1 // tofuproxy -- flexible HTTP/HTTPS proxy, TLS terminator, X.509 TOFU
2 // manager, WARC/geminispace browser
3 // Copyright (C) 2021-2024 Sergey Matveev <stargrave@stargrave.org>
5 // This program is free software: you can redistribute it and/or modify
6 // it under the terms of the GNU General Public License as published by
7 // the Free Software Foundation, version 3 of the License.
9 // This program is distributed in the hope that it will be useful,
10 // but WITHOUT ANY WARRANTY; without even the implied warranty of
11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 // GNU General Public License for more details.
14 // You should have received a copy of the GNU General Public License
15 // along with this program. If not, see <http://www.gnu.org/licenses/>.
26 "go.cypherpunks.ru/ucspi"
27 "go.stargrave.org/tofuproxy/fifos"
30 var sessionCache = tls.NewLRUClientSessionCache(1024)
32 func DialTLS(ctx context.Context, network, addr string) (net.Conn, error) {
33 host, _, _ := SplitHostPort(addr)
34 host = toLowerCaseASCII(host)
35 ccg := ClientCertificateGetter{host: host}
37 VerifyPeerCertificate: func(
39 verifiedChains [][]*x509.Certificate,
41 return verifyCert(host, nil, rawCerts, verifiedChains)
43 ClientSessionCache: sessionCache,
44 NextProtos: []string{"h2", "http/1.1"},
45 GetClientCertificate: ccg.get,
47 conn, dialErr := tls.Dial(network, addr, &cfg)
49 if _, ok := dialErr.(ErrRejected); ok {
52 cfg.InsecureSkipVerify = true
53 cfg.VerifyPeerCertificate = func(
55 verifiedChains [][]*x509.Certificate,
57 return verifyCert(host, dialErr, rawCerts, verifiedChains)
60 conn, err = tls.Dial(network, addr, &cfg)
62 fifos.LogErr <- fmt.Sprintf("%s\t%s", addr, dialErr.Error())
66 connState := conn.ConnectionState()
67 if !connState.DidResume {
68 fifos.LogTLS <- fmt.Sprintf(
69 "%s\t%s %s %s\t%s\t%s",
71 ucspi.TLSVersion(connState.Version),
72 tls.CipherSuiteName(connState.CipherSuite),
73 connState.PeerCertificates[0].SignatureAlgorithm,
74 spkiHash(connState.PeerCertificates[0]),
75 connState.NegotiatedProtocol,