Allow user to specify TLS ciphers an min/max TLS version #1041

Merged
merged 1 commit into from
Jun 27, 2023
Merged
9 changes: 9 additions & 0 deletions pulsar/client.go
Expand Up @@ -120,6 +120,15 @@ type ClientOptions struct {
// Configure whether the Pulsar client verify the validity of the host name from broker (default: false)
TLSValidateHostname bool

// TLSCipherSuites is a list of enabled TLS 1.0–1.2 cipher suites. See tls.Config CipherSuites for more information.
TLSCipherSuites []uint16

// TLSMinVersion contains the minimum TLS version that is acceptable. See tls.Config MinVersion for more information.
TLSMinVersion uint16

// TLSMaxVersion contains the maximum TLS version that is acceptable. See tls.Config MaxVersion for more information.
TLSMaxVersion uint16

// Configure the net model for vpc user to connect the pulsar broker
ListenerName string

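Review bot: The doc comments on the three new ClientOptions fields (TLSCipherSuites, TLSMinVersion, TLSMaxVersion) never say what the zero value does, which is the case most callers hit: crypto/tls treats a nil CipherSuites as its default suite list, a zero MinVersion as the package default and a zero MaxVersion as the highest version it supports, so each comment should state that, e.g. `// TLSMinVersion is the minimum TLS version to accept, as a tls.VersionTLSxx constant; zero keeps the crypto/tls default.` Because the fields are bare uint16, naming the tls.VersionTLS12 and tls.TLS_* constants in the comments also tells users what values are expected, and the TLSCipherSuites comment should say that an explicit list replaces Go's default ordering, so it should be built from tls.CipherSuites() rather than tls.InsecureCipherSuites(). The ClientOptions struct begins and ends outside this hunk.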
3 changes: 3 additions & 0 deletions pulsar/client_impl.go
Expand Up @@ -91,6 +91,9 @@ func newClient(options ClientOptions) (Client, error) {
TrustCertsFilePath: options.TLSTrustCertsFilePath,
ValidateHostname: options.TLSValidateHostname,
ServerName: url.Hostname(),
CipherSuites: options.TLSCipherSuites,
MinVersion: options.TLSMinVersion,
MaxVersion: options.TLSMaxVersion,
}
default:
return nil, newError(InvalidConfiguration, fmt.Sprintf("Invalid URL scheme '%s'", url.Scheme))
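Review bot: newClient copies TLSMinVersion and TLSMaxVersion straight into TLSOptions without checking that they are consistent, so a configuration with TLSMinVersion greater than TLSMaxVersion presumably surfaces only when the first connection is dialed, instead of as the InvalidConfiguration error this function already returns for a bad scheme. Adding `if options.TLSMinVersion != 0 && options.TLSMaxVersion != 0 && options.TLSMinVersion > options.TLSMaxVersion {` / `return nil, newError(InvalidConfiguration, "TLSMinVersion must not be greater than TLSMaxVersion")` / `}` before the struct literal keeps the failure at construction time. TLSCipherSuites is also stored by reference, so a caller that mutates its slice after NewClient returns changes every tls.Config later built from these options; `CipherSuites: append([]uint16(nil), options.TLSCipherSuites...),` would detach the copy at the API boundary. newClient begins before and continues past this hunk.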
6 changes: 6 additions & 0 deletions pulsar/internal/connection.go
Expand Up @@ -50,6 +50,9 @@ type TLSOptions struct {
AllowInsecureConnection bool
ValidateHostname bool
ServerName string
CipherSuites []uint16
MinVersion uint16
MaxVersion uint16
}

var (
Expand Down Expand Up @@ -1046,6 +1049,9 @@ func (c *connection) closed() bool {
func (c *connection) getTLSConfig() (*tls.Config, error) {
tlsConfig := &tls.Config{
InsecureSkipVerify: c.tlsOptions.AllowInsecureConnection,
CipherSuites: c.tlsOptions.CipherSuites,
MinVersion: c.tlsOptions.MinVersion,
MaxVersion: c.tlsOptions.MaxVersion,
}

if c.tlsOptions.TrustCertsFilePath != "" {
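Review bot: getTLSConfig now builds the same four-field tls.Config prefix as getDefaultTransport in pulsar/internal/http_client.go, and the two copies already disagree on how they test TrustCertsFilePath (`!= ""` here, `len(...) > 0` there), so the next TLS option is likely to land in one place and not the other. A small method on TLSOptions that returns the base config would give both call sites one definition to start from; the rest of each function (trust roots, client certificate) would stay as it is. The new TLSOptions fields in the first hunk carry no comments, matching their neighbours, but a one-line pointer to the tls.Config field each one feeds would help readers of the internal package. Both the TLSOptions struct and getTLSConfig continue outside the hunks shown.
```go
// baseConfig returns the tls.Config fields every connection type derives
// from o; callers add trust roots and client certificates on top of it.
func (o *TLSOptions) baseConfig() *tls.Config {
	return &tls.Config{
		InsecureSkipVerify: o.AllowInsecureConnection,
		CipherSuites:       o.CipherSuites,
		MinVersion:         o.MinVersion,
		MaxVersion:         o.MaxVersion,
	}
}

func (c *connection) getTLSConfig() (*tls.Config, error) {
	tlsConfig := c.tlsOptions.baseConfig()
	// … unchanged: TrustCertsFilePath and client certificate handling …
```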
3 changes: 3 additions & 0 deletions pulsar/internal/http_client.go
Expand Up @@ -339,6 +339,9 @@ func getDefaultTransport(tlsConfig *TLSOptions) (http.RoundTripper, error) {
if tlsConfig != nil {
cfg := &tls.Config{
InsecureSkipVerify: tlsConfig.AllowInsecureConnection,
CipherSuites: tlsConfig.CipherSuites,
MinVersion: tlsConfig.MinVersion,
MaxVersion: tlsConfig.MaxVersion,
}
if len(tlsConfig.TrustCertsFilePath) > 0 {
rootCA, err := os.ReadFile(tlsConfig.TrustCertsFilePath)