From 0288b3151bb999171fd87cedd4a54873cb613939 Mon Sep 17 00:00:00 2001 From: Tom Wilkie Date: Fri, 23 Oct 2015 16:16:48 +0000 Subject: [PATCH] Use gocertifi instead of random ca-certs. --- Makefile | 5 +---- docker/Dockerfile | 1 - xfer/http_publisher.go | 43 +++++++++++++++++++++++++++++------------- 3 files changed, 31 insertions(+), 18 deletions(-) diff --git a/Makefile b/Makefile index 17a0e4cf7..b0fafc72f 100644 --- a/Makefile +++ b/Makefile @@ -29,16 +29,13 @@ docker/weave: curl -L git.io/weave -o docker/weave chmod u+x docker/weave -$(SCOPE_EXPORT): backend $(DOCKER_DISTRIB) docker/weave $(RUNSVINIT) docker/Dockerfile docker/run-app docker/run-probe docker/entrypoint.sh docker/ca-certificates.crt +$(SCOPE_EXPORT): backend $(DOCKER_DISTRIB) docker/weave $(RUNSVINIT) docker/Dockerfile docker/run-app docker/run-probe docker/entrypoint.sh @if [ -z '$(DOCKER_SQUASH)' ] ; then echo "Please install docker-squash by running 'make deps' (and make sure GOPATH/bin is in your PATH)." && exit 1 ; fi cp $(APP_EXE) $(PROBE_EXE) docker/ cp $(DOCKER_DISTRIB) docker/docker.tgz $(SUDO) docker build -t $(SCOPE_IMAGE) docker/ $(SUDO) docker save $(SCOPE_IMAGE):latest | sudo $(DOCKER_SQUASH) -t $(SCOPE_IMAGE) | tee $@ | $(SUDO) docker load -docker/ca-certificates.crt: /etc/ssl/certs/ca-certificates.crt - cp $? $@ - $(RUNSVINIT): vendor/runsvinit/*.go go build -o $@ github.com/weaveworks/scope/vendor/runsvinit diff --git a/docker/Dockerfile b/docker/Dockerfile index aa94c7732..c794b56ce 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -10,6 +10,5 @@ ADD ./weave /usr/bin/ COPY ./scope-app ./scope-probe ./runsvinit ./entrypoint.sh /home/weave/ COPY ./run-app /etc/service/app/run COPY ./run-probe /etc/service/probe/run -COPY ./ca-certificates.crt /etc/ssl/certs/ EXPOSE 4040 ENTRYPOINT ["/home/weave/entrypoint.sh"] diff --git a/xfer/http_publisher.go b/xfer/http_publisher.go index bbd6aea54..f50895d74 100644 --- a/xfer/http_publisher.go +++ b/xfer/http_publisher.go @@ -8,6 +8,8 @@ import ( "net/http" "time" + "github.com/certifi/gocertifi" + "github.com/weaveworks/scope/common/sanitize" ) @@ -19,22 +21,43 @@ type HTTPPublisher struct { client *http.Client } -var fastClient = &http.Client{ - Timeout: 5 * time.Second, +func getHTTPTransport(insecure bool) (*http.Transport, error) { + if insecure { + return &http.Transport{ + TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, + }, nil + } + + certPool, err := gocertifi.CACerts() + if err != nil { + return nil, err + } + return &http.Transport{ + TLSClientConfig: &tls.Config{ + RootCAs: certPool, + }, + }, nil } // NewHTTPPublisher returns an HTTPPublisher ready for use. func NewHTTPPublisher(target, token, probeID string, insecure bool) (string, *HTTPPublisher, error) { + httpTransport, err := getHTTPTransport(insecure) + if err != nil { + return "", nil, err + } + p := &HTTPPublisher{ url: sanitize.URL("", 0, "/api/report")(target), token: token, probeID: probeID, - client: http.DefaultClient, + client: &http.Client{ + Transport: httpTransport, + }, } - client := fastClient - if insecure { - allowInsecure(fastClient) - allowInsecure(p.client) + + client := &http.Client{ + Timeout: 5 * time.Second, + Transport: httpTransport, } req, err := p.authorizedRequest("GET", sanitize.URL("", 0, "/api")(target), nil) if err != nil { @@ -97,12 +120,6 @@ func AuthorizationHeader(token string) string { return fmt.Sprintf("Scope-Probe token=%s", token) } -func allowInsecure(c *http.Client) { - c.Transport = &http.Transport{ - TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, - } -} - // ScopeProbeIDHeader is the header we use to carry the probe's unique ID. The // ID is currently set to the probe's hostname. It's designed to deduplicate // reports from the same probe to the same receiver, in case the probe is