本文整理汇总了Golang中crypto/tls.Config.SessionTicketsDisabled方法的典型用法代码示例。如果您正苦于以下问题:Golang Config.SessionTicketsDisabled方法的具体用法?Golang Config.SessionTicketsDisabled怎么用?Golang Config.SessionTicketsDisabled使用的例子?那么恭喜您, 这里精选的方法代码示例或许可以为您提供帮助。您也可以进一步了解该方法所在类crypto/tls.Config的用法示例。
在下文中一共展示了Config.SessionTicketsDisabled方法的4个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Golang代码示例。
示例1: initConfig
// initConfig prepares config for use with the logger: it clears the collected
// log, replaces config.Rand with a logging wrapper (kept in l.logRand so the
// wrapper can be inspected later), forces session tickets on, and installs a
// one-entry LRU client session cache when the caller has not supplied one.
// Presumably the single-entry cache exists so that a resumed handshake can be
// exercised and logged — confirm against the callers of this method.
func (l *TLSLog) initConfig(config *tls.Config) {
	l.log = ""

	wrapped := newLogRand(config.Rand)
	l.logRand = wrapped
	config.Rand = wrapped

	// Tickets must be enabled for any resumption to happen at all.
	config.SessionTicketsDisabled = false

	if config.ClientSessionCache != nil {
		return
	}
	config.ClientSessionCache = tls.NewLRUClientSessionCache(1)
}
示例2: standaloneTLSTicketKeyRotation
// standaloneTLSTicketKeyRotation maintains the ring of TLS session ticket keys
// installed on c. On every tick a fresh 32-byte key is read from c.Rand
// (crypto/rand.Reader when c.Rand is nil) and placed at index 0, the slot the
// TLS stack uses to encrypt new tickets; older keys move one position towards
// the back, where they are considered for decryption only, and once the ring
// holds NumTickets keys the oldest one drops off the end.
//
// If no entropy is available for the very first key, session tickets are
// disabled on c (as crypto/tls itself does) and the function returns. A later
// entropy failure keeps the current key at the front (it is then also present
// at index 1) but still ages the rest, so stale keys are phased out even when
// no replacement could be generated.
//
// The function blocks until exitChan is closed; a value sent on exitChan
// without closing it is ignored. The ticker is stopped on return.
//
// NOTE(review): the key material in the ring (and the copy crypto/tls keeps)
// lives in ordinary heap memory and is never wiped — the original author notes
// that Go offers no mlock/madvise(NODUMP) here without syscall. Also,
// c.SessionTicketsDisabled is written from this goroutine; if c is already in
// use by listeners, that write races with handshakes — confirm with the caller
// that c is installed only after this function has produced its first key.
func standaloneTLSTicketKeyRotation(c *tls.Config, ticker *time.Ticker, exitChan chan struct{}) {
	defer ticker.Stop()

	// c.Rand may be (re)assigned after we start, so it is re-read on every use.
	entropy := func() io.Reader {
		if c.Rand != nil {
			return c.Rand
		}
		return rand.Reader
	}

	ring := make([][32]byte, 1, NumTickets)
	if _, err := io.ReadFull(entropy(), ring[0][:]); err != nil {
		// Without entropy for the first key, fall back to no tickets at all.
		c.SessionTicketsDisabled = true
		return
	}
	// SetSessionTicketKeys alone does not mark the legacy field as set
	// ('tls.keysAlreadySet'), so the first key is mirrored into it.
	c.SessionTicketKey = ring[0]
	c.SetSessionTicketKeys(setSessionTicketKeysTestHook(ring))

	for {
		select {
		case _, open := <-exitChan:
			if open {
				continue
			}
			return
		case <-ticker.C:
			var fresh [32]byte
			_, readErr := io.ReadFull(entropy(), fresh[:])

			// Grow the ring by one slot until it holds NumTickets keys; the
			// appended value is a placeholder that the shift below overwrites.
			if len(ring) < NumTickets {
				ring = append(ring, ring[0])
			}
			// Age every key by one position (copy handles the overlap); the
			// last key falls off the end whether or not a new one arrived.
			copy(ring[1:], ring[:len(ring)-1])
			if readErr == nil {
				ring[0] = fresh
			}
			c.SetSessionTicketKeys(setSessionTicketKeysTestHook(ring))
		}
	}
}
示例3: setupTLSConfig
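// caBundleError is a plain string error type so that this file needs no
// additional imports to report a bad CA bundle.
type caBundleError string

func (e caBundleError) Error() string { return string(e) }

// errNoCACerts is returned by setupTLSConfig when the CA bundle contains no
// parseable PEM certificate.
var errNoCACerts = caBundleError("setupTLSConfig: no certificates found in CA bundle")

// setupTLSConfig returns a tls.Config for a credential set: cert and key are
// the PEM-encoded certificate and private key presented by this side, ca is
// the PEM-encoded CA bundle used both to verify peers we connect to (RootCAs)
// and to verify the client certificates we require (ClientCAs).
//
// The returned config pins TLS 1.2 as the minimum version, requires and
// verifies a client certificate, disables session tickets, and limits
// negotiation to the explicit cipher-suite list below. An error is returned
// when ca holds no parseable certificate (errNoCACerts) or when cert/key do
// not form a valid key pair; the config is nil in that case, so a caller can
// never pick up a half-built config by mistake.
func setupTLSConfig(cert []byte, key []byte, ca []byte) (*tls.Config, error) {
	certPool := x509.NewCertPool()
	// AppendCertsFromPEM reports whether anything was added. An empty pool
	// would make every peer verification fail, so surface it as an error
	// instead of silently continuing.
	if !certPool.AppendCertsFromPEM(ca) {
		return nil, errNoCACerts
	}

	keypair, err := tls.X509KeyPair(cert, key)
	if err != nil {
		return nil, err
	}

	var tlsConfig tls.Config
	// Explicit cipher-suite allow-list, kept exactly as the author chose it.
	// NOTE(review): the TLS_RSA_* entries use static RSA key exchange and so
	// provide no forward secrecy, and the *_CBC_SHA entries are CBC-mode
	// suites; only the two GCM suites match what "modern" usually means.
	// Trimming the list is a deployment/interoperability decision, so it is
	// left unchanged here.
	tlsConfig.CipherSuites = []uint16{
		tls.TLS_RSA_WITH_AES_128_CBC_SHA,
		tls.TLS_RSA_WITH_AES_256_CBC_SHA,
		tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
		tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
		tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
		tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	}
	// Refuse anything below TLS 1.2.
	tlsConfig.MinVersion = tls.VersionTLS12
	// Disable session tickets, so sessions are not resumed.
	tlsConfig.SessionTicketsDisabled = true

	// The same bundle verifies servers we dial and clients that connect to us.
	tlsConfig.RootCAs = certPool
	tlsConfig.ClientCAs = certPool
	tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
	tlsConfig.Certificates = []tls.Certificate{keypair}
	return &tlsConfig, nil
}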
示例4: process
//.........这里部分代码省略.........
// stalled conversations are always slow, even if -S is not set.
// TODO: make them even slower than this? I probably don't care.
if goslow || stall {
cfg.Delay = time.Second / 10
}
// Don't offer TLS to hosts that have too many TLS failures.
// We give hosts *two* tries at setting up TLS because some
// hosts start by offering SSLv2, which is an instant-fail,
// even if they support stuff that we do. We hope that their
// SSLv2 failure will cause them to try again in another
// connection with TLS only.
// See https://code.google.com/p/go/issues/detail?id=3930
blocktls, blcount := notls.Lookup(trans.rip, tlsTimeout)
if len(certs) > 0 && !(blocktls && blcount >= 2) {
var tlsc tls.Config
tlsc.Certificates = certs
// if there is already one TLS failure for this host,
// it might be because of a bad client certificate.
// so on the second time around we don't ask for one.
// (More precisely we only ask for a client cert if
// there are no failures so far.)
// Another reason for failure here is a SSLv3 only
// host without a client certificate. This produces
// the error:
// tls: received unexpected handshake message of type *tls.clientKeyExchangeMsg when waiting for *tls.certificateMsg
//if blcount == 0 {
// tlsc.ClientAuth = tls.VerifyClientCertIfGiven
//}
// Now generally disabled since I discovered it causes
// SSLv3 handshakes to always fail. TODO: better fix with
// config-file control or something.
tlsc.SessionTicketsDisabled = true
tlsc.ServerName = sname
tlsc.BuildNameToCertificate()
cfg.TLSConfig = &tlsc
}
// With everything set up we can now create the connection.
convo = smtpd.NewConn(nc, cfg, l2)
// Yes, we do rDNS lookup before our initial greeting banner and
// thus can pause a bit here. Clients will cope, or at least we
// don't care if impatient ones don't.
trans.rdns, _ = LookupAddrVerified(trans.rip)
// Check for an immediate result on the initial connection. This
// may disable TLS or refuse things immediately.
if decider(pConnect, evt, c, convo, "") {
// TODO: somehow write a message and maybe log it.
// this probably needs smtpd.go cooperation.
// Right now we just close abruptly.
if !stall {
writeLog(logger, "! %s dropped on connect due to rule at %s\n", trans.rip, time.Now().Format(smtpd.TimeFmt))
}
return
}
// Main transaction loop. We gather up email messages as they come
// in, possibly failing various operations as we're told to.
for {
evt = convo.Next()
switch evt.What {
case smtpd.COMMAND:
switch evt.Cmd {