TheArchive/tailscale
1
0
Fork 0
mirror of https://github.com/tailscale/tailscale.git synced 2025-11-01 06:04:22 +00:00
Code Issues Packages Projects Releases Wiki Activity

derp/derphttp: fix DERP TLS client server name inclusion in URL form

Browse Source 
When dialed with just an URL and no node, the recent proxy fixes caused
a regression where there was no TLS server name being included.

Updates #16222
Updates #16223

Signed-off-by: James Tucker <james@tailscale.com>
Co-Authored-by: Jordan Whited <jwhited@tailscale.com>
This commit is contained in:
James Tucker
2025-07-02 14:32:21 -07:00
committed by James Tucker
parent eb03d42fe6
commit 77d19604f4
2 changed files with 39 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
derp/derphttp/derphttp_client.go
View File

@@ -648,12 +648,14 @@ func (c *Client) dialRegion(ctx context.Context, reg *tailcfg.DERPRegion) (net.C
func (c *Client) tlsClient(nc net.Conn, node *tailcfg.DERPNode) *tls.Conn {
tlsConf := tlsdial.Config(c.HealthTracker, c.TLSConfig)
// node is allowed to be nil here, tlsServerName falls back to using the URL
// if node is nil.
tlsConf.ServerName = c.tlsServerName(node)
if node != nil {
if node.InsecureForTests {
tlsConf.InsecureSkipVerify = true
tlsConf.VerifyConnection = nil
}
tlsConf.ServerName = c.tlsServerName(node)
if node.CertName != "" {
if suf, ok := strings.CutPrefix(node.CertName, "sha256-raw:"); ok {
tlsdial.SetConfigExpectedCertHash(tlsConf, suf)