Diffstat (limited to 'client')
-rw-r--r-- | client/dial.go | 4 | ||||
-rw-r--r-- | client/pool-darwin.go | 58 | ||||
-rw-r--r-- | client/pool.go | 8 |
3 files changed, 67 insertions, 3 deletions
diff --git a/client/dial.go b/client/dial.go index e8a3a5f44..d0a51c0c1 100644 --- a/client/dial.go +++ b/client/dial.go @@ -1,8 +1,6 @@ package client import ( - "crypto/x509" - "google.golang.org/grpc/credentials" "net/url" @@ -21,7 +19,7 @@ func Dial(rawAddress string, connOpts []grpc.DialOption) (*grpc.ClientConn, erro } if isTLS(rawAddress) { - certPool, err := x509.SystemCertPool() + certPool, err := systemCertPool() if err != nil { return nil, err } diff --git a/client/pool-darwin.go b/client/pool-darwin.go new file mode 100644 index 000000000..e392a4d70 --- /dev/null +++ b/client/pool-darwin.go @@ -0,0 +1,58 @@ +// +build darwin + +package client + +import ( + "crypto/x509" + "io/ioutil" + "os" + "path" +) + +// systemCertPool circumvents the fact that Go on macOS does not support +// SSL_CERT_{DIR,FILE}. +func systemCertPool() (*x509.CertPool, error) { + var certPem []byte + count := 0 + + if f := os.Getenv("SSL_CERT_FILE"); len(f) > 0 { + pem, err := ioutil.ReadFile(f) + if err != nil { + return nil, err + } + + pem = append(pem, '\n') + certPem = append(certPem, pem...) + count++ + } + + if d := os.Getenv("SSL_CERT_DIR"); len(d) > 0 { + entries, err := ioutil.ReadDir(d) + if err != nil { + return nil, err + } + + for _, entry := range entries { + if entry.IsDir() { + continue + } + + pem, err := ioutil.ReadFile(path.Join(d, entry.Name())) + if err != nil { + return nil, err + } + + pem = append(pem, '\n') + certPem = append(certPem, pem...) + count++ + } + } + + pool, err := x509.SystemCertPool() + if err != nil { + return nil, err + } + + pool.AppendCertsFromPEM(certPem) + return pool, nil +} diff --git a/client/pool.go b/client/pool.go new file mode 100644 index 000000000..e4d216427 --- /dev/null +++ b/client/pool.go @@ -0,0 +1,8 @@ +// +build !darwin + +package client + +import "crypto/x509" + +// systemCertPool has an override on macOS. +func systemCertPool() (*x509.CertPool, error) { return x509.SystemCertPool() } |
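Review bot: `systemCertPool` in client/pool-darwin.go appends the certificates from SSL_CERT_FILE and SSL_CERT_DIR to `x509.SystemCertPool()` instead of replacing it, so an operator who sets these variables to limit trust to a private CA still trusts every macOS system root; as far as I know, Go on other Unix systems treats the variables as overrides of the default locations, so the two builds of this client would differ in what they trust. At minimum the doc comment should say so, e.g. `// Certificates from SSL_CERT_FILE and SSL_CERT_DIR are added to the system roots; they do not replace them.` The result of `pool.AppendCertsFromPEM(certPem)` is also discarded, so a configured file or directory that yields no parseable certificate is accepted silently; `if len(certPem) > 0 && !pool.AppendCertsFromPEM(certPem) { return nil, errors.New("no certificates found in SSL_CERT_FILE/SSL_CERT_DIR") }` (with the `errors` import) would surface that. `count` is incremented but never read in the visible code and can be removed.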