cmd/derper, derp/derphttp: support, generate self-signed IP address certs

For people who can't use LetsEncrypt because it's banned. Per https://github.com/tailscale/tailscale/issues/11776#issuecomment-2520955317 This does two things: 1) if you run derper with --certmode=manual and --hostname=$IP_ADDRESS we previously permitted, but now we also: * auto-generate the self-signed cert for you if it doesn't yet exist on disk * print out the derpmap configuration you need to use that self-signed cert 2) teaches derp/derphttp's derp dialer to verify the signature of self-signed TLS certs, if so declared in the existing DERPNode.CertName field, which previously existed for domain fronting, separating out the dial hostname from how certs are validates, so it's not overloaded much; that's what it was meant for. Fixes #11776 Change-Id: Ie72d12f209416bb7e8325fe0838cd2c66342c5cf Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2025-08-11 13:18:53 +00:00 · 2025-03-04 13:41:12 -08:00
parent e80d2b4ad1
commit 7fac0175c0
5 changed files with 238 additions and 4 deletions
--- a/net/tlsdial/tlsdial.go
+++ b/net/tlsdial/tlsdial.go
@@ -12,6 +12,7 @@ package tlsdial
 import (
 	"bytes"
 	"context"
+	"crypto/sha256"
 	"crypto/tls"
 	"crypto/x509"
 	"errors"
@@ -246,6 +247,46 @@ func SetConfigExpectedCert(c *tls.Config, certDNSName string) {
 	}
 }

+// SetConfigExpectedCertHash configures c's VerifyPeerCertificate function
+// to require that exactly 1 cert is presented, and that the hex of its SHA256 hash
+// is equal to wantFullCertSHA256Hex and that it's a valid cert for c.ServerName.
+func SetConfigExpectedCertHash(c *tls.Config, wantFullCertSHA256Hex string) {
+	if c.VerifyPeerCertificate != nil {
+		panic("refusing to override tls.Config.VerifyPeerCertificate")
+	}
+	// Set InsecureSkipVerify to prevent crypto/tls from doing its
+	// own cert verification, but do the same work that it'd do
+	// (but using certDNSName) in the VerifyPeerCertificate hook.
+	c.InsecureSkipVerify = true
+	c.VerifyConnection = nil
+	c.VerifyPeerCertificate = func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
+		if len(rawCerts) == 0 {
+			return errors.New("no certs presented")
+		}
+		if len(rawCerts) > 1 {
+			return errors.New("unexpected multiple certs presented")
+		}
+		if fmt.Sprintf("%02x", sha256.Sum256(rawCerts[0])) != wantFullCertSHA256Hex {
+			return fmt.Errorf("cert hash does not match expected cert hash")
+		}
+		cert, err := x509.ParseCertificate(rawCerts[0])
+		if err != nil {
+			return fmt.Errorf("ParseCertificate: %w", err)
+		}
+		if err := cert.VerifyHostname(c.ServerName); err != nil {
+			return fmt.Errorf("cert does not match server name %q: %w", c.ServerName, err)
+		}
+		now := time.Now()
+		if now.After(cert.NotAfter) {
+			return fmt.Errorf("cert expired %v", cert.NotAfter)
+		}
+		if now.Before(cert.NotBefore) {
+			return fmt.Errorf("cert not yet valid until %v; is your clock correct?", cert.NotBefore)
+		}
+		return nil
+	}
+}
+
 // NewTransport returns a new HTTP transport that verifies TLS certs using this
 // package, including its baked-in LetsEncrypt fallback roots.
 func NewTransport() *http.Transport {