/*
-tofuproxy -- HTTP proxy with TLS certificates management
+tofuproxy -- flexible HTTP/WARC proxy with TLS certificates management
Copyright (C) 2021 Sergey Matveev <stargrave@stargrave.org>
This program is free software: you can redistribute it and/or modify
}
func dialTLS(ctx context.Context, network, addr string) (net.Conn, error) {
- host := strings.TrimSuffix(addr, ":443")
+ host := strings.Split(addr, ":")[0]
+ ccg := ClientCertificateGetter{host: host}
cfg := tls.Config{
VerifyPeerCertificate: func(
rawCerts [][]byte,
) error {
return verifyCert(host, nil, rawCerts, verifiedChains)
},
- ClientSessionCache: sessionCache,
- NextProtos: []string{"h2", "http/1.1"},
+ ClientSessionCache: sessionCache,
+ NextProtos: []string{"h2", "http/1.1"},
+ GetClientCertificate: ccg.get,
}
conn, dialErr := tls.Dial(network, addr, &cfg)
if dialErr != nil {
var err error
conn, err = tls.Dial(network, addr, &cfg)
if err != nil {
- fifos.SinkErr <- fmt.Sprintf("%s\t%s", addr, dialErr.Error())
+ fifos.LogErr <- fmt.Sprintf("%s\t%s", addr, dialErr.Error())
return nil, err
}
}
connState := conn.ConnectionState()
- if connState.DidResume {
- fifos.SinkTLS <- fmt.Sprintf(
- "%s\t%s %s\t%s\t%s",
- strings.TrimSuffix(addr, ":443"),
+ if !connState.DidResume {
+ fifos.LogTLS <- fmt.Sprintf(
+ "%s\t%s %s %s\t%s\t%s",
+ addr,
ucspi.TLSVersion(connState.Version),
tls.CipherSuiteName(connState.CipherSuite),
+ connState.PeerCertificates[0].SignatureAlgorithm,
spkiHash(connState.PeerCertificates[0]),
connState.NegotiatedProtocol,
)