OriginService, error) {
|
||||
rootCAs, err := tlsconfig.LoadCustomCertPool(hc.OriginCAPool)
|
||||
rootCAs, err := tlsconfig.LoadCustomOriginCA(hc.OriginCAPool)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
@ -220,7 +220,7 @@ type WebSocketOriginConfig struct {
|
|||
}
|
||||
|
||||
func (wsc *WebSocketOriginConfig) Service() (originservice.OriginService, error) {
|
||||
rootCAs, err := tlsconfig.LoadCustomCertPool(wsc.OriginCAPool)
|
||||
rootCAs, err := tlsconfig.LoadCustomOriginCA(wsc.OriginCAPool)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
|