Add client side TLS/SSL flags --ca-cert/--client-cert/--client-key
Fixes #2966
This commit is contained in:
parent
ec59760d9c
commit
b167d30420
4 changed files with 83 additions and 13 deletions
|
@ -991,6 +991,47 @@ with this setting.
|
|||
|
||||
Prints the version number
|
||||
|
||||
SSL/TLS options
|
||||
---------------
|
||||
|
||||
The outoing SSL/TLS connections rclone makes can be controlled with
|
||||
these options. For example this can be very useful with the HTTP or
|
||||
WebDAV backends. Rclone HTTP servers have their own set of
|
||||
configuration for SSL/TLS which you can find in their documentation.
|
||||
|
||||
### --ca-cert string
|
||||
|
||||
This loads the PEM encoded certificate authority certificate and uses
|
||||
it to verify the certificates of the servers rclone connects to.
|
||||
|
||||
If you have generated certificates signed with a local CA then you
|
||||
will need this flag to connect to servers using those certificates.
|
||||
|
||||
### --client-cert string
|
||||
|
||||
This loads the PEM encoded client side certificate.
|
||||
|
||||
This is used for [mutual TLS authentication](https://en.wikipedia.org/wiki/Mutual_authentication).
|
||||
|
||||
The `--client-key` flag is required too when using this.
|
||||
|
||||
### --client-key string
|
||||
|
||||
This loads the PEM encoded client side private key used for mutual TLS
|
||||
authentication. Used in conjunction with `--client-cert`.
|
||||
|
||||
### --no-check-certificate=true/false ###
|
||||
|
||||
`--no-check-certificate` controls whether a client verifies the
|
||||
server's certificate chain and host name.
|
||||
If `--no-check-certificate` is true, TLS accepts any certificate
|
||||
presented by the server and any host name in that certificate.
|
||||
In this mode, TLS is susceptible to man-in-the-middle attacks.
|
||||
|
||||
This option defaults to `false`.
|
||||
|
||||
**This should be used only for testing.**
|
||||
|
||||
Configuration Encryption
|
||||
------------------------
|
||||
Your configuration file contains information for logging in to
|
||||
|
@ -1147,18 +1188,6 @@ use it.
|
|||
|
||||
Write memory profile to file. This can be analysed with `go tool pprof`.
|
||||
|
||||
### --no-check-certificate=true/false ###
|
||||
|
||||
`--no-check-certificate` controls whether a client verifies the
|
||||
server's certificate chain and host name.
|
||||
If `--no-check-certificate` is true, TLS accepts any certificate
|
||||
presented by the server and any host name in that certificate.
|
||||
In this mode, TLS is susceptible to man-in-the-middle attacks.
|
||||
|
||||
This option defaults to `false`.
|
||||
|
||||
**This should be used only for testing.**
|
||||
|
||||
### --no-traverse ###
|
||||
|
||||
The `--no-traverse` flag controls whether the destination file system
|
||||
|
|
|
@ -87,6 +87,9 @@ type ConfigInfo struct {
|
|||
Progress bool
|
||||
Cookie bool
|
||||
UseMmap bool
|
||||
CaCert string // Client Side CA
|
||||
ClientCert string // Client Side Cert
|
||||
ClientKey string // Client Side Key
|
||||
}
|
||||
|
||||
// NewConfig creates a new config with everything set to the default
|
||||
|
|
|
@ -89,6 +89,9 @@ func AddFlags(flagSet *pflag.FlagSet) {
|
|||
flags.BoolVarP(flagSet, &fs.Config.Progress, "progress", "P", fs.Config.Progress, "Show progress during transfer.")
|
||||
flags.BoolVarP(flagSet, &fs.Config.Cookie, "use-cookies", "", fs.Config.Cookie, "Enable session cookiejar.")
|
||||
flags.BoolVarP(flagSet, &fs.Config.UseMmap, "use-mmap", "", fs.Config.UseMmap, "Use mmap allocator (see docs).")
|
||||
flags.StringVarP(flagSet, &fs.Config.CaCert, "ca-cert", "", fs.Config.CaCert, "CA certificate used to verify servers")
|
||||
flags.StringVarP(flagSet, &fs.Config.ClientCert, "client-cert", "", fs.Config.ClientCert, "Client SSL certificate (PEM) for mutual TLS auth")
|
||||
flags.StringVarP(flagSet, &fs.Config.ClientKey, "client-key", "", fs.Config.ClientKey, "Client SSL private key (PEM) for mutual TLS auth")
|
||||
}
|
||||
|
||||
// SetFlags converts any flags into config which weren't straight foward
|
||||
|
|
|
@ -5,6 +5,9 @@ import (
|
|||
"bytes"
|
||||
"context"
|
||||
"crypto/tls"
|
||||
"crypto/x509"
|
||||
"io/ioutil"
|
||||
"log"
|
||||
"net"
|
||||
"net/http"
|
||||
"net/http/cookiejar"
|
||||
|
@ -130,7 +133,39 @@ func NewTransport(ci *fs.ConfigInfo) http.RoundTripper {
|
|||
t.MaxIdleConns = 2 * t.MaxIdleConnsPerHost
|
||||
t.TLSHandshakeTimeout = ci.ConnectTimeout
|
||||
t.ResponseHeaderTimeout = ci.Timeout
|
||||
t.TLSClientConfig = &tls.Config{InsecureSkipVerify: ci.InsecureSkipVerify}
|
||||
|
||||
// TLS Config
|
||||
t.TLSClientConfig = &tls.Config{
|
||||
InsecureSkipVerify: ci.InsecureSkipVerify,
|
||||
}
|
||||
|
||||
// Load client certs
|
||||
if ci.ClientCert != "" || ci.ClientKey != "" {
|
||||
if ci.ClientCert == "" || ci.ClientKey == "" {
|
||||
log.Fatalf("Both --client-cert and --client-key must be set")
|
||||
}
|
||||
cert, err := tls.LoadX509KeyPair(ci.ClientCert, ci.ClientKey)
|
||||
if err != nil {
|
||||
log.Fatalf("Failed to load --client-cert/--client-key pair: %v", err)
|
||||
}
|
||||
t.TLSClientConfig.Certificates = []tls.Certificate{cert}
|
||||
t.TLSClientConfig.BuildNameToCertificate()
|
||||
}
|
||||
|
||||
// Load CA cert
|
||||
if ci.CaCert != "" {
|
||||
caCert, err := ioutil.ReadFile(ci.CaCert)
|
||||
if err != nil {
|
||||
log.Fatalf("Failed to read --ca-cert: %v", err)
|
||||
}
|
||||
caCertPool := x509.NewCertPool()
|
||||
ok := caCertPool.AppendCertsFromPEM(caCert)
|
||||
if !ok {
|
||||
log.Fatalf("Failed to add certificates from --ca-cert")
|
||||
}
|
||||
t.TLSClientConfig.RootCAs = caCertPool
|
||||
}
|
||||
|
||||
t.DisableCompression = ci.NoGzip
|
||||
t.DialContext = func(ctx context.Context, network, addr string) (net.Conn, error) {
|
||||
return dialContextTimeout(ctx, network, addr, ci)
|
||||
|
|
Loading…
Reference in a new issue