lib/httpserver: move the code, which creates tls.Config, into lib/netutil/tls.go

This syncs the corresponding code with cluster branch
2026-05-17 08:36:55 +03:00 · 2022-04-16 15:51:34 +03:00
parent 7e4bdf31ba
commit 7810375c5f
8 changed files with 98 additions and 61 deletions
--- a/lib/httpserver/httpserver.go
+++ b/lib/httpserver/httpserver.go
@@ -91,44 +91,17 @@ func Serve(addr string, rh RequestHandler) {
 	}
 	logger.Infof("starting http server at %s://%s/", scheme, hostAddr)
 	logger.Infof("pprof handlers are exposed at %s://%s/debug/pprof/", scheme, hostAddr)
-	lnTmp, err := netutil.NewTCPListener(scheme, addr)
-	if err != nil {
-		logger.Fatalf("cannot start http server at %s: %s", addr, err)
-	}
-	ln := net.Listener(lnTmp)
-
+	var tlsConfig *tls.Config
 	if *tlsEnable {
-		var certLock sync.Mutex
-		var certDeadline uint64
-		var cert *tls.Certificate
-		c, err := tls.LoadX509KeyPair(*tlsCertFile, *tlsKeyFile)
+		tc, err := netutil.GetServerTLSConfig("", *tlsCertFile, *tlsKeyFile, *tlsCipherSuites)
 		if err != nil {
 			logger.Fatalf("cannot load TLS cert from -tlsCertFile=%q, -tlsKeyFile=%q: %s", *tlsCertFile, *tlsKeyFile, err)
 		}
-		cipherSuites, err := cipherSuitesFromNames(*tlsCipherSuites)
-		if err != nil {
-			logger.Fatalf("cannot use TLS cipher suites from -tlsCipherSuites=%q: %s", *tlsCipherSuites, err)
-		}
-		cert = &c
-		cfg := &tls.Config{
-			MinVersion:               tls.VersionTLS12,
-			PreferServerCipherSuites: true,
-			GetCertificate: func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
-				certLock.Lock()
-				defer certLock.Unlock()
-				if fasttime.UnixTimestamp() > certDeadline {
-					c, err = tls.LoadX509KeyPair(*tlsCertFile, *tlsKeyFile)
-					if err != nil {
-						return nil, fmt.Errorf("cannot load TLS cert from -tlsCertFile=%q, -tlsKeyFile=%q: %w", *tlsCertFile, *tlsKeyFile, err)
-					}
-					certDeadline = fasttime.UnixTimestamp() + 1
-					cert = &c
-				}
-				return cert, nil
-			},
-			CipherSuites: cipherSuites,
-		}
-		ln = tls.NewListener(ln, cfg)
+		tlsConfig = tc
+	}
+	ln, err := netutil.NewTCPListener(scheme, addr, tlsConfig)
+	if err != nil {
+		logger.Fatalf("cannot start http server at %s: %s", addr, err)
 	}
 	serveWithListener(addr, ln, rh)
 }
@@ -693,23 +666,3 @@ func GetRequestURI(r *http.Request) string {
 	}
 	return requestURI + delimiter + queryArgs
 }
-
-func cipherSuitesFromNames(cipherSuiteNames []string) ([]uint16, error) {
-	if len(cipherSuiteNames) == 0 {
-		return nil, nil
-	}
-	css := tls.CipherSuites()
-	cssMap := make(map[string]uint16, len(css))
-	for _, cs := range css {
-		cssMap[strings.ToLower(cs.Name)] = cs.ID
-	}
-	cipherSuites := make([]uint16, 0, len(cipherSuiteNames))
-	for _, name := range cipherSuiteNames {
-		id, ok := cssMap[strings.ToLower(name)]
-		if !ok {
-			return nil, fmt.Errorf("unsupported TLS cipher suite name: %s", name)
-		}
-		cipherSuites = append(cipherSuites, id)
-	}
-	return cipherSuites, nil
-}
--- a/lib/httpserver/httpserver_test.go
+++ b/lib/httpserver/httpserver_test.go
@@ -1,78 +0,0 @@
-package httpserver
-
-import (
-	"reflect"
-	"testing"
-)
-
-func TestCipherSuitesFromNames(t *testing.T) {
-	type args struct {
-		definedCipherSuites []string
-	}
-	tests := []struct {
-		name    string
-		args    args
-		want    []uint16
-		wantErr bool
-	}{
-		{
-			name: "empty cipher suites",
-			args: args{definedCipherSuites: []string{}},
-			want: nil,
-		},
-		{
-			name:    "got wrong string",
-			args:    args{definedCipherSuites: []string{"word"}},
-			want:    nil,
-			wantErr: true,
-		},
-		{
-			name:    "got wrong number",
-			args:    args{definedCipherSuites: []string{"123"}},
-			want:    nil,
-			wantErr: true,
-		},
-		{
-			name:    "got correct string cipher suite",
-			args:    args{definedCipherSuites: []string{"TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA"}},
-			want:    []uint16{0x2f, 0x35},
-			wantErr: false,
-		},
-		{
-			name:    "got correct string with different cases (upper and lower) cipher suite",
-			args:    args{definedCipherSuites: []string{"tls_rsa_with_aes_128_cbc_sha", "TLS_RSA_WITH_AES_256_CBC_SHA"}},
-			want:    []uint16{0x2f, 0x35},
-			wantErr: false,
-		},
-		{
-			name:    "got correct number cipher suite",
-			args:    args{definedCipherSuites: []string{"0x2f", "0x35"}},
-			want:    nil,
-			wantErr: true,
-		},
-		{
-			name:    "got insecure number cipher suite",
-			args:    args{definedCipherSuites: []string{"0x0005", "0x000a"}},
-			want:    nil,
-			wantErr: true,
-		},
-		{
-			name:    "got insecure string cipher suite",
-			args:    args{definedCipherSuites: []string{"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", "TLS_ECDHE_RSA_WITH_RC4_128_SHA"}},
-			want:    nil,
-			wantErr: true,
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			got, err := cipherSuitesFromNames(tt.args.definedCipherSuites)
-			if (err != nil) != tt.wantErr {
-				t.Errorf("cipherSuitesFromNames() error = %v, wantErr %v", err, tt.wantErr)
-				return
-			}
-			if !reflect.DeepEqual(got, tt.want) {
-				t.Errorf("validateCipherSuites() got = %v, want %v", got, tt.want)
-			}
-		})
-	}
-}