net/tlsdial, derp/derphttp: finish DERPNode.CertName validation

Brad Fitzpatrick
2020-06-01 09:01:37 -07:00
parent 722673f307
commit cf0d19f0ab
2 changed files with 57 additions and 8 deletions


@@ -142,14 +142,11 @@ func (c *Client) useHTTPS() bool {
return true
}
// tlsServerName returns which TLS cert name to expect for the given node.
// tlsServerName returns the tls.Config.ServerName value (for the TLS ClientHello).
func (c *Client) tlsServerName(node *tailcfg.DERPNode) string {
if c.url != nil {
return c.url.Host
}
if node.CertName != "" {
return node.CertName
}
return node.HostName
}
@@ -350,8 +347,13 @@ func (c *Client) dialRegion(ctx context.Context, reg *tailcfg.DERPRegion) (net.C
func (c *Client) tlsClient(nc net.Conn, node *tailcfg.DERPNode) *tls.Conn {
tlsConf := tlsdial.Config(c.tlsServerName(node), c.TLSConfig)
if node != nil && node.DERPTestPort != 0 {
tlsConf.InsecureSkipVerify = true
if node != nil {
if node.DERPTestPort != 0 {
tlsConf.InsecureSkipVerify = true
}
if node.CertName != "" {
tlsdial.SetConfigExpectedCert(tlsConf, node.CertName)
}
}
return tls.Client(nc, tlsConf)
}
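Review bot: The new `node != nil` guard in tlsClient does not cover the `c.tlsServerName(node)` call on the line above it, which still dereferences `node.HostName` whenever `c.url` is nil, so a nil node panics before the guard is reached; either the guard is unnecessary or tlsServerName should be made nil-safe with `if node == nil { return "" }` ahead of the `node.HostName` return. The same block sets `InsecureSkipVerify = true` for `DERPTestPort != 0` and then calls `tlsdial.SetConfigExpectedCert`, whose body is not in this hunk, so whether a test-port node with a CertName gets any certificate check depends on that helper installing its own verification rather than relying on crypto/tls's default; that dependency deserves a comment at the call site, e.g. `// DERPTestPort nodes skip the default chain check; SetConfigExpectedCert must supply the CertName verification itself.` Separately, `c.url.Host` may carry a port, which is not a valid tls.Config.ServerName, but that path is unchanged by this commit.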