prober,derp/derphttp: make dev-mode DERP probes work without TLS (#14347)

Make dev-mode DERP probes work without TLS. Properly dial port `3340` when not using HTTPS when dialing nodes in `derphttp_client`. Skip verifying TLS state in `newConn` if we are not running a prober. Updates tailscale/corp#24635 Signed-off-by: Percy Wegmann <percy@tailscale.com> Co-authored-by: Percy Wegmann <percy@tailscale.com>
2025-04-30 20:51:02 +00:00 · 2024-12-10 10:51:03 -07:00 · 2024-12-10 10:51:03 -07:00 · ea3d0bcfd4
commit ea3d0bcfd4
parent 24b243c194
2 changed files with 19 additions and 12 deletions
--- a/derp/derphttp/derphttp_client.go
+++ b/derp/derphttp/derphttp_client.go
@ -757,6 +757,9 @@ func (c *Client) dialNode(ctx context.Context, n *tailcfg.DERPNode) (net.Conn, e
 			}
 			dst := cmp.Or(dstPrimary, n.HostName)
 			port := "443"
 			if !c.useHTTPS() {
 				port = "3340"
 			}
 			if n.DERPPort != 0 {
 				port = fmt.Sprint(n.DERPPort)
 			}
--- a/prober/derp.go
+++ b/prober/derp.go
@ -597,18 +597,22 @@ func newConn(ctx context.Context, dm *tailcfg.DERPMap, n *tailcfg.DERPNode, isPr
 	if err != nil {
 		return nil, err
 	}
-	cs, ok := dc.TLSConnectionState()
+
-	if !ok {
+	// Only verify TLS state if this is a prober.
-		dc.Close()
+	if isProber {
-		return nil, errors.New("no TLS state")
+		cs, ok := dc.TLSConnectionState()
-	}
+		if !ok {
-	if len(cs.PeerCertificates) == 0 {
+			dc.Close()
-		dc.Close()
+			return nil, errors.New("no TLS state")
-		return nil, errors.New("no peer certificates")
+		}
-	}
+		if len(cs.PeerCertificates) == 0 {
-	if cs.ServerName != n.HostName {
+			dc.Close()
-		dc.Close()
+			return nil, errors.New("no peer certificates")
-		return nil, fmt.Errorf("TLS server name %q != derp hostname %q", cs.ServerName, n.HostName)
+		}
 		if cs.ServerName != n.HostName {
 			dc.Close()
 			return nil, fmt.Errorf("TLS server name %q != derp hostname %q", cs.ServerName, n.HostName)
 		}
 	}
 	errc := make(chan error, 1)