5
0
mirror of https://github.com/cwinfo/yggdrasil-go.git synced 2024-11-09 17:30:26 +00:00

Update SNI code

This commit is contained in:
Neil Alexander 2021-08-01 21:36:51 +01:00
parent f094cf34bf
commit bbdff033ce
2 changed files with 15 additions and 9 deletions

View File

@ -98,10 +98,18 @@ func (l *links) call(u *url.URL, sintf string) error {
l.tcp.call(pathtokens[0], tcpOpts, sintf) l.tcp.call(pathtokens[0], tcpOpts, sintf)
case "tls": case "tls":
tcpOpts.upgrade = l.tcp.tls.forDialer tcpOpts.upgrade = l.tcp.tls.forDialer
tcpOpts.tlsSNI = u.Query().Get("sni") // SNI headers must contain hostnames and not IP addresses, so we must make sure
// that we do not populate the SNI with an IP literal. We do this by splitting
// the host-port combo from the query option and then seeing if it parses to an
// IP address successfully or not.
if sni := u.Query().Get("sni"); sni != "" {
if host, _, err := net.SplitHostPort(sni); err == nil && net.ParseIP(host) == nil {
tcpOpts.tlsSNI = host
}
}
// If the SNI is not configured still because the above failed then we'll try
// again but this time we'll use the host part of the peering URI instead.
if tcpOpts.tlsSNI == "" { if tcpOpts.tlsSNI == "" {
// SNI headers must contain hostnames and not IP addresses, so we must make sure
// that we do not populate the SNI with an IP literal.
if host, _, err := net.SplitHostPort(u.Host); err == nil && net.ParseIP(host) == nil { if host, _, err := net.SplitHostPort(u.Host); err == nil && net.ParseIP(host) == nil {
tcpOpts.tlsSNI = host tcpOpts.tlsSNI = host
} }

View File

@ -77,7 +77,7 @@ func (t *tcptls) init(tcp *tcp) {
} }
} }
func (t *tcptls) configForOptions(options *tcpOptions, serverName string) *tls.Config { func (t *tcptls) configForOptions(options *tcpOptions) *tls.Config {
config := t.config.Clone() config := t.config.Clone()
config.VerifyPeerCertificate = func(rawCerts [][]byte, _ [][]*x509.Certificate) error { config.VerifyPeerCertificate = func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
if len(rawCerts) != 1 { if len(rawCerts) != 1 {
@ -103,14 +103,11 @@ func (t *tcptls) configForOptions(options *tcpOptions, serverName string) *tls.C
} }
return nil return nil
} }
if serverName != "" {
config.ServerName = serverName
}
return config return config
} }
func (t *tcptls) upgradeListener(c net.Conn, options *tcpOptions) (net.Conn, error) { func (t *tcptls) upgradeListener(c net.Conn, options *tcpOptions) (net.Conn, error) {
config := t.configForOptions(options, "") config := t.configForOptions(options)
conn := tls.Server(c, config) conn := tls.Server(c, config)
if err := conn.Handshake(); err != nil { if err := conn.Handshake(); err != nil {
return c, err return c, err
@ -119,7 +116,8 @@ func (t *tcptls) upgradeListener(c net.Conn, options *tcpOptions) (net.Conn, err
} }
func (t *tcptls) upgradeDialer(c net.Conn, options *tcpOptions) (net.Conn, error) { func (t *tcptls) upgradeDialer(c net.Conn, options *tcpOptions) (net.Conn, error) {
config := t.configForOptions(options, options.tlsSNI) config := t.configForOptions(options)
config.ServerName = options.tlsSNI
conn := tls.Client(c, config) conn := tls.Client(c, config)
if err := conn.Handshake(); err != nil { if err := conn.Handshake(); err != nil {
return c, err return c, err