Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

net/http: DialTLS is not used w/ proxy (by design) #9126

Open
gopherbot opened this issue Nov 18, 2014 · 4 comments
Open

net/http: DialTLS is not used w/ proxy (by design) #9126

gopherbot opened this issue Nov 18, 2014 · 4 comments
Milestone
Unplanned

Comments

@gopherbot
Copy link

@gopherbot gopherbot commented Nov 18, 2014

by joshua.boelter:

What does 'go version' print?

go version go1.4rc1 [windows/amd64 | linux/amd64]

What steps reproduce the problem?

transport.DialTLS not used when an HTTPS connection is proxied.
http://play.golang.org/p/hSZy5-Sg0I

Equally concerned developers will introduce unintended security bugs if/when an app is
executed in an environment with a proxy.

What happened?

DialTLS not used (by design) when a proxy is present.

What should have happened instead?

Need support to reject connections based on factors outside hostname when a proxy is
present.  e.g. a Verify(...) callback on tls.Config executed after the handshake and
other verification steps have executed.

Please provide any additional information below.

The issue that added DialTLS:
https://golang.org/issue/8522

Patch set #3 (or similar) would address the need.
https://golang.org/cl/137940043/#ps40001
@ianlancetaylor
Copy link
Contributor

@ianlancetaylor ianlancetaylor commented Nov 19, 2014

Comment 1:

Labels changed: added repo-main, release-none.

@bradfitz bradfitz removed the new label Dec 18, 2014
@jboelter
Copy link

@jboelter jboelter commented Dec 22, 2014

Brad - are you open to accepting a patch akin to patchset #3 (https://codereview.appspot.com/137940043/#ps40001) for go1.5?

@bradfitz
Copy link
Contributor

@bradfitz bradfitz commented Dec 22, 2014

I'm having a hard time understanding the original bug report.

Can you start over in English without referencing old bugs or submitted CLs, starting with where we're at now in Go 1.4? What isn't possible?

@jboelter
Copy link

@jboelter jboelter commented Dec 22, 2014

1.4 introduced an optional DialTLS function on http.Transport. However, it is not used when a proxy is in use.

I'm calling REST APIs over https and I need to check for acceptable server certificates (a whitelist) after the handshake w/ or w/o a proxy present on the client.

Proposed

Add an optional verification callback to tls.Config that lets the callee inspect the certs. This would be called during the handshake for client or server.

// VerifyPeerCertificate optionally defines a function to add
// further restrictions on certificate validity.
// The provided peer certificates and chains are the result 
// of the handshake and x509.Certificate.Verify calls and should
// not be modified. The chains param will be nil if InsecureSkipVerify 
// is true. If the function returns an error, the certificate is
// considered invalid and the connection will close.
VerifyPeerCertificate func(peer []*x509.Certificate, chains [][]*x509.Certificate) error

@christophershirk christophershirk mentioned this issue Feb 1, 2015
Closed
@rsc rsc added this to the Unplanned milestone Apr 10, 2015
@jboelter jboelter mentioned this issue Jul 13, 2016
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
Unplanned
Development

No branches or pull requests
5 participants
@bradfitz @rsc @ianlancetaylor @jboelter @gopherbot