TLS client certificates
diff --git a/tls.go b/tls.go
index 4c29a6ff6bdf541b806fb83f08d4e3b8283e7aa4..2db3ceb87c20a2a9703c8b3e9efb34f056437171 100644 (file)
--- a/tls.go
+++ b/tls.go
@@ -104,6 +104,7 @@ func (h *HTTPSHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 
 func dialTLS(ctx context.Context, network, addr string) (net.Conn, error) {
        host := strings.TrimSuffix(addr, ":443")
+       ccg := ClientCertificateGetter{host}
        cfg := tls.Config{
                VerifyPeerCertificate: func(
                        rawCerts [][]byte,
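Review bot: The new `ClientCertificateGetter{host}` is keyed on a `host` that is produced by `strings.TrimSuffix(addr, ":443")` on the line above, so for any address on a non-default port (a constructed example: `example.test:8443`) the lookup key still carries the port, and a certificate configured for the bare host name would presumably not be matched; the getter's body is outside this diff, so confirm how it keys its lookup. Deriving the name with `host, _, err := net.SplitHostPort(addr)` followed by `if err != nil { return nil, err }` would make the key independent of the port and also surface malformed addresses instead of dialing them. The positional struct literal hides which field is being set; a keyed literal (the field name is not visible here) would document that this is the per-host selector. dialTLS continues in the next hunk.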
@@ -111,8 +112,9 @@ func dialTLS(ctx context.Context, network, addr string) (net.Conn, error) {
                ) error {
                        return verifyCert(host, nil, rawCerts, verifiedChains)
                },
-               ClientSessionCache: sessionCache,
-               NextProtos:         []string{"h2", "http/1.1"},
+               ClientSessionCache:   sessionCache,
+               NextProtos:           []string{"h2", "http/1.1"},
+               GetClientCertificate: ccg.get,
        }
        conn, dialErr := tls.Dial(network, addr, &cfg)
        if dialErr != nil {
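Review bot: `GetClientCertificate: ccg.get` wires in a callback whose contract (crypto/tls) is to return a non-nil `*tls.Certificate` together with a nil error even when no certificate is configured for this host — returning nil or an error aborts the handshake with every server that merely requests a client certificate; `ccg.get` is defined outside this diff, so confirm it returns `&tls.Certificate{}` in the no-certificate case. A short comment above the field would help the next reader, e.g. `// Client certificate is chosen per host; crypto/tls calls this only after VerifyPeerCertificate has accepted the server, so the identity is presented only to a TOFU-verified peer` — the ordering claim should be checked against the crypto/tls handshake code before committing the comment. The remainder of dialTLS lies outside the hunk.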