Bump go connections for 17.04 and use either system pool or custom CA pool when connecting from client->daemon [17.04]
@@ -250,8 +250,9 @@ func newHTTPClient(host string, tlsOptions *tlsconfig.Options) (*http.Client, er |
| 250 | 250 |
// let the api client configure the default transport. |
| 251 | 251 |
return nil, nil |
| 252 | 252 |
} |
| 253 |
- |
|
| 254 |
- config, err := tlsconfig.Client(*tlsOptions) |
|
| 253 |
+ opts := *tlsOptions |
|
| 254 |
+ opts.ExclusiveRootPools = true |
|
| 255 |
+ config, err := tlsconfig.Client(opts) |
|
| 255 | 256 |
if err != nil {
|
| 256 | 257 |
return nil, err |
| 257 | 258 |
} |
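Review bot: The new `opts.ExclusiveRootPools = true` line carries no comment explaining the change in trust semantics, and it is the only place on this page where the flag is switched on. Suggest `// A user-supplied CA file replaces the system roots instead of extending them; with no CA file the system pool is used.` directly above it. Copying `*tlsOptions` into `opts` before setting the flag keeps the caller's options untouched, which is right; the nil check that presumably precedes the dereference and the rest of newHTTPClient lie outside the hunk.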
@@ -17,7 +17,7 @@ github.com/vdemeester/shakers 24d7f1d6a71aa5d9cbe7390e4afb66b7eef9e1b3 |
| 17 | 17 |
golang.org/x/net c427ad74c6d7a814201695e9ffde0c5d400a7674 |
| 18 | 18 |
golang.org/x/sys 8f0908ab3b2457e2e15403d3697c9ef5cb4b57a9 |
| 19 | 19 |
github.com/docker/go-units 9e638d38cf6977a37a8ea0078f3ee75a7cdb2dd1 |
| 20 |
-github.com/docker/go-connections 7da10c8c50cad14494ec818dcdfb6506265c0086 |
|
| 20 |
+github.com/docker/go-connections d217f8e36aba4dbc397981e692a65d3f13b9a46d |
|
| 21 | 21 |
golang.org/x/text f72d8390a633d5dfb0cc84043294db9f6c935756 |
| 22 | 22 |
|
| 23 | 23 |
github.com/RackSec/srslog 456df3a81436d29ba874f3590eeeee25d666f8a5 |
@@ -29,6 +29,11 @@ type Options struct {
|
| 29 | 29 |
InsecureSkipVerify bool |
| 30 | 30 |
// server-only option |
| 31 | 31 |
ClientAuth tls.ClientAuthType |
| 32 |
+ |
|
| 33 |
+ // If ExclusiveRootPools is set, then if a CA file is provided, the root pool used for TLS |
|
| 34 |
+ // creds will include exclusively the roots in that CA file. If no CA file is provided, |
|
| 35 |
+ // the system pool will be used. |
|
| 36 |
+ ExclusiveRootPools bool |
|
| 32 | 37 |
} |
| 33 | 38 |
|
| 34 | 39 |
// Extra (server-side) accepted CBC cipher suites - will phase out in the future |
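Review bot: The doc comment on the new ExclusiveRootPools field does not begin with the field name, which is the Go convention and what godoc keys on, and it only describes "the root pool used for TLS creds" although the Server hunk further down (`certPool(options.CAFile, options.ExclusiveRootPools)` under `ClientAuth >= tls.VerifyClientCertIfGiven`) applies the same flag to the pool Server builds for client-certificate verification. Suggest `// ExclusiveRootPools, when set, makes a provided CA file the only source of roots, both for the client's RootCAs and for the pool Server uses to verify client certificates; with no CA file the system pool is used.` The rest of the Options struct is outside the hunk.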
@@ -66,11 +71,19 @@ func ClientDefault() *tls.Config {
|
| 66 | 66 |
} |
| 67 | 67 |
|
| 68 | 68 |
// certPool returns an X.509 certificate pool from `caFile`, the certificate file. |
| 69 |
-func certPool(caFile string) (*x509.CertPool, error) {
|
|
| 69 |
+func certPool(caFile string, exclusivePool bool) (*x509.CertPool, error) {
|
|
| 70 | 70 |
// If we should verify the server, we need to load a trusted ca |
| 71 |
- certPool, err := SystemCertPool() |
|
| 72 |
- if err != nil {
|
|
| 73 |
- return nil, fmt.Errorf("failed to read system certificates: %v", err)
|
|
| 71 |
+ var ( |
|
| 72 |
+ certPool *x509.CertPool |
|
| 73 |
+ err error |
|
| 74 |
+ ) |
|
| 75 |
+ if exclusivePool {
|
|
| 76 |
+ certPool = x509.NewCertPool() |
|
| 77 |
+ } else {
|
|
| 78 |
+ certPool, err = SystemCertPool() |
|
| 79 |
+ if err != nil {
|
|
| 80 |
+ return nil, fmt.Errorf("failed to read system certificates: %v", err)
|
|
| 81 |
+ } |
|
| 74 | 82 |
} |
| 75 | 83 |
pem, err := ioutil.ReadFile(caFile) |
| 76 | 84 |
if err != nil {
|
@@ -88,7 +101,7 @@ func Client(options Options) (*tls.Config, error) {
|
| 88 | 88 |
tlsConfig := ClientDefault() |
| 89 | 89 |
tlsConfig.InsecureSkipVerify = options.InsecureSkipVerify |
| 90 | 90 |
if !options.InsecureSkipVerify && options.CAFile != "" {
|
| 91 |
- CAs, err := certPool(options.CAFile) |
|
| 91 |
+ CAs, err := certPool(options.CAFile, options.ExclusiveRootPools) |
|
| 92 | 92 |
if err != nil {
|
| 93 | 93 |
return nil, err |
| 94 | 94 |
} |
@@ -119,7 +132,7 @@ func Server(options Options) (*tls.Config, error) {
|
| 119 | 119 |
} |
| 120 | 120 |
tlsConfig.Certificates = []tls.Certificate{tlsCert}
|
| 121 | 121 |
if options.ClientAuth >= tls.VerifyClientCertIfGiven && options.CAFile != "" {
|
| 122 |
- CAs, err := certPool(options.CAFile) |
|
| 122 |
+ CAs, err := certPool(options.CAFile, options.ExclusiveRootPools) |
|
| 123 | 123 |
if err != nil {
|
| 124 | 124 |
return nil, err |
| 125 | 125 |
} |
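Review bot: With ExclusiveRootPools left false, the pool Server builds here for `ClientAuth >= tls.VerifyClientCertIfGiven` starts from the system roots plus the CA file, so a client certificate chaining to any public root would presumably pass once this pool is installed as the client-CA set (that assignment is below the hunk). That is pre-existing behaviour and the new flag is the remedy for it, but nothing on this page sets the flag on the server path, so the default remains the wide one. A short comment at the call site would make the trust boundary explicit, e.g. `// Without ExclusiveRootPools the client-cert pool also contains every system root.` The remainder of Server is outside the hunk.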