// NOTE(review): this listing is a declaration outline. Type definitions and
// function bodies are elided (shown as …), so the comments below describe only
// what the signatures and the existing doc comments establish.

var _ …

type x509DeprecatedCertificateMetricsRTWrapper …

type deprecatedCertificateAttributeChecker …

type counterRaiser …

// IncreaseMetricsCounter presumably increments the counter held by c for the
// given request. The body is not shown here; confirm against the implementation.
func (c *counterRaiser) IncreaseMetricsCounter(req *http.Request) { … }

// NewDeprecatedCertificateRoundTripperWrapperConstructor returns a RoundTripper
// wrapper that is usable within ClientConfig.Wrap.
//
// It increases the `missingSAN` counter whenever:
//  1. we get an x509.HostnameError with the string
//     `x509: certificate relies on legacy Common Name field`,
//     which indicates an error caused by the deprecation of the Common Name
//     field when verifying the remote hostname
//  2. the server certificate in the response contains no SAN. This indicates
//     that this binary runs with GODEBUG=x509ignoreCN=0 in its environment
//
// It increases the `sha1` counter whenever:
//  1. we get an x509.InsecureAlgorithmError with the string `SHA1`,
//     which indicates an error caused by an insecure SHA1 signature
//  2. the server certificate in the response contains a SHA1WithRSA or
//     ECDSAWithSHA1 signature. This indicates that this binary runs with
//     GODEBUG=x509sha1=1 in its environment
//
// Security note: in case 1 of each list the connection was rejected by
// certificate verification. In case 2 a response was received, so the
// connection was accepted despite the deprecated property. A rising counter
// in case 2 therefore marks servers that would stop being reachable once the
// GODEBUG relaxation is dropped.
//
// NOTE(review): case 1 is described as matching on error text. Such a match
// depends on the wording used by the Go toolchain in use; confirm it against
// the supported Go versions.
// NOTE(review): a response carrying such a certificate could presumably also
// be seen when the transport skips verification altogether (for example
// tls.Config.InsecureSkipVerify). Confirm whether that case is meant to be
// counted.
func NewDeprecatedCertificateRoundTripperWrapperConstructor(missingSAN, sha1 *metrics.Counter) func(rt http.RoundTripper) http.RoundTripper { … }

// RoundTrip has the signature of the http.RoundTripper method. Going by the
// constructor's documentation, it presumably delegates to the wrapped
// RoundTripper and then inspects the returned error and the peer certificates
// of the response to raise the counters. The body is not shown here; confirm.
func (w *x509DeprecatedCertificateMetricsRTWrapper) RoundTrip(req *http.Request) (*http.Response, error) { … }

// WrappedRoundTripper presumably returns the RoundTripper that w wraps (body
// not shown here; confirm).
func (w *x509DeprecatedCertificateMetricsRTWrapper) WrappedRoundTripper() http.RoundTripper { … }

var _ …

type missingSANChecker …

// NewSANDeprecatedChecker returns a *missingSANChecker. The counter argument is
// presumably the one raised when a check matches (body not shown here; confirm).
func NewSANDeprecatedChecker(counter *metrics.Counter) *missingSANChecker { … }

// CheckRoundTripError returns true when we're running without
// GODEBUG=x509ignoreCN=0 and the client reports a HostnameError about the
// legacy CN fields.
func (c *missingSANChecker) CheckRoundTripError(err error) bool { … }

// CheckPeerCertificates returns true when the server response contains
// a leaf certificate without the SAN extension.
func (c *missingSANChecker) CheckPeerCertificates(peerCertificates []*x509.Certificate) bool { … }

// hasSAN presumably reports whether c carries a SAN extension, judging by its
// name and signature (body not shown here; confirm which SAN fields it checks).
func hasSAN(c *x509.Certificate) bool { … }

type sha1SignatureChecker …

// NewSHA1SignatureDeprecatedChecker returns a *sha1SignatureChecker. The counter
// argument is presumably the one raised when a check matches (body not shown
// here; confirm).
func NewSHA1SignatureDeprecatedChecker(counter *metrics.Counter) *sha1SignatureChecker { … }

// CheckRoundTripError returns true when we're running without
// GODEBUG=x509sha1=1 and the client reports an InsecureAlgorithmError about a
// SHA1 signature.
func (c *sha1SignatureChecker) CheckRoundTripError(err error) bool { … }

// CheckPeerCertificates returns true when the server response contains
// a non-root, non-self-signed certificate with a deprecated SHA1 signature.
func (c *sha1SignatureChecker) CheckPeerCertificates(peerCertificates []*x509.Certificate) bool { … }