forked from sloum/bombadillo
Handles cert expirations silently
This commit is contained in:
sloum
parent
36ae4a228f
commit
cb151f75aa
|
|
@ -49,8 +49,8 @@ func (t *TofuDigest) Purge(host string) error {
|
||||||
return fmt.Errorf("Invalid host %q", host)
|
return fmt.Errorf("Invalid host %q", host)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (t *TofuDigest) Add(host, hash string) {
|
func (t *TofuDigest) Add(host, hash string, time int64) {
|
||||||
t.certs[strings.ToLower(host)] = hash
|
t.certs[strings.ToLower(host)] = fmt.Sprintf("%s|%d", hash, time)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (t *TofuDigest) Exists(host string) bool {
|
func (t *TofuDigest) Exists(host string) bool {
|
||||||
|
|
@ -70,9 +70,10 @@ func (t *TofuDigest) Find(host string) (string, error) {
|
||||||
func (t *TofuDigest) Match(host string, cState *tls.ConnectionState) error {
|
func (t *TofuDigest) Match(host string, cState *tls.ConnectionState) error {
|
||||||
host = strings.ToLower(host)
|
host = strings.ToLower(host)
|
||||||
now := time.Now()
|
now := time.Now()
|
||||||
|
localCert := strings.SplitN(t.certs[host], "|", -1)[0]
|
||||||
|
|
||||||
for _, cert := range cState.PeerCertificates {
|
for _, cert := range cState.PeerCertificates {
|
||||||
if t.certs[host] != hashCert(cert.Raw) {
|
if localCert != hashCert(cert.Raw) {
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -118,7 +119,7 @@ func (t *TofuDigest) newCert(host string, cState *tls.ConnectionState) error {
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
|
|
||||||
t.Add(host, hashCert(cert.Raw))
|
t.Add(host, hashCert(cert.Raw), cert.NotAfter.Unix())
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -132,6 +133,14 @@ func (t *TofuDigest) IniDump() string {
|
||||||
var out strings.Builder
|
var out strings.Builder
|
||||||
out.WriteString("[CERTS]\n")
|
out.WriteString("[CERTS]\n")
|
||||||
for k, v := range t.certs {
|
for k, v := range t.certs {
|
||||||
|
vals := strings.SplitN(v, "|", -1)
|
||||||
|
now := time.Now()
|
||||||
|
if len(vals) > 1 {
|
||||||
|
ts, err := strconv.ParseInt(vals[1], 10, 64)
|
||||||
|
if err != nil || now.Unix() > ts {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
}
|
||||||
out.WriteString(k)
|
out.WriteString(k)
|
||||||
out.WriteString("=")
|
out.WriteString("=")
|
||||||
out.WriteString(v)
|
out.WriteString(v)
|
||||||
|
|
|
||||||
17
main.go
17
main.go
|
|
@ -25,8 +25,10 @@ import (
|
||||||
"os"
|
"os"
|
||||||
"os/signal"
|
"os/signal"
|
||||||
"path/filepath"
|
"path/filepath"
|
||||||
|
"strconv"
|
||||||
"strings"
|
"strings"
|
||||||
"syscall"
|
"syscall"
|
||||||
|
"time"
|
||||||
|
|
||||||
"tildegit.org/sloum/bombadillo/config"
|
"tildegit.org/sloum/bombadillo/config"
|
||||||
"tildegit.org/sloum/bombadillo/cui"
|
"tildegit.org/sloum/bombadillo/cui"
|
||||||
|
|
@ -132,7 +134,20 @@ func loadConfig() {
|
||||||
}
|
}
|
||||||
|
|
||||||
for _, v := range settings.Certs {
|
for _, v := range settings.Certs {
|
||||||
bombadillo.Certs.Add(v.Key, v.Value)
|
// Remove expired certs
|
||||||
|
vals := strings.SplitN(v.Value, "|", -1)
|
||||||
|
if len(vals) < 2 {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
ts, err := strconv.ParseInt(vals[1], 10, 64)
|
||||||
|
now := time.Now()
|
||||||
|
if err != nil || now.Unix() > ts {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
// Satisfied that the cert is not expired
|
||||||
|
// or malformed: add to the current client
|
||||||
|
// instance
|
||||||
|
bombadillo.Certs.Add(v.Key, vals[0], ts)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue