Skip to content
This repository has been archived by the owner on Aug 31, 2022. It is now read-only.

Support NonTLS option for testing purpose only. #67

Merged
merged 5 commits into from
Feb 3, 2021
Merged

Support NonTLS option for testing purpose only. #67

Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
f7a81c9
server changes
pra-moh Feb 2, 2021
32cfa23
remove opts declaration
pra-moh Feb 2, 2021
379b292
working server with noTLS
pra-moh Feb 2, 2021
027be1e
add proper spaceing
pra-moh Feb 3, 2021
8423e87
fix build failure
pra-moh Feb 3, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
57 changes: 31 additions & 26 deletions telemetry/telemetry.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@ var (
serverCert = flag.String("server_crt", "", "TLS server certificate")
serverKey = flag.String("server_key", "", "TLS server private key")
insecure = flag.Bool("insecure", false, "Skip providing TLS cert and key, for testing only!")
noTLS = flag.Bool("noTLS", false, "disable TLS, for testing only!")
allowNoClientCert = flag.Bool("allow_no_client_auth", false, "When set, telemetry server will request but not require a client certificate.")
)

Expand All @@ -32,46 +33,50 @@ func main() {
log.Errorf("port must be > 0.")
return
}
var certificate tls.Certificate
var err error

if *insecure {
certificate, err = testcert.NewCert()
if err != nil {
log.Exitf("could not load server key pair: %s", err)
}
} else {
switch {
case *serverCert == "":
log.Errorf("serverCert must be set.")
return
case *serverKey == "":
log.Errorf("serverKey must be set.")
return
}
certificate, err = tls.LoadX509KeyPair(*serverCert, *serverKey)
if err != nil {
log.Exitf("could not load server key pair: %s", err)
cfg := &gnmi.Config{}
cfg.Port = int64(*port)
var opts []grpc.ServerOption

if !*noTLS {
var certificate tls.Certificate
var err error
if *insecure {
certificate, err = testcert.NewCert()
if err != nil {
log.Exitf("could not load server key pair: %s", err)
}
} else {
switch {
case *serverCert == "":
log.Errorf("serverCert must be set.")
return
case *serverKey == "":
log.Errorf("serverKey must be set.")
return
}
certificate, err = tls.LoadX509KeyPair(*serverCert, *serverKey)
if err != nil {
log.Exitf("could not load server key pair: %s", err)
}
}
}

tlsCfg := &tls.Config{
tlsCfg := &tls.Config{
ClientAuth: tls.RequireAndVerifyClientCert,
Certificates: []tls.Certificate{certificate},
MinVersion: tls.VersionTLS12,
CurvePreferences: []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
PreferServerCipherSuites: true,
CipherSuites: []uint16{

tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
},

}

if *allowNoClientCert {
// RequestClientCert will ask client for a certificate but won't
// require it to proceed. If certificate is provided, it will be
Expand All @@ -91,9 +96,9 @@ func main() {
tlsCfg.ClientCAs = certPool
}

opts := []grpc.ServerOption{grpc.Creds(credentials.NewTLS(tlsCfg))}
cfg := &gnmi.Config{}
cfg.Port = int64(*port)
opts = []grpc.ServerOption{grpc.Creds(credentials.NewTLS(tlsCfg))}
}

s, err := gnmi.NewServer(cfg, opts)
if err != nil {
log.Errorf("Failed to create gNMI server: %v", err)
Expand Down