TUN-1982: Load custom origin CA when OriginCAPool is specified

This commit is contained in:
Chung-Ting Huang 2019-06-20 19:29:18 -05:00
parent 2fa09e1cc6
commit c2a3ac3991
2 changed files with 27 additions and 8 deletions

View File

@ -89,16 +89,35 @@ func LoadOriginCA(c *cli.Context, logger *logrus.Logger) (*x509.CertPool, error)
return originCertPool, nil return originCertPool, nil
} }
func LoadCustomCertPool(customCertFilename string) (*x509.CertPool, error) { func LoadCustomOriginCA(originCAFilename string) (*x509.CertPool, error) {
pool := x509.NewCertPool() // First, obtain the system certificate pool
customCAPoolPEM, err := ioutil.ReadFile(customCertFilename) certPool, err := x509.SystemCertPool()
if err != nil { if err != nil {
return nil, errors.Wrap(err, fmt.Sprintf("unable to read the file %s", customCertFilename)) certPool = x509.NewCertPool()
} }
if !pool.AppendCertsFromPEM(customCAPoolPEM) {
// Next, append the Cloudflare CAs into the system pool
cfRootCA, err := GetCloudflareRootCA()
if err != nil {
return nil, errors.Wrap(err, "could not append Cloudflare Root CAs to cloudflared certificate pool")
}
for _, cert := range cfRootCA {
certPool.AddCert(cert)
}
if originCAFilename == "" {
return certPool, nil
}
customOriginCA, err := ioutil.ReadFile(originCAFilename)
if err != nil {
return nil, errors.Wrap(err, fmt.Sprintf("unable to read the file %s", originCAFilename))
}
if !certPool.AppendCertsFromPEM(customOriginCA) {
return nil, fmt.Errorf("error appending custom CA to cert pool") return nil, fmt.Errorf("error appending custom CA to cert pool")
} }
return pool, nil return certPool, nil
} }
func CreateTunnelConfig(c *cli.Context) (*tls.Config, error) { func CreateTunnelConfig(c *cli.Context) (*tls.Config, error) {

View File

@ -180,7 +180,7 @@ func (up *UnixPath) Addr() string {
} }
func (hc *HTTPOriginConfig) Service() (originservice.OriginService, error) { func (hc *HTTPOriginConfig) Service() (originservice.OriginService, error) {
rootCAs, err := tlsconfig.LoadCustomCertPool(hc.OriginCAPool) rootCAs, err := tlsconfig.LoadCustomOriginCA(hc.OriginCAPool)
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -220,7 +220,7 @@ type WebSocketOriginConfig struct {
} }
func (wsc *WebSocketOriginConfig) Service() (originservice.OriginService, error) { func (wsc *WebSocketOriginConfig) Service() (originservice.OriginService, error) {
rootCAs, err := tlsconfig.LoadCustomCertPool(wsc.OriginCAPool) rootCAs, err := tlsconfig.LoadCustomOriginCA(wsc.OriginCAPool)
if err != nil { if err != nil {
return nil, err return nil, err
} }