net/http: DialTLS is not used w/ proxy (by design)

[gopherbot]

by joshua.boelter:

What does 'go version' print?

go version go1.4rc1 [windows/amd64 | linux/amd64]

What steps reproduce the problem?

transport.DialTLS not used when an HTTPS connection is proxied.
http://play.golang.org/p/hSZy5-Sg0I

Equally concerned developers will introduce unintended security bugs if/when an app is
executed in an environment with a proxy.

What happened?

DialTLS not used (by design) when a proxy is present.

What should have happened instead?

Need support to reject connections based on factors outside hostname when a proxy is
present.  e.g. a Verify(...) callback on tls.Config executed after the handshake and
other verification steps have executed.

Please provide any additional information below.

The issue that added DialTLS:
https://golang.org/issue/8522

Patch set #3 (or similar) would address the need.
https://golang.org/cl/137940043/#ps40001

[ianlancetaylor]

Comment 1:

Labels changed: added repo-main, release-none.

[jboelter]

Brad - are you open to accepting a patch akin to patchset #3 (https://codereview.appspot.com/137940043/#ps40001) for go1.5?

[bradfitz]

I'm having a hard time understanding the original bug report.

Can you start over in English without referencing old bugs or submitted CLs, starting with where we're at now in Go 1.4? What isn't possible?

[jboelter]

1.4 introduced an optional DialTLS function on http.Transport. However, it is not used when a proxy is in use.

I'm calling REST APIs over https and I need to check for acceptable server certificates (a whitelist) after the handshake w/ or w/o a proxy present on the client.

Proposed

Add an optional verification callback to tls.Config that lets the callee inspect the certs. This would be called during the handshake for client or server.

// VerifyPeerCertificate optionally defines a function to add
// further restrictions on certificate validity.
// The provided peer certificates and chains are the result 
// of the handshake and x509.Certificate.Verify calls and should
// not be modified. The chains param will be nil if InsecureSkipVerify 
// is true. If the function returns an error, the certificate is
// considered invalid and the connection will close.
VerifyPeerCertificate func(peer []*x509.Certificate, chains [][]*x509.Certificate) error