func newSecureSessionClient()

in client/securesession/securesession.go [229:272]


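// newSecureSessionClient builds a SecureSessionClient for the EKM at addr,
// authenticating with authToken, and starts the inner TLS handshake over the
// transport shim in the background.
//
// httpCertPool is handed to the ConfidentialEKMClient as its CertPool and is
// also used as RootCAs for the inner TLS session. When skipTLSVerify is true
// the inner TLS session disables certificate and hostname verification
// (InsecureSkipVerify); this is intended for testing only and is logged as a
// warning. Otherwise the ServerName used for verification is the hostname of
// addr, which must therefore parse as a URL with a non-empty host — otherwise
// the handshake would only fail later, asynchronously, inside the goroutine.
//
// The handshake goroutine records handshakeFailed in c.handshakeState on
// error and only logs the error itself; on success it logs and leaves
// handshakeState as stored here (handshakeInitiated).
//
// Returns an error if addr cannot be parsed or, when verification is
// enabled, yields no hostname to verify against.
func newSecureSessionClient(addr, authToken string, httpCertPool *x509.CertPool, skipTLSVerify bool) (*SecureSessionClient, error) {
	c := &SecureSessionClient{}

	c.client = ekmclient.ConfidentialEKMClient{URI: addr, AuthToken: authToken, CertPool: httpCertPool}
	c.shim = transportshim.NewTransportShim()
	c.handshakeState = &atomic.Value{}

	cfg := &tls.Config{
		CipherSuites: constants.AllowableCipherSuites,
		MinVersion:   tls.VersionTLS12,
		MaxVersion:   tls.VersionTLS13,
		RootCAs:      httpCertPool,
	}

	// If in testing mode, skip verification. Otherwise, set ServerName based on key URI.
	if skipTLSVerify {
		cfg.InsecureSkipVerify = true
		glog.Warningln("Skipping inner TLS verification.")
	} else {
		u, err := url.Parse(addr)
		if err != nil {
			return nil, fmt.Errorf("failed to parse address for secure session client: %w", err)
		}
		// An empty ServerName with verification enabled is rejected by crypto/tls
		// at handshake time; surface that misconfiguration here instead.
		host := u.Hostname()
		if host == "" {
			return nil, fmt.Errorf("address %q for secure session client has no hostname for inner TLS verification", addr)
		}
		cfg.ServerName = host
	}

	c.tls = tls.Client(c.shim, cfg)

	// Kick off inner TLS session handshake and wait for a write.
	c.handshakeState.Store(handshakeInitiated)
	go func() {
		if err := c.tls.Handshake(); err != nil {
			glog.Errorf("Inner TLS handshake failed: %v", err)
			c.handshakeState.Store(handshakeFailed)
			return
		}
		glog.Infof("Inner TLS handshake succeeded")
	}()

	// Set state.
	c.state = clientStateUninitialized

	return c, nil
}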