Skip to content

Add SecureOptions.VerifyConnection #236

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
bestbeforetoday merged 1 commit into from
Mar 8, 2026
Merged

Add SecureOptions.VerifyConnection #236

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 0 additions & 5 deletions .golangci.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,11 +33,6 @@ linters:
presets:
- common-false-positives
- std-error-handling
rules:
- path: "_test.go$"
text: "^G703:"
linters:
- gosec
formatters:
enable:
- gofmt
Expand Down
31 changes: 29 additions & 2 deletions pkg/network/network.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -178,25 +178,51 @@ func NewGRPCClient(config ClientConfig) (*GRPCClient, error) {
// GRPCServer or GRPCClient instance
type SecureOptions struct {
// VerifyCertificate, if not nil, is called after normal
// certificate verification by either a TLS client or server.
// If it returns a non-nil error, the handshake is aborted and that error results.
// certificate verification by either a TLS client or server. It
// receives the raw ASN.1 certificates provided by the peer and also
// any verified chains that normal processing found. If it returns a
// non-nil error, the handshake is aborted and that error results.
//
// This callback is not invoked on resumed connections. It is recommended
// to use [SecureOptions.VerifyConnection] instead.
VerifyCertificate func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error

// VerifyConnection, if not nil, is called after normal certificate
// verification and after VerifyPeerCertificate by either a TLS client
// or server. If it returns a non-nil error, the handshake is aborted
// and that error results.
//
// If normal verification fails then the handshake will abort before
// considering this callback. This callback will run for all connections,
// including resumptions, regardless of InsecureSkipVerify or ClientAuth
// settings.
//
// For a usage example, see: https://pkg.go.dev/crypto/tls#example-Config-VerifyConnection
VerifyConnection func(tls.ConnectionState) error

// PEM-encoded X509 public key to be used for TLS communication
Certificate []byte

// PEM-encoded private key to be used for TLS communication
Key []byte

// Set of PEM-encoded X509 certificate authorities used by clients to
// verify server certificates
ServerRootCAs [][]byte

// Set of PEM-encoded X509 certificate authorities used by servers to
// verify client certificates
ClientRootCAs [][]byte

// Whether or not to use TLS for communication
UseTLS bool

// Whether or not TLS client must present certificates for authentication
RequireClientCert bool

// CipherSuites is a list of supported cipher suites for TLS
CipherSuites []uint16

// TimeShift makes TLS handshakes time sampling shift to the past by a given duration
TimeShift time.Duration
}
Expand All @@ -209,6 +235,7 @@ func (client *GRPCClient) parseSecureOptions(opts SecureOptions) error {

client.tlsConfig = &tls.Config{
VerifyPeerCertificate: opts.VerifyCertificate,
VerifyConnection: opts.VerifyConnection,
MinVersion: tls.VersionTLS12} // TLS 1.2 only

if serverRootCAs, err := newRootCACertPool(opts); err == nil {
Expand Down