registry: don't iterate through certs
the golang tls.Conn does a fine job of that. http://golang.org/src/pkg/crypto/tls/handshake_client.go?#L334 Signed-off-by: Vincent Batts <vbatts@redhat.com>
This commit is contained in:
parent
eba996acfb
commit
7dd4199fe8
1 changed files with 8 additions and 21 deletions
|
@ -36,15 +36,12 @@ const (
|
|||
ConnectTimeout
|
||||
)
|
||||
|
||||
func newClient(jar http.CookieJar, roots *x509.CertPool, cert *tls.Certificate, timeout TimeoutType, secure bool) *http.Client {
|
||||
func newClient(jar http.CookieJar, roots *x509.CertPool, certs []tls.Certificate, timeout TimeoutType, secure bool) *http.Client {
|
||||
tlsConfig := tls.Config{
|
||||
RootCAs: roots,
|
||||
// Avoid fallback to SSL protocols < TLS1.0
|
||||
MinVersion: tls.VersionTLS10,
|
||||
}
|
||||
|
||||
if cert != nil {
|
||||
tlsConfig.Certificates = append(tlsConfig.Certificates, *cert)
|
||||
MinVersion: tls.VersionTLS10,
|
||||
Certificates: certs,
|
||||
}
|
||||
|
||||
if !secure {
|
||||
|
@ -94,7 +91,7 @@ func newClient(jar http.CookieJar, roots *x509.CertPool, cert *tls.Certificate,
|
|||
func doRequest(req *http.Request, jar http.CookieJar, timeout TimeoutType, secure bool) (*http.Response, *http.Client, error) {
|
||||
var (
|
||||
pool *x509.CertPool
|
||||
certs []*tls.Certificate
|
||||
certs []tls.Certificate
|
||||
)
|
||||
|
||||
if secure && req.URL.Scheme == "https" {
|
||||
|
@ -137,7 +134,7 @@ func doRequest(req *http.Request, jar http.CookieJar, timeout TimeoutType, secur
|
|||
if err != nil {
|
||||
return nil, nil, err
|
||||
}
|
||||
certs = append(certs, &cert)
|
||||
certs = append(certs, cert)
|
||||
}
|
||||
if strings.HasSuffix(f.Name(), ".key") {
|
||||
keyName := f.Name()
|
||||
|
@ -159,19 +156,9 @@ func doRequest(req *http.Request, jar http.CookieJar, timeout TimeoutType, secur
|
|||
return res, client, nil
|
||||
}
|
||||
|
||||
for i, cert := range certs {
|
||||
client := newClient(jar, pool, cert, timeout, secure)
|
||||
res, err := client.Do(req)
|
||||
// If this is the last cert, otherwise, continue to next cert if 403 or 5xx
|
||||
if i == len(certs)-1 || err == nil &&
|
||||
res.StatusCode != 403 &&
|
||||
res.StatusCode != 404 &&
|
||||
res.StatusCode < 500 {
|
||||
return res, client, err
|
||||
}
|
||||
}
|
||||
|
||||
return nil, nil, nil
|
||||
client := newClient(jar, pool, certs, timeout, secure)
|
||||
res, err := client.Do(req)
|
||||
return res, client, err
|
||||
}
|
||||
|
||||
func validateRepositoryName(repositoryName string) error {
|
||||
|
|
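Review bot: The new tail of doRequest (`client := newClient(jar, pool, certs, timeout, secure)` … `return res, client, err`) silently changes how a client certificate is chosen, and nothing documents the new rule: the removed loop tried each cert in turn and fell through on 403/404/5xx, whereas handing the whole slice to `tls.Config.Certificates` leaves the choice to the handshake, which (as I read the linked handshake_client.go) picks the first cert acceptable to the server's CertificateRequest and sends none at all when no cert matches the advertised CAs, so a request can now go out unauthenticated where it previously retried with another cert. Suggest a comment above the `newClient` call, e.g. `// All loaded certs are offered at once; the TLS client picks the one the server's CertificateRequest accepts (or none), so there is no per-cert retry.`, and a sentence on doRequest's doc comment saying the result is the server's choice, not the first cert that yields a non-error status. A small related check: the old loop returned `nil, nil, nil` when `certs` was empty, while the new code performs the request with no client cert, which is probably the intended fix but should be stated in the commit message or comment. Separately, the re-emitted `MinVersion: tls.VersionTLS10` in newClient keeps a TLS 1.0 floor; raising it to `tls.VersionTLS12` is outside this commit's scope but worth a follow-up. Both newClient and doRequest start and end outside the visible hunks.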