Skip to content

Commit

Permalink
Support NonTLS option for testing purpose only. (#67)
Browse files Browse the repository at this point in the history
* server changes

* remove opts declaration

* working server with noTLS

* add proper spaceing

* fix build failure
  • Loading branch information
pra-moh authored Feb 3, 2021
1 parent 915c71f commit c9a0cb2
Showing 1 changed file with 31 additions and 26 deletions.
57 changes: 31 additions & 26 deletions telemetry/telemetry.go
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@ var (
serverCert = flag.String("server_crt", "", "TLS server certificate")
serverKey = flag.String("server_key", "", "TLS server private key")
insecure = flag.Bool("insecure", false, "Skip providing TLS cert and key, for testing only!")
noTLS = flag.Bool("noTLS", false, "disable TLS, for testing only!")
allowNoClientCert = flag.Bool("allow_no_client_auth", false, "When set, telemetry server will request but not require a client certificate.")
)

Expand All @@ -32,46 +33,50 @@ func main() {
log.Errorf("port must be > 0.")
return
}
var certificate tls.Certificate
var err error

if *insecure {
certificate, err = testcert.NewCert()
if err != nil {
log.Exitf("could not load server key pair: %s", err)
}
} else {
switch {
case *serverCert == "":
log.Errorf("serverCert must be set.")
return
case *serverKey == "":
log.Errorf("serverKey must be set.")
return
}
certificate, err = tls.LoadX509KeyPair(*serverCert, *serverKey)
if err != nil {
log.Exitf("could not load server key pair: %s", err)
cfg := &gnmi.Config{}
cfg.Port = int64(*port)
var opts []grpc.ServerOption

if !*noTLS {
var certificate tls.Certificate
var err error
if *insecure {
certificate, err = testcert.NewCert()
if err != nil {
log.Exitf("could not load server key pair: %s", err)
}
} else {
switch {
case *serverCert == "":
log.Errorf("serverCert must be set.")
return
case *serverKey == "":
log.Errorf("serverKey must be set.")
return
}
certificate, err = tls.LoadX509KeyPair(*serverCert, *serverKey)
if err != nil {
log.Exitf("could not load server key pair: %s", err)
}
}
}

tlsCfg := &tls.Config{
tlsCfg := &tls.Config{
ClientAuth: tls.RequireAndVerifyClientCert,
Certificates: []tls.Certificate{certificate},
MinVersion: tls.VersionTLS12,
CurvePreferences: []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
PreferServerCipherSuites: true,
CipherSuites: []uint16{

tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
},

}

if *allowNoClientCert {
// RequestClientCert will ask client for a certificate but won't
// require it to proceed. If certificate is provided, it will be
Expand All @@ -91,9 +96,9 @@ func main() {
tlsCfg.ClientCAs = certPool
}

opts := []grpc.ServerOption{grpc.Creds(credentials.NewTLS(tlsCfg))}
cfg := &gnmi.Config{}
cfg.Port = int64(*port)
opts = []grpc.ServerOption{grpc.Creds(credentials.NewTLS(tlsCfg))}
}

s, err := gnmi.NewServer(cfg, opts)
if err != nil {
log.Errorf("Failed to create gNMI server: %v", err)
Expand Down

0 comments on commit c9a0cb2

Please sign in to comment.