diff --git a/tls.go b/tls.go
index 4c29a6ff6bdf541b806fb83f08d4e3b8283e7aa4..dc598622998f6bcdcf893c11991c72b40c9532ed 100644 (file)
--- a/tls.go
+++ b/tls.go
@@ -1,5 +1,5 @@
 /*
-tofuproxy -- HTTP proxy with TLS certificates management
+tofuproxy -- flexible HTTP/WARC proxy with TLS certificates management
 Copyright (C) 2021 Sergey Matveev <stargrave@stargrave.org>
 
 This program is free software: you can redistribute it and/or modify
@@ -103,7 +103,8 @@ func (h *HTTPSHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 }
 
 func dialTLS(ctx context.Context, network, addr string) (net.Conn, error) {
-       host := strings.TrimSuffix(addr, ":443")
+       host := strings.Split(addr, ":")[0]
+       ccg := ClientCertificateGetter{host: host}
        cfg := tls.Config{
                VerifyPeerCertificate: func(
                        rawCerts [][]byte,
@@ -111,8 +112,9 @@ func dialTLS(ctx context.Context, network, addr string) (net.Conn, error) {
                ) error {
                        return verifyCert(host, nil, rawCerts, verifiedChains)
                },
-               ClientSessionCache: sessionCache,
-               NextProtos:         []string{"h2", "http/1.1"},
+               ClientSessionCache:   sessionCache,
+               NextProtos:           []string{"h2", "http/1.1"},
+               GetClientCertificate: ccg.get,
        }
        conn, dialErr := tls.Dial(network, addr, &cfg)
        if dialErr != nil {
@@ -129,17 +131,18 @@ func dialTLS(ctx context.Context, network, addr string) (net.Conn, error) {
                var err error
                conn, err = tls.Dial(network, addr, &cfg)
                if err != nil {
-                       fifos.SinkErr <- fmt.Sprintf("%s\t%s", addr, dialErr.Error())
+                       fifos.LogErr <- fmt.Sprintf("%s\t%s", addr, dialErr.Error())
                        return nil, err
                }
        }
        connState := conn.ConnectionState()
-       if connState.DidResume {
-               fifos.SinkTLS <- fmt.Sprintf(
-                       "%s\t%s %s\t%s\t%s",
-                       strings.TrimSuffix(addr, ":443"),
+       if !connState.DidResume {
+               fifos.LogTLS <- fmt.Sprintf(
+                       "%s\t%s %s %s\t%s\t%s",
+                       addr,
                        ucspi.TLSVersion(connState.Version),
                        tls.CipherSuiteName(connState.CipherSuite),
+                       connState.PeerCertificates[0].SignatureAlgorithm,
                        spkiHash(connState.PeerCertificates[0]),
                        connState.NegotiatedProtocol,
                )
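Review bot: The renamed `fifos.LogErr` send in the retry branch still formats `dialErr.Error()`, the error from the first dial, while the function returns `err` from the second dial on the line below; when the two differ the log attributes the failure to the wrong cause. Logging the error that is actually returned, `fifos.LogErr <- fmt.Sprintf("%s\t%s", addr, err.Error())`, or including both, would keep the log and the return value consistent. Separately, `connState.PeerCertificates[0]` is now indexed twice inside the `!connState.DidResume` branch without a length check; for a full client-side handshake the server chain should be present, but whether the retry path (whose config change lies outside this hunk) can leave it empty is not visible here and is worth confirming. dialTLS starts before and ends after this hunk.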