pkg/sockets/tcp_socket.go - third_party/github.com/moby/moby - Git at Google

 package sockets

 import (
 	"crypto/tls"
 	"crypto/x509"
 	"fmt"
 	"io/ioutil"
 	"net"
 	"os"

 	"github.com/docker/docker/pkg/listenbuffer"
 )

 type TlsConfig struct {
 	CA          string
 	Certificate string
 	Key         string
 	Verify      bool
 }

 func NewTlsConfig(tlsCert, tlsKey, tlsCA string, verify bool) *TlsConfig {
 	return &TlsConfig{
 		Verify:      verify,
 		Certificate: tlsCert,
 		Key:         tlsKey,
 		CA:          tlsCA,
 	}
 }

 func NewTcpSocket(addr string, config *TlsConfig, activate <-chan struct{}) (net.Listener, error) {
 	l, err := listenbuffer.NewListenBuffer("tcp", addr, activate)
 	if err != nil {
 		return nil, err
 	}
 	if config != nil {
 		if l, err = setupTls(l, config); err != nil {
 			return nil, err
 		}
 	}
 	return l, nil
 }

 func setupTls(l net.Listener, config *TlsConfig) (net.Listener, error) {
 	tlsCert, err := tls.LoadX509KeyPair(config.Certificate, config.Key)
 	if err != nil {
 		if os.IsNotExist(err) {
 			return nil, fmt.Errorf("Could not load X509 key pair (%s, %s): %v", config.Certificate, config.Key, err)
 		}
 		return nil, fmt.Errorf("Error reading X509 key pair (%s, %s): %q. Make sure the key is encrypted.",
 			config.Certificate, config.Key, err)
 	}
 	tlsConfig := &tls.Config{
 		NextProtos:   []string{"http/1.1"},
 		Certificates: []tls.Certificate{tlsCert},
 		// Avoid fallback on insecure SSL protocols
 		MinVersion: tls.VersionTLS10,
 	}
 	if config.CA != "" {
 		certPool := x509.NewCertPool()
 		file, err := ioutil.ReadFile(config.CA)
 		if err != nil {
 			return nil, fmt.Errorf("Could not read CA certificate: %v", err)
 		}
 		certPool.AppendCertsFromPEM(file)
 		tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
 		tlsConfig.ClientCAs = certPool
 	}
 	return tls.NewListener(l, tlsConfig), nil
 }
	package sockets

	import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io/ioutil"
	"net"
	"os"

	"github.com/docker/docker/pkg/listenbuffer"
	)

	type TlsConfig struct {
	CA string
	Certificate string
	Key string
	Verify bool
	}

	func NewTlsConfig(tlsCert, tlsKey, tlsCA string, verify bool) *TlsConfig {
	return &TlsConfig{
	Verify: verify,
	Certificate: tlsCert,
	Key: tlsKey,
	CA: tlsCA,
	}
	}

	func NewTcpSocket(addr string, config *TlsConfig, activate <-chan struct{}) (net.Listener, error) {
	l, err := listenbuffer.NewListenBuffer("tcp", addr, activate)
	if err != nil {
	return nil, err
	}
	if config != nil {
	if l, err = setupTls(l, config); err != nil {
	return nil, err
	}
	}
	return l, nil
	}

	func setupTls(l net.Listener, config *TlsConfig) (net.Listener, error) {
	tlsCert, err := tls.LoadX509KeyPair(config.Certificate, config.Key)
	if err != nil {
	if os.IsNotExist(err) {
	return nil, fmt.Errorf("Could not load X509 key pair (%s, %s): %v", config.Certificate, config.Key, err)
	}
	return nil, fmt.Errorf("Error reading X509 key pair (%s, %s): %q. Make sure the key is encrypted.",
	config.Certificate, config.Key, err)
	}
	tlsConfig := &tls.Config{
	NextProtos: []string{"http/1.1"},
	Certificates: []tls.Certificate{tlsCert},
	// Avoid fallback on insecure SSL protocols
	MinVersion: tls.VersionTLS10,
	}
	if config.CA != "" {
	certPool := x509.NewCertPool()
	file, err := ioutil.ReadFile(config.CA)
	if err != nil {
	return nil, fmt.Errorf("Could not read CA certificate: %v", err)
	}
	certPool.AppendCertsFromPEM(file)
	tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
	tlsConfig.ClientCAs = certPool
	}
	return tls.NewListener(l, tlsConfig), nil
	}