- Go 97.7%
- Makefile 2.3%
|
|
||
|---|---|---|
| .github | ||
| test-fixtures | ||
| .go-version | ||
| .golangci.yml | ||
| .travis.yml | ||
| CHANGELOG.md | ||
| doc.go | ||
| go.mod | ||
| go.sum | ||
| LICENSE | ||
| Makefile | ||
| README.md | ||
| rootcerts.go | ||
| rootcerts_base.go | ||
| rootcerts_darwin.go | ||
| rootcerts_darwin_test.go | ||
| rootcerts_test.go | ||
rootcerts
Functions for loading root certificates for TLS connections.
Go's standard library crypto/tls provides a common mechanism for configuring
TLS connections in tls.Config. The RootCAs field on this struct is a pool
of certificates for the client to use as a trust store when verifying server
certificates.
This library contains utility functions for loading certificates destined for that field, as well as one other important thing:
When the RootCAs field is nil, the standard library attempts to load the
host's root CA set. This behavior is OS-specific, and the Darwin
implementation contains a bug that prevents trusted certificates from the
System and Login keychains from being loaded. This library contains
Darwin-specific behavior that works around that bug.
Example Usage
Here's a snippet demonstrating how this library is meant to be used:
func httpClient() (*http.Client, error)
tlsConfig := &tls.Config{}
err := rootcerts.ConfigureTLS(tlsConfig, &rootcerts.Config{
CAFile: os.Getenv("MYAPP_CAFILE"),
CAPath: os.Getenv("MYAPP_CAPATH"),
CACertificate: []byte(os.Getenv("MYAPP_CERTIFICATE")),
})
if err != nil {
return nil, err
}
c := cleanhttp.DefaultClient()
t := cleanhttp.DefaultTransport()
t.TLSClientConfig = tlsConfig
c.Transport = t
return c, nil
}