TLS session resumption support
diff --git a/main.go b/main.go
index 79e355ebdc131ae2bc32f9d89607c1a0865ec9cf..69448ce2a66f53860064e9bde6ba3c0b4ed0f73c 100644 (file)
--- a/main.go
+++ b/main.go
@@ -19,10 +19,8 @@ package main
 import (
        "context"
        "crypto"
-       "crypto/sha256"
        "crypto/tls"
        "crypto/x509"
-       "encoding/hex"
        "flag"
        "fmt"
        "io"
@@ -33,7 +31,6 @@ import (
        "os"
        "os/exec"
        "strings"
-       "sync"
        "time"
 
        "github.com/dustin/go-humanize"
@@ -42,51 +39,19 @@ import (
 
 var (
        tlsNextProtoS = make(map[string]func(*http.Server, *tls.Conn, http.Handler))
-       tlsNextProtoC = make(map[string]func(string, *tls.Conn) http.RoundTripper)
        caCert        *x509.Certificate
        caPrv         crypto.PrivateKey
-       certs         *string
-       dnsSrv        *string
        transport     = http.Transport{
-               ForceAttemptHTTP2:   false,
-               DisableKeepAlives:   true,
-               MaxIdleConnsPerHost: 2,
-               TLSNextProto:        tlsNextProtoC,
-               DialTLSContext:      dialTLS,
+               ForceAttemptHTTP2: false,
+               TLSNextProto:      make(map[string]func(string, *tls.Conn) http.RoundTripper),
+               DialTLSContext:    dialTLS,
        }
-
-       accepted  = make(map[string]string)
-       acceptedM sync.RWMutex
-       rejected  = make(map[string]string)
-       rejectedM sync.RWMutex
+       sessionCache = tls.NewLRUClientSessionCache(1024)
 
        CmdDWebP = "dwebp"
        CmdDJXL  = "djxl"
 )
 
-func spkiHash(cert *x509.Certificate) string {
-       hsh := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
-       return hex.EncodeToString(hsh[:])
-}
-
-func acceptedAdd(addr, h string) {
-       acceptedM.Lock()
-       accepted[addr] = h
-       acceptedM.Unlock()
-}
-
-func rejectedAdd(addr, h string) {
-       rejectedM.Lock()
-       rejected[addr] = h
-       rejectedM.Unlock()
-}
-
-type ErrRejected struct {
-       addr string
-}
-
-func (err ErrRejected) Error() string { return err.addr + " was rejected" }
-
 func dialTLS(ctx context.Context, network, addr string) (net.Conn, error) {
        host := strings.TrimSuffix(addr, ":443")
        cfg := tls.Config{
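Review bot: `sessionCache` on L51 is one process-wide LRU shared by every dialTLS call, and as far as I can tell crypto/tls restores the peer certificate from the cached session on a resumed handshake instead of re-running the `VerifyPeerCertificate` callback, so a trust decision made after the session was cached (a host later rejected, or a pinned key that changed — the rejected-map handling removed here presumably moved to another file) is not re-checked until the ticket expires or the entry is evicted; hunk 4 wires this same cache into the per-dial config. Wherever a host's certificate is rejected or its pin is replaced, evicting the entry with `sessionCache.Put(key, nil)` closes that window: the documentation of `LRUClientSessionCache.Put` states that a nil state removes the key, and the cache key is the config's `ServerName` when set, otherwise the remote address. The transport literal on L36-L45 now pools idle upstream connections (the commit drops `DisableKeepAlives`) but sets no `IdleConnTimeout`, so idle connections stay open until the upstream closes them; `IdleConnTimeout: 90 * time.Second` matches `http.DefaultTransport` and `time` is already imported. A doc comment on the new variable would also help: `// sessionCache holds TLS client session state for every upstream dial (LRU, 1024 entries); shared across hosts.`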
@@ -96,6 +61,7 @@ func dialTLS(ctx context.Context, network, addr string) (net.Conn, error) {
                ) error {
                        return verifyCert(host, nil, rawCerts, verifiedChains)
                },
+               ClientSessionCache: sessionCache,
        }
        conn, dialErr := tls.Dial(network, addr, &cfg)
        if dialErr != nil {
@@ -117,13 +83,17 @@ func dialTLS(ctx context.Context, network, addr string) (net.Conn, error) {
                }
        }
        connState := conn.ConnectionState()
-       sinkTLS <- fmt.Sprintf(
+       msg := fmt.Sprintf(
                "%s\t%s %s\t%s",
                strings.TrimSuffix(addr, ":443"),
                ucspi.TLSVersion(connState.Version),
                tls.CipherSuiteName(connState.CipherSuite),
                spkiHash(connState.PeerCertificates[0]),
        )
+       if connState.DidResume {
+               msg += "\tresumed"
+       }
+       sinkTLS <- msg
        return conn, nil
 }
 
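Review bot: The `resumed` marker on L103-L105 is logged next to `spkiHash(connState.PeerCertificates[0])`, which on a resumed session comes from the cached session state rather than a certificate presented in this handshake, so the entry records the previously pinned key, not a fresh observation; a comment such as `// on resumption PeerCertificates is restored from the session cache, not re-verified` would keep readers from treating the line as evidence of a new verification. Because the commit also enables connection reuse in the transport, requests served over a pooled connection never enter dialTLS and produce no sinkTLS entry at all, which whoever consumes that log should know. `spkiHash` is still called on L101 although its definition is removed from this file in this commit; presumably it now lives in another file of the same change, but that is not visible here. The start of dialTLS lies before this hunk.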
@@ -411,7 +381,6 @@ func main() {
                Handler:      &Handler{},
                TLSNextProto: tlsNextProtoS,
        }
-       srv.SetKeepAlivesEnabled(false)
        log.Println("listening:", *bind)
        if err := srv.Serve(ln); err != nil {
                log.Fatalln(err)
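Review bot: With `srv.SetKeepAlivesEnabled(false)` gone, the listening server now keeps idle client connections open, and nothing in the hunk shows an `IdleTimeout` or `ReadHeaderTimeout` on `srv`, so idle or slow clients hold connections indefinitely unless a timeout is set where `srv` is built above the hunk. If none is set there, `IdleTimeout: 2 * time.Minute` in the `http.Server` literal bounds that (`time` is already imported). The `srv` literal and the rest of main begin outside the hunk.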