Merge pull request #822 from yggdrasil-network/sni

TLS Server Name Indication
Arceliar 2021-09-24 05:14:28 -05:00 committed by GitHub
commit f92d812f3c
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 20 additions and 2 deletions


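--- a/FILE-1-PATH-NOT-SHOWN-ON-PAGE
+++ b/FILE-1-PATH-NOT-SHOWN-ON-PAGE
@@ -98,6 +98,22 @@ func (l *links) call(u *url.URL, sintf string) error {
 l.tcp.call(pathtokens[0], tcpOpts, sintf)
 case "tls":
 tcpOpts.upgrade = l.tcp.tls.forDialer
+// SNI headers must contain hostnames and not IP addresses, so we must make sure
+// that we do not populate the SNI with an IP literal. We do this by splitting
+// the host-port combo from the query option and then seeing if it parses to an
+// IP address successfully or not.
+if sni := u.Query().Get("sni"); sni != "" {
+if net.ParseIP(sni) == nil {
+tcpOpts.tlsSNI = sni
+}
+}
+// If the SNI is not configured still because the above failed then we'll try
+// again but this time we'll use the host part of the peering URI instead.
+if tcpOpts.tlsSNI == "" {
+if host, _, err := net.SplitHostPort(u.Host); err == nil && net.ParseIP(host) == nil {
+tcpOpts.tlsSNI = host
+}
+}
 l.tcp.call(u.Host, tcpOpts, sintf)
 default:
 return errors.New("unknown call scheme: " + u.Scheme)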
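Review bot: The comment added above the `sni` query check says the value is split as a host-port combo, but the code only hands it to net.ParseIP, so a bracketed literal such as `[::1]` (constructed example) is not recognised as an IP and ends up as the ServerName the dialer sends. Either run the query value through the same SplitHostPort-then-ParseIP treatment the fallback uses, or tighten the comment to `// The sni option must be a bare hostname; an IP literal is dropped so it is never sent as SNI.` For the fallback, `u.Hostname()` strips brackets and also works when the URI carries no port, whereas net.SplitHostPort(u.Host) fails there and leaves SNI empty; note that switching would change behaviour for port-less URIs. A silently dropped `sni` value is hard to diagnose for the operator who set it, so a debug-level log at that point would help. The enclosing call function starts before and ends after this hunk.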


@ -64,6 +64,7 @@ type tcpOptions struct {
socksProxyAddr string socksProxyAddr string
socksProxyAuth *proxy.Auth socksProxyAuth *proxy.Auth
socksPeerAddr string socksPeerAddr string
tlsSNI string
} }
func (l *TcpListener) Stop() { func (l *TcpListener) Stop() {


@ -78,7 +78,7 @@ func (t *tcptls) init(tcp *tcp) {
} }
func (t *tcptls) configForOptions(options *tcpOptions) *tls.Config { func (t *tcptls) configForOptions(options *tcpOptions) *tls.Config {
config := *t.config config := t.config.Clone()
config.VerifyPeerCertificate = func(rawCerts [][]byte, _ [][]*x509.Certificate) error { config.VerifyPeerCertificate = func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
if len(rawCerts) != 1 { if len(rawCerts) != 1 {
return errors.New("tls not exactly 1 cert") return errors.New("tls not exactly 1 cert")
@ -103,7 +103,7 @@ func (t *tcptls) configForOptions(options *tcpOptions) *tls.Config {
} }
return nil return nil
} }
return &config return config
} }
func (t *tcptls) upgradeListener(c net.Conn, options *tcpOptions) (net.Conn, error) { func (t *tcptls) upgradeListener(c net.Conn, options *tcpOptions) (net.Conn, error) {
@ -117,6 +117,7 @@ func (t *tcptls) upgradeListener(c net.Conn, options *tcpOptions) (net.Conn, err
func (t *tcptls) upgradeDialer(c net.Conn, options *tcpOptions) (net.Conn, error) { func (t *tcptls) upgradeDialer(c net.Conn, options *tcpOptions) (net.Conn, error) {
config := t.configForOptions(options) config := t.configForOptions(options)
config.ServerName = options.tlsSNI
conn := tls.Client(c, config) conn := tls.Client(c, config)
if err := conn.Handshake(); err != nil { if err := conn.Handshake(); err != nil {
return c, err return c, err