yggdrasil-network/yggdrasil-go
1
0
Fork 0
mirror of https://github.com/yggdrasil-network/yggdrasil-go.git synced 2025-11-04 03:05:07 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge pull request #822 from yggdrasil-network/sni

Browse source 
TLS Server Name Indication
This commit is contained in:
Arceliar 2021-09-24 05:14:28 -05:00 committed by GitHub
commit f92d812f3c
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 20 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

16
src/core/link.go
View file

@ -98,6 +98,22 @@ func (l *links) call(u *url.URL, sintf string) error {
l.tcp.call(pathtokens[0], tcpOpts, sintf)
case "tls":
tcpOpts.upgrade = l.tcp.tls.forDialer
// SNI headers must contain hostnames and not IP addresses, so we must make sure
// that we do not populate the SNI with an IP literal. We do this by splitting
// the host-port combo from the query option and then seeing if it parses to an
// IP address successfully or not.
if sni := u.Query().Get("sni"); sni != "" {
if net.ParseIP(sni) == nil {
tcpOpts.tlsSNI = sni
}
}
// If the SNI is not configured still because the above failed then we'll try
// again but this time we'll use the host part of the peering URI instead.
if tcpOpts.tlsSNI == "" {
if host, _, err := net.SplitHostPort(u.Host); err == nil && net.ParseIP(host) == nil {
tcpOpts.tlsSNI = host
}
}
l.tcp.call(u.Host, tcpOpts, sintf)
default:
return errors.New("unknown call scheme: " + u.Scheme)

1
src/core/tcp.go
View file

@ -64,6 +64,7 @@ type tcpOptions struct {
socksProxyAddr string
socksProxyAuth *proxy.Auth
socksPeerAddr string
tlsSNI string
}
func (l *TcpListener) Stop() {

5
src/core/tls.go
View file

@ -78,7 +78,7 @@ func (t *tcptls) init(tcp *tcp) {
}
func (t *tcptls) configForOptions(options *tcpOptions) *tls.Config {
config := *t.config
config := t.config.Clone()
config.VerifyPeerCertificate = func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
if len(rawCerts) != 1 {
return errors.New("tls not exactly 1 cert")
@ -103,7 +103,7 @@ func (t *tcptls) configForOptions(options *tcpOptions) *tls.Config {
}
return nil
}
return &config
return config
}
func (t *tcptls) upgradeListener(c net.Conn, options *tcpOptions) (net.Conn, error) {
@ -117,6 +117,7 @@ func (t *tcptls) upgradeListener(c net.Conn, options *tcpOptions) (net.Conn, err
func (t *tcptls) upgradeDialer(c net.Conn, options *tcpOptions) (net.Conn, error) {
config := t.configForOptions(options)
config.ServerName = options.tlsSNI
conn := tls.Client(c, config)
if err := conn.Handshake(); err != nil {
return c, err