in transport/tlscommon/tls_config.go [226:298]
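// makeVerifyConnection builds the tls.Config.VerifyConnection callback that
// enforces cfg.Verification, or returns nil when no custom callback is needed.
//
// The callback is only a meaningful security control when read together with
// how the caller sets tls.Config.InsecureSkipVerify (see the per-mode comments
// in this file):
//
//   - VerifyFull / VerifyCertificate: InsecureSkipVerify is true, so the
//     returned closure is the ONLY check performed on the peer's chain. It must
//     never return nil without having verified the chain.
//   - VerifyStrict: InsecureSkipVerify is false, so Go's standard library has
//     already validated chain and hostname before this callback runs; the
//     closure only adds the CA pin check and is omitted when no pin is set.
//   - anything else (e.g. VerifyNone): no callback at all.
//
// serverName is captured at construction time, so later changes to
// cfg.ServerName do not affect an already-built callback.
func makeVerifyConnection(cfg *TLSConfig) func(tls.ConnectionState) error {
	serverName := cfg.ServerName

	switch cfg.Verification {
	case VerifyFull:
		// Chain must be trusted by a configured CA (or CA pin) AND the leaf
		// must match the configured server name / IP.
		return func(cs tls.ConnectionState) error {
			if err := verifyPeerChainAgainstCA(cfg, cs); err != nil {
				return err
			}
			// A non-empty chain is guaranteed by verifyPeerChainAgainstCA,
			// so indexing the leaf here is safe.
			return verifyHostname(cs.PeerCertificates[0], serverName)
		}

	case VerifyCertificate:
		// Chain must be trusted by a configured CA (or CA pin); the hostname
		// and IP SANs are deliberately NOT checked in this mode.
		return func(cs tls.ConnectionState) error {
			return verifyPeerChainAgainstCA(cfg, cs)
		}

	case VerifyStrict:
		// Go's default verification (InsecureSkipVerify=false) has already
		// checked the chain against cfg.RootCAs and the hostname, and rejects
		// certificates with an empty SAN, so only the CA pin is left to check.
		if len(cfg.CASha256) == 0 {
			// NOTE(review): with no pin configured, cfg.CATrustedFingerprint is
			// never consulted by this callback in strict mode; whether the
			// fingerprinted CA is honoured then depends on it already being in
			// cfg.RootCAs before the handshake — confirm against trustRootCA
			// and the caller.
			return nil
		}
		return func(cs tls.ConnectionState) error {
			if cfg.CATrustedFingerprint != "" {
				if err := trustRootCA(cfg, cs.PeerCertificates); err != nil {
					return err
				}
			}
			// VerifiedChains is populated here because the standard library
			// performed the chain verification in this mode.
			return verifyCAPin(cfg.CASha256, cs.VerifiedChains)
		}
	}

	// VerifyNone or an unrecognised mode: no custom verification callback.
	return nil
}

// verifyPeerChainAgainstCA is the chain check shared by VerifyFull and
// VerifyCertificate. Because tls.Config.InsecureSkipVerify is true in those
// modes, this is the only place the peer's certificate chain is validated.
//
// Order matters: the empty-chain guard runs first so that no helper is ever
// handed an empty chain, and a missing peer certificate always surfaces as
// ErrMissingPeerCertificate rather than as an incidental error from a helper.
func verifyPeerChainAgainstCA(cfg *TLSConfig, cs tls.ConnectionState) error {
	// On the client side, PeerCertificates can't be empty; treat an empty
	// chain as a hard failure regardless of any other setting.
	if len(cs.PeerCertificates) == 0 {
		return ErrMissingPeerCertificate
	}

	// Optionally trust the CA identified by its fingerprint, located in the
	// chain the peer presented. NOTE(review): trustRootCA receives cfg and
	// presumably updates cfg.RootCAs; if so, it mutates shared configuration
	// from a per-connection callback — confirm this is safe when several
	// handshakes run concurrently.
	if cfg.CATrustedFingerprint != "" {
		if err := trustRootCA(cfg, cs.PeerCertificates); err != nil {
			return err
		}
	}

	opts := x509.VerifyOptions{
		Roots:         cfg.RootCAs,
		Intermediates: x509.NewCertPool(),
	}
	// Intermediates starts empty; verifyCertsWithOpts presumably fills it
	// from the remainder of the presented chain and applies the CA pin
	// (cfg.CASha256) when one is configured — verify against its definition.
	return verifyCertsWithOpts(cs.PeerCertificates, cfg.CASha256, opts)
}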