// NewListener creates a new listener on addr for the given scheme.
//
// tlsinfo supplies the TLS configuration; whether it is used depends on
// scheme (see wrapTLS). NOTE(review): presumably tlsinfo may be nil for a
// non-TLS scheme — confirm against the body, which is not shown here.
func NewListener(addr, scheme string, tlsinfo *TLSInfo) (l net.Listener, err error) { … }

// NewListenerWithOpts creates a new listener which accepts listener options.
func NewListenerWithOpts(addr, scheme string, opts ...ListenerOption) (net.Listener, error) { … }

// newListener is the unexported implementation shared by NewListener and
// NewListenerWithOpts; it applies the given ListenerOptions.
func newListener(addr, scheme string, opts ...ListenerOption) (net.Listener, error) { … }

// newKeepAliveListener listens on addr using cfg and returns the resulting
// listener. The name suggests TCP keep-alive is enabled on accepted
// connections — TODO confirm in the body, which is not shown here.
func newKeepAliveListener(cfg *net.ListenConfig, addr string) (ln net.Listener, err error) { … }

// wrapTLS wraps l in TLS according to scheme and tlsinfo.
//
// Security note: a listener that is not wrapped serves plaintext, so callers
// must ensure scheme and tlsinfo agree with what the deployment expects.
func wrapTLS(scheme string, tlsinfo *TLSInfo, l net.Listener) (net.Listener, error) { … }

// newListenConfig builds a net.ListenConfig from the socket options in sopts.
func newListenConfig(sopts *SocketOpts) (net.ListenConfig, error) { … }

// TLSInfo holds the TLS configuration from which ServerConfig and
// ClientConfig derive tls.Config objects; cafiles reports its CA file paths.
// Its fields are defined outside this excerpt.
type TLSInfo …

// String returns a human-readable rendering of info.
func (info TLSInfo) String() string { … }

// Empty reports whether info carries no TLS configuration.
func (info TLSInfo) Empty() bool { … }

// SelfCert generates a self-signed certificate and key for hosts (presumably
// written under dirpath), valid for selfSignedCertValidity (units not visible
// here — presumably days; confirm), with additionalUsages added to the
// certificate's extended key usages, and returns a TLSInfo for it.
//
// Security note: a self-signed certificate cannot be validated against a
// trusted CA, so it is suitable for testing and bootstrapping only;
// production deployments should use CA-issued certificates.
func SelfCert(lg *zap.Logger, dirpath string, hosts []string, selfSignedCertValidity uint, additionalUsages ...x509.ExtKeyUsage) (info TLSInfo, err error) { … }

// baseConfig is called on initial TLS handshake start.
//
// Previously,
//  1. Server has non-empty (*tls.Config).Certificates on client hello
//  2. Server calls (*tls.Config).GetCertificate iff:
//     - Server's (*tls.Config).Certificates is not empty, or
//     - Client supplies SNI; non-empty (*tls.ClientHelloInfo).ServerName
//
// When (*tls.Config).Certificates is always populated on initial handshake,
// client is expected to provide a valid matching SNI to pass the TLS
// verification, thus trigger server (*tls.Config).GetCertificate to reload
// TLS assets. However, a cert whose SAN field does not include domain names
// but only IP addresses, has empty (*tls.ClientHelloInfo).ServerName, thus
// it was never able to trigger TLS reload on initial handshake; first
// certificate object was being used, never being updated.
//
// Now, (*tls.Config).Certificates is created empty on initial TLS client
// handshake, in order to trigger (*tls.Config).GetCertificate and populate
// rest of the certificates on every new TLS connection, even when client
// SNI is empty (e.g. cert only includes IPs).
//
// Consequently, a rotated certificate on disk takes effect for new
// connections without a process restart, and GetCertificate runs for every
// new TLS connection rather than once.
func (info TLSInfo) baseConfig() (*tls.Config, error) { … }

// cafiles returns a list of CA file paths.
func (info TLSInfo) cafiles() []string { … }

// ServerConfig generates a tls.Config object for use by an HTTP server.
//
// Security note: whether client certificates are required and how they are
// verified is decided by TLSInfo fields not visible here; review them before
// relying on the returned config.
func (info TLSInfo) ServerConfig() (*tls.Config, error) { … }

// ClientConfig generates a tls.Config object for use by an HTTP client.
//
// Security note: whether server certificate and hostname verification is
// enforced is decided by TLSInfo fields not visible here; review them before
// relying on the returned config.
func (info TLSInfo) ClientConfig() (*tls.Config, error) { … }

// IsClosedConnError returns true if the error is from closing listener, cmux.
// copied from golang.org/x/net/http2/http2.go
func IsClosedConnError(err error) bool { … }