mirror of
https://github.com/yggdrasil-network/yggdrasil-go.git
synced 2024-11-23 18:15:24 +00:00
Merge pull request #822 from yggdrasil-network/sni
TLS Server Name Indication
This commit is contained in:
commit
f92d812f3c
@ -98,6 +98,22 @@ func (l *links) call(u *url.URL, sintf string) error {
|
|||||||
l.tcp.call(pathtokens[0], tcpOpts, sintf)
|
l.tcp.call(pathtokens[0], tcpOpts, sintf)
|
||||||
case "tls":
|
case "tls":
|
||||||
tcpOpts.upgrade = l.tcp.tls.forDialer
|
tcpOpts.upgrade = l.tcp.tls.forDialer
|
||||||
|
// SNI headers must contain hostnames and not IP addresses, so we must make sure
|
||||||
|
// that we do not populate the SNI with an IP literal. We do this by splitting
|
||||||
|
// the host-port combo from the query option and then seeing if it parses to an
|
||||||
|
// IP address successfully or not.
|
||||||
|
if sni := u.Query().Get("sni"); sni != "" {
|
||||||
|
if net.ParseIP(sni) == nil {
|
||||||
|
tcpOpts.tlsSNI = sni
|
||||||
|
}
|
||||||
|
}
|
||||||
|
// If the SNI is not configured still because the above failed then we'll try
|
||||||
|
// again but this time we'll use the host part of the peering URI instead.
|
||||||
|
if tcpOpts.tlsSNI == "" {
|
||||||
|
if host, _, err := net.SplitHostPort(u.Host); err == nil && net.ParseIP(host) == nil {
|
||||||
|
tcpOpts.tlsSNI = host
|
||||||
|
}
|
||||||
|
}
|
||||||
l.tcp.call(u.Host, tcpOpts, sintf)
|
l.tcp.call(u.Host, tcpOpts, sintf)
|
||||||
default:
|
default:
|
||||||
return errors.New("unknown call scheme: " + u.Scheme)
|
return errors.New("unknown call scheme: " + u.Scheme)
|
||||||
|
@ -64,6 +64,7 @@ type tcpOptions struct {
|
|||||||
socksProxyAddr string
|
socksProxyAddr string
|
||||||
socksProxyAuth *proxy.Auth
|
socksProxyAuth *proxy.Auth
|
||||||
socksPeerAddr string
|
socksPeerAddr string
|
||||||
|
tlsSNI string
|
||||||
}
|
}
|
||||||
|
|
||||||
func (l *TcpListener) Stop() {
|
func (l *TcpListener) Stop() {
|
||||||
|
@ -78,7 +78,7 @@ func (t *tcptls) init(tcp *tcp) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (t *tcptls) configForOptions(options *tcpOptions) *tls.Config {
|
func (t *tcptls) configForOptions(options *tcpOptions) *tls.Config {
|
||||||
config := *t.config
|
config := t.config.Clone()
|
||||||
config.VerifyPeerCertificate = func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
|
config.VerifyPeerCertificate = func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
|
||||||
if len(rawCerts) != 1 {
|
if len(rawCerts) != 1 {
|
||||||
return errors.New("tls not exactly 1 cert")
|
return errors.New("tls not exactly 1 cert")
|
||||||
@ -103,7 +103,7 @@ func (t *tcptls) configForOptions(options *tcpOptions) *tls.Config {
|
|||||||
}
|
}
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
return &config
|
return config
|
||||||
}
|
}
|
||||||
|
|
||||||
func (t *tcptls) upgradeListener(c net.Conn, options *tcpOptions) (net.Conn, error) {
|
func (t *tcptls) upgradeListener(c net.Conn, options *tcpOptions) (net.Conn, error) {
|
||||||
@ -117,6 +117,7 @@ func (t *tcptls) upgradeListener(c net.Conn, options *tcpOptions) (net.Conn, err
|
|||||||
|
|
||||||
func (t *tcptls) upgradeDialer(c net.Conn, options *tcpOptions) (net.Conn, error) {
|
func (t *tcptls) upgradeDialer(c net.Conn, options *tcpOptions) (net.Conn, error) {
|
||||||
config := t.configForOptions(options)
|
config := t.configForOptions(options)
|
||||||
|
config.ServerName = options.tlsSNI
|
||||||
conn := tls.Client(c, config)
|
conn := tls.Client(c, config)
|
||||||
if err := conn.Handshake(); err != nil {
|
if err := conn.Handshake(); err != nil {
|
||||||
return c, err
|
return c, err
|
||||||
|
Loading…
Reference in New Issue
Block a user