tailscale

TheArchive/tailscale

Fork 0

mirror of https://github.com/tailscale/tailscale.git synced 2025-06-24 17:18:40 +00:00

Commit Graph

Author	SHA1	Message	Date
Brad Fitzpatrick	a64ca7a5b4	tstest/tlstest: simplify, don't even bake in any keys I earlier thought this saved a second of CPU even on a fast machine, but I think when I was previously measuring, I still had a 4096 bit RSA key being generated in the code I was measuring. Measuring again for this, it's plenty fast. Prep for using this package more, for derp, etc. Updates #16315 Change-Id: I4c9008efa9aa88a3d65409d6ffd7b3807f4d75e9 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2025-06-19 16:12:32 -07:00
Brad Fitzpatrick	e92eb6b17b	net/tlsdial: fix TLS cert validation of HTTPS proxies If you had HTTPS_PROXY=https://some-valid-cert.example.com running a CONNECT proxy, we should've been able to do a TLS CONNECT request to e.g. controlplane.tailscale.com:443 through that, and I'm pretty sure it used to work, but refactorings and lack of integration tests made it regress. It probably regressed when we added the baked-in LetsEncrypt root cert validation fallback code, which was testing against the wrong hostname (the ultimate one, not the one which we were being asked to validate) Fixes #16222 Change-Id: If014e395f830e2f87f056f588edacad5c15e91bc Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2025-06-18 14:20:39 -07:00

Author

SHA1

Message

Date

Brad Fitzpatrick

a64ca7a5b4

tstest/tlstest: simplify, don't even bake in any keys

I earlier thought this saved a second of CPU even on a fast machine,
but I think when I was previously measuring, I still had a 4096 bit
RSA key being generated in the code I was measuring.

Measuring again for this, it's plenty fast.

Prep for using this package more, for derp, etc.

Updates #16315

Change-Id: I4c9008efa9aa88a3d65409d6ffd7b3807f4d75e9
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>

2025-06-19 16:12:32 -07:00

Brad Fitzpatrick

e92eb6b17b

net/tlsdial: fix TLS cert validation of HTTPS proxies

If you had HTTPS_PROXY=https://some-valid-cert.example.com running a
CONNECT proxy, we should've been able to do a TLS CONNECT request to
e.g. controlplane.tailscale.com:443 through that, and I'm pretty sure
it used to work, but refactorings and lack of integration tests made
it regress.

It probably regressed when we added the baked-in LetsEncrypt root cert
validation fallback code, which was testing against the wrong hostname
(the ultimate one, not the one which we were being asked to validate)

Fixes #16222

Change-Id: If014e395f830e2f87f056f588edacad5c15e91bc
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>

2025-06-18 14:20:39 -07:00

2 Commits