mirror of
https://github.com/moby/moby.git
synced 2022-11-09 12:21:53 -05:00
10f78974ca
remove sslv3 from server's TLS supported versions
119 lines
2.7 KiB
Go
119 lines
2.7 KiB
Go
package main
|
|
|
|
import (
|
|
"crypto/tls"
|
|
"crypto/x509"
|
|
"fmt"
|
|
"io/ioutil"
|
|
"os"
|
|
"strings"
|
|
|
|
"github.com/docker/docker/api"
|
|
"github.com/docker/docker/api/client"
|
|
"github.com/docker/docker/dockerversion"
|
|
"github.com/docker/docker/pkg/log"
|
|
flag "github.com/docker/docker/pkg/mflag"
|
|
"github.com/docker/docker/reexec"
|
|
"github.com/docker/docker/utils"
|
|
)
|
|
|
|
const (
|
|
defaultTrustKeyFile = "key.json"
|
|
defaultCaFile = "ca.pem"
|
|
defaultKeyFile = "key.pem"
|
|
defaultCertFile = "cert.pem"
|
|
)
|
|
|
|
func main() {
|
|
if reexec.Init() {
|
|
return
|
|
}
|
|
flag.Parse()
|
|
// FIXME: validate daemon flags here
|
|
|
|
if *flVersion {
|
|
showVersion()
|
|
return
|
|
}
|
|
if *flDebug {
|
|
os.Setenv("DEBUG", "1")
|
|
}
|
|
|
|
if len(flHosts) == 0 {
|
|
defaultHost := os.Getenv("DOCKER_HOST")
|
|
if defaultHost == "" || *flDaemon {
|
|
// If we do not have a host, default to unix socket
|
|
defaultHost = fmt.Sprintf("unix://%s", api.DEFAULTUNIXSOCKET)
|
|
}
|
|
defaultHost, err := api.ValidateHost(defaultHost)
|
|
if err != nil {
|
|
log.Fatal(err)
|
|
}
|
|
flHosts = append(flHosts, defaultHost)
|
|
}
|
|
|
|
if *flDaemon {
|
|
mainDaemon()
|
|
return
|
|
}
|
|
|
|
if len(flHosts) > 1 {
|
|
log.Fatal("Please specify only one -H")
|
|
}
|
|
protoAddrParts := strings.SplitN(flHosts[0], "://", 2)
|
|
|
|
var (
|
|
cli *client.DockerCli
|
|
tlsConfig tls.Config
|
|
)
|
|
tlsConfig.InsecureSkipVerify = true
|
|
|
|
// If we should verify the server, we need to load a trusted ca
|
|
if *flTlsVerify {
|
|
*flTls = true
|
|
certPool := x509.NewCertPool()
|
|
file, err := ioutil.ReadFile(*flCa)
|
|
if err != nil {
|
|
log.Fatalf("Couldn't read ca cert %s: %s", *flCa, err)
|
|
}
|
|
certPool.AppendCertsFromPEM(file)
|
|
tlsConfig.RootCAs = certPool
|
|
tlsConfig.InsecureSkipVerify = false
|
|
}
|
|
|
|
// If tls is enabled, try to load and send client certificates
|
|
if *flTls || *flTlsVerify {
|
|
_, errCert := os.Stat(*flCert)
|
|
_, errKey := os.Stat(*flKey)
|
|
if errCert == nil && errKey == nil {
|
|
*flTls = true
|
|
cert, err := tls.LoadX509KeyPair(*flCert, *flKey)
|
|
if err != nil {
|
|
log.Fatalf("Couldn't load X509 key pair: %s. Key encrypted?", err)
|
|
}
|
|
tlsConfig.Certificates = []tls.Certificate{cert}
|
|
}
|
|
// Avoid fallback to SSL protocols < TLS1.0
|
|
tlsConfig.MinVersion = tls.VersionTLS10
|
|
}
|
|
|
|
if *flTls || *flTlsVerify {
|
|
cli = client.NewDockerCli(os.Stdin, os.Stdout, os.Stderr, nil, protoAddrParts[0], protoAddrParts[1], &tlsConfig)
|
|
} else {
|
|
cli = client.NewDockerCli(os.Stdin, os.Stdout, os.Stderr, nil, protoAddrParts[0], protoAddrParts[1], nil)
|
|
}
|
|
|
|
if err := cli.Cmd(flag.Args()...); err != nil {
|
|
if sterr, ok := err.(*utils.StatusError); ok {
|
|
if sterr.Status != "" {
|
|
log.Infof("%s", sterr.Status)
|
|
}
|
|
os.Exit(sterr.StatusCode)
|
|
}
|
|
log.Fatal(err)
|
|
}
|
|
}
|
|
|
|
func showVersion() {
|
|
fmt.Printf("Docker version %s, build %s\n", dockerversion.VERSION, dockerversion.GITCOMMIT)
|
|
}
|