prepareSTSClientTransport tls function refactor

- Reading root ca certificates operation will run only once after Console
starts, reduce the chance of panics happening during runtime
- Fixed bug in which tls.config insecureSkipVerification configuration
  could get overrided after variable reasignation

Author: Alevsk

restapi/tls.go

@@ -19,35 +19,41 @@ package restapi
 import (
 	"crypto/tls"
 	"crypto/x509"
-	"fmt"
 	"io/ioutil"
 	"net"
 	"net/http"
 	"time"
 )
 
-var (
-	certDontExists = "File certificate doesn't exists: %s"
-)
+func mustGetCertPool() *x509.CertPool {
+	caCertFileNames := getMinioServerTLSRootCAs()
+	// If CAs certificates are configured we save them to the http.Client RootCAs store
+	certs := x509.NewCertPool()
+	for _, caCert := range caCertFileNames {
+		pemData, err := ioutil.ReadFile(caCert)
+		if err != nil {
+			// if there was an error reading pem file stop console
+			panic(err)
+		}
+		certs.AppendCertsFromPEM(pemData)
+	}
+	return certs
+}
 
-func prepareSTSClientTransport(insecure bool) *http.Transport {
-	// This takes github.com/minio/minio/pkg/madmin/transport.go as an example
-	//
-	// DefaultTransport - this default transport is similar to
-	// http.DefaultTransport but with additional param  DisableCompression
-	// is set to true to avoid decompressing content with 'gzip' encoding.
+var certPool = mustGetCertPool()
 
-	// Keep TLS config.
+func prepareSTSClientTransport(insecure bool) *http.Transport {
 	tlsConfig := &tls.Config{
 		// Can't use SSLv3 because of POODLE and BEAST
 		// Can't use TLSv1.0 because of POODLE and BEAST using CBC cipher
 		// Can't use TLSv1.1 because of RC4 cipher usage
 		MinVersion: tls.VersionTLS12,
 	}
-	if insecure {
-		tlsConfig.InsecureSkipVerify = true
-	}
-
+	// This takes github.com/minio/minio/pkg/madmin/transport.go as an example
+	//
+	// DefaultTransport - this default transport is similar to
+	// http.DefaultTransport but with additional param  DisableCompression
+	// is set to true to avoid decompressing content with 'gzip' encoding.
 	DefaultTransport := &http.Transport{
 		Proxy: http.ProxyFromEnvironment,
 		DialContext: (&net.Dialer{
@@ -63,37 +69,8 @@ func prepareSTSClientTransport(insecure bool) *http.Transport {
 		DisableCompression:    true,
 		TLSClientConfig:       tlsConfig,
 	}
-	// If Minio instance is running with TLS enabled and it's using a self-signed certificate
-	// or a certificate issued by a custom certificate authority we prepare a new custom *http.Transport
-	if getMinIOEndpointIsSecure() {
-		caCertFileNames := getMinioServerTLSRootCAs()
-		tlsConfig := &tls.Config{
-			// Can't use SSLv3 because of POODLE and BEAST
-			// Can't use TLSv1.0 because of POODLE and BEAST using CBC cipher
-			// Can't use TLSv1.1 because of RC4 cipher usage
-			MinVersion: tls.VersionTLS12,
-		}
-		// If CAs certificates are configured we save them to the http.Client RootCAs store
-		if len(caCertFileNames) > 0 {
-			certs := x509.NewCertPool()
-			for _, caCert := range caCertFileNames {
-				// Validate certificate exists
-				if FileExists(caCert) {
-					pemData, err := ioutil.ReadFile(caCert)
-					if err != nil {
-						// if there was an error reading pem file stop console
-						panic(err)
-					}
-					certs.AppendCertsFromPEM(pemData)
-				} else {
-					// if provided cert filename doesn't exists stop console
-					panic(fmt.Sprintf(certDontExists, caCert))
-				}
-			}
-			tlsConfig.RootCAs = certs
-		}
-		DefaultTransport.TLSClientConfig = tlsConfig
-	}
+	tlsConfig.InsecureSkipVerify = insecure
+	tlsConfig.RootCAs = certPool
 	return DefaultTransport
 }