net/tlsdial: fix TLS cert validation of HTTPS proxies

If you had HTTPS_PROXY=https://some-valid-cert.example.com running a CONNECT proxy, we should've been able to do a TLS CONNECT request to e.g. controlplane.tailscale.com:443 through that, and I'm pretty sure it used to work, but refactorings and lack of integration tests made it regress. It probably regressed when we added the baked-in LetsEncrypt root cert validation fallback code, which was testing against the wrong hostname (the ultimate one, not the one which we were being asked to validate) Fixes #16222 Change-Id: If014e395f830e2f87f056f588edacad5c15e91bc Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2025-12-23 09:06:24 +00:00 · 2025-06-08 18:51:41 -07:00
parent 4979ce7a94
commit e92eb6b17b
17 changed files with 672 additions and 49 deletions
--- a/net/tlsdial/tlsdial_test.go
+++ b/net/tlsdial/tlsdial_test.go
@@ -86,7 +86,7 @@ func TestFallbackRootWorks(t *testing.T) {
 		DisableKeepAlives: true, // for test cleanup ease
 	}
 	ht := new(health.Tracker)
-	tr.TLSClientConfig = Config("tlsdial.test", ht, tr.TLSClientConfig)
+	tr.TLSClientConfig = Config(ht, tr.TLSClientConfig)
 	c := &http.Client{Transport: tr}

 	ctr0 := atomic.LoadInt32(&counterFallbackOK)