Update SNI code
This commit is contained in:
parent
f094cf34bf
commit
bbdff033ce
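--- a/PATH_NOT_SHOWN_ON_PAGE_1
+++ b/PATH_NOT_SHOWN_ON_PAGE_1
@@ -98,10 +98,18 @@ func (l *links) call(u *url.URL, sintf string) error {
 		l.tcp.call(pathtokens[0], tcpOpts, sintf)
 	case "tls":
 		tcpOpts.upgrade = l.tcp.tls.forDialer
-		tcpOpts.tlsSNI = u.Query().Get("sni")
+		// SNI headers must contain hostnames and not IP addresses, so we must make sure
+		// that we do not populate the SNI with an IP literal. We do this by splitting
+		// the host-port combo from the query option and then seeing if it parses to an
+		// IP address successfully or not.
+		if sni := u.Query().Get("sni"); sni != "" {
+			if host, _, err := net.SplitHostPort(sni); err == nil && net.ParseIP(host) == nil {
+				tcpOpts.tlsSNI = host
+			}
+		}
+		// If the SNI is not configured still because the above failed then we'll try
+		// again but this time we'll use the host part of the peering URI instead.
 		if tcpOpts.tlsSNI == "" {
-			// SNI headers must contain hostnames and not IP addresses, so we must make sure
-			// that we do not populate the SNI with an IP literal.
 			if host, _, err := net.SplitHostPort(u.Host); err == nil && net.ParseIP(host) == nil {
 				tcpOpts.tlsSNI = host
 			}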
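Review bot: A bare hostname in the `sni` query option is silently discarded by the new `if sni := ...` block, because `net.SplitHostPort` returns an error for a value with no port and that error only falls through to the `u.Host` fallback; an operator who writes `?sni=example.com` gets the peer address as SNI instead, with nothing logged. If the option is really meant to carry a host:port pair, as the new comment says, that should be stated where the option is documented; otherwise parse it with a port-less fallback as below (a bracketed IPv6 literal without a port would still need rejecting, since `net.ParseIP` does not accept the bracketed form). The same parse-then-check sequence now appears twice back to back, so a small helper taking the raw string would keep both paths identical. The enclosing `call` method starts and ends outside the hunk.
```go
		if sni := u.Query().Get("sni"); sni != "" {
			host := sni
			if h, _, err := net.SplitHostPort(sni); err == nil {
				host = h
			}
			// Refuse IP literals here too; SNI must carry a hostname.
			if net.ParseIP(host) == nil {
				tcpOpts.tlsSNI = host
			}
		}
		// … unchanged: fallback to the host part of u.Host …
```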
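--- a/PATH_NOT_SHOWN_ON_PAGE_2
+++ b/PATH_NOT_SHOWN_ON_PAGE_2
@@ -77,7 +77,7 @@ func (t *tcptls) init(tcp *tcp) {
 	}
 }
 
-func (t *tcptls) configForOptions(options *tcpOptions, serverName string) *tls.Config {
+func (t *tcptls) configForOptions(options *tcpOptions) *tls.Config {
 	config := t.config.Clone()
 	config.VerifyPeerCertificate = func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
 		if len(rawCerts) != 1 {
@@ -103,14 +103,11 @@ func (t *tcptls) configForOptions(options *tcpOptions, serverName string) *tls.C
 		}
 		return nil
 	}
-	if serverName != "" {
-		config.ServerName = serverName
-	}
 	return config
 }
 
 func (t *tcptls) upgradeListener(c net.Conn, options *tcpOptions) (net.Conn, error) {
-	config := t.configForOptions(options, "")
+	config := t.configForOptions(options)
 	conn := tls.Server(c, config)
 	if err := conn.Handshake(); err != nil {
 		return c, err
@@ -119,7 +116,8 @@ func (t *tcptls) upgradeListener(c net.Conn, options *tcpOptions) (net.Conn, err
 }
 
 func (t *tcptls) upgradeDialer(c net.Conn, options *tcpOptions) (net.Conn, error) {
-	config := t.configForOptions(options, options.tlsSNI)
+	config := t.configForOptions(options)
+	config.ServerName = options.tlsSNI
 	conn := tls.Client(c, config)
 	if err := conn.Handshake(); err != nil {
 		return c, err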
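Review bot: `config.ServerName = options.tlsSNI` in `upgradeDialer` is now unconditional, whereas the guard removed from `configForOptions` only assigned the name when it was non-empty; with an empty `tlsSNI` the dialer now overwrites whatever `ServerName` the clone of `t.config` carried with `""`. Whether `t.config` ever sets `ServerName` is not visible in this diff, so this may be harmless today, but restoring the guard keeps the previous behaviour and costs one line: `if options.tlsSNI != "" { config.ServerName = options.tlsSNI }`. Since `configForOptions` no longer takes a per-call name, a short doc comment stating what it does return would help readers, for example `// configForOptions returns a clone of the base TLS config with the peer certificate check installed.`; the body of that check lies between the first two hunks and is not shown here.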