
net/http: DialTLS is not used w/ proxy (by design) #9126

Open
gopherbot opened this Issue Nov 18, 2014 · 4 comments


gopherbot commented Nov 18, 2014

by joshua.boelter:

What does 'go version' print?

go version go1.4rc1 [windows/amd64 | linux/amd64]

What steps reproduce the problem?

transport.DialTLS not used when an HTTPS connection is proxied.
http://play.golang.org/p/hSZy5-Sg0I

Equally concerned developers will introduce unintended security bugs if/when an app is
executed in an environment with a proxy.

What happened?

DialTLS not used (by design) when a proxy is present.

What should have happened instead?

Need support to reject connections based on factors outside hostname when a proxy is
present.  e.g. a Verify(...) callback on tls.Config executed after the handshake and
other verification steps have executed.

Please provide any additional information below.

The issue that added DialTLS:
https://golang.org/issue/8522

Patch set #3 (or similar) would address the need.
https://golang.org/cl/137940043/#ps40001
ianlancetaylor commented Nov 19, 2014

Comment 1:

Labels changed: added repo-main, release-none.

@gopherbot gopherbot added new labels Nov 19, 2014

@bradfitz bradfitz removed the new label Dec 18, 2014

jboelter commented Dec 22, 2014

Brad - are you open to accepting a patch akin to patchset #3 (https://codereview.appspot.com/137940043/#ps40001) for go1.5?

bradfitz commented Dec 22, 2014

I'm having a hard time understanding the original bug report.

Can you start over in English without referencing old bugs or submitted CLs, starting with where we're at now in Go 1.4? What isn't possible?

jboelter commented Dec 22, 2014

1.4 introduced an optional DialTLS function on http.Transport. However, it is not used when a proxy is in use.

I'm calling REST APIs over https and I need to check for acceptable server certificates (a whitelist) after the handshake w/ or w/o a proxy present on the client.

Proposed

Add an optional verification callback to tls.Config that lets the callee inspect the certs. This would be called during the handshake for client or server.

// VerifyPeerCertificate optionally defines a function to add
// further restrictions on certificate validity.
// The provided peer certificates and chains are the result
// of the handshake and x509.Certificate.Verify calls and should
// not be modified. The chains param will be nil if InsecureSkipVerify
// is true. If the function returns an error, the certificate is
// considered invalid and the connection will close.
VerifyPeerCertificate func(peer []*x509.Certificate, chains [][]*x509.Certificate) error
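The post-handshake allowlist check asked for in this thread, written out as an added example; it is not code from the issue or from the Go project. It uses the VerifyPeerCertificate hook on tls.Config in the form crypto/tls later shipped it (Go 1.8), which passes the raw DER certificates rather than parsed ones, and installs it through http.Transport.TLSClientConfig, which the transport applies to direct and to CONNECT-proxied HTTPS alike (DialTLS, as the report says, is skipped when a proxy is present). The function names, the SPKI-hash pin format and the throwaway certificates are this example's own; the server is httptest's in-process TLS server, so everything runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// SPKIPin returns base64(SHA-256(SubjectPublicKeyInfo)), the usual pin-sha256 form.
// Pinning the key rather than the whole certificate survives a renewal that keeps the key.
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// PinVerifier returns a tls.Config.VerifyPeerCertificate callback that accepts the
// handshake only if the leaf's SPKI hash is on the allowlist. crypto/tls runs it
// after its own chain and hostname checks; verifiedChains is nil only when
// InsecureSkipVerify is set, in which case this pin is the sole check left.
func PinVerifier(allowed []string) func([][]byte, [][]*x509.Certificate) error {
	pins := make(map[string]bool, len(allowed))
	for _, p := range allowed {
		pins[p] = true
	}
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("pin: peer presented no certificate")
		}
		leaf, err := x509.ParseCertificate(rawCerts[0]) // rawCerts[0] is the leaf
		if err != nil {
			return fmt.Errorf("pin: parse leaf: %w", err)
		}
		if pin := SPKIPin(leaf); !pins[pin] {
			return fmt.Errorf("pin: leaf SPKI %s not in allowlist", pin)
		}
		return nil
	}
}

// NewPinnedClient installs the verifier via Transport.TLSClientConfig, which the
// transport uses for direct and for CONNECT-proxied HTTPS alike (DialTLS is not).
func NewPinnedClient(roots *x509.CertPool, allowed []string) *http.Client {
	return &http.Client{Transport: &http.Transport{
		Proxy: http.ProxyFromEnvironment, // with or without a proxy, the pin still runs
		TLSClientConfig: &tls.Config{
			RootCAs:               roots,
			MinVersion:            tls.VersionTLS12,
			VerifyPeerCertificate: PinVerifier(allowed),
		},
	}}
}

// NewTestCert makes a throwaway self-signed P-256 certificate (constructed test
// material, not a real service certificate) so pins can be computed offline.
func NewTestCert(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, "ok")
	}))
	defer srv.Close()
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate()) // trust httptest's own self-signed cert
	other, err := NewTestCert("some-other-key")
	if err != nil {
		panic(err)
	}
	// Chain and pin both match: the request succeeds. Chain matches but the pin
	// does not: the callback aborts the handshake even though RootCAs trusts the cert.
	_, err = NewPinnedClient(roots, []string{SPKIPin(srv.Certificate())}).Get(srv.URL)
	fmt.Println("correct pin:", err)
	_, err = NewPinnedClient(roots, []string{SPKIPin(other)}).Get(srv.URL)
	fmt.Println("wrong pin:", err)
}
```

Because the hook lives on tls.Config rather than on the dialer, it is exercised on the TLS session that the transport opens through a CONNECT tunnel as well as on a direct connection; the allowlist should carry a backup pin for the next key so that rotation does not lock clients out.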