ipn/ipnlocal: add optional TLS termination on proxied TCP connections

Updates tailscale/corp#7515 Change-Id: Ib250fa20275971563adccfa72db48e0cec02b7a5 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2025-08-12 05:37:32 +00:00 · 2022-11-10 21:24:22 -08:00
parent 56dfdbe190
commit c9d6a9cb4d
4 changed files with 28 additions and 14 deletions
--- a/ipn/ipnlocal/serve.go
+++ b/ipn/ipnlocal/serve.go
@@ -112,11 +112,6 @@ func (b *LocalBackend) HandleInterceptedTCPConn(dport uint16, srcAddr netip.Addr
 	}

 	if backDst := tcph.TCPForward(); backDst != "" {
-		if tcph.TerminateTLS() {
-			b.logf("TODO(bradfitz): finish")
-			sendRST()
-			return
-		}
 		ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
 		backConn, err := b.dialer.SystemDial(ctx, "tcp", backDst)
 		cancel()
@@ -134,6 +129,24 @@ func (b *LocalBackend) HandleInterceptedTCPConn(dport uint16, srcAddr netip.Addr
 		defer conn.Close()
 		defer backConn.Close()

+		if sni := tcph.TerminateTLS(); sni != "" {
+			conn = tls.Server(conn, &tls.Config{
+				GetCertificate: func(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
+					ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
+					defer cancel()
+					pair, err := b.GetCertPEM(ctx, sni)
+					if err != nil {
+						return nil, err
+					}
+					cert, err := tls.X509KeyPair(pair.CertPEM, pair.KeyPEM)
+					if err != nil {
+						return nil, err
+					}
+					return &cert, nil
+				},
+			})
+		}
+
 		// TODO(bradfitz): do the RegisterIPPortIdentity and
 		// UnregisterIPPortIdentity stuff that netstack does