feature(turncat): Set SNI on TURN/TLS client connections

l7mp · Jun 10, 2024 · 246913f · 246913f
1 parent 512ce55
commit 246913f
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 1 deletion.
diff --git a/cmd/turncat/main.go b/cmd/turncat/main.go
@@ -58,8 +58,10 @@ func main() {
 	cdsConfigFlags = cdsclient.NewCDSConfigFlags()
 	cdsConfigFlags.AddFlags(flag.CommandLine)
 
-	var level = flag.StringP("log", "l", "all:WARN", "Log level")
+	var serverName string
+	flag.StringVar(&serverName, "sni", "", "Server name (SNI) for TURN/TLS client connections")
 	var insecure = flag.BoolP("insecure", "i", false, "Insecure TLS mode, accept self-signed TURN server certificates (default: false)")
+	var level = flag.StringP("log", "l", "all:WARN", "Log level")
 	var verbose = flag.BoolP("verbose", "v", false, "Enable verbose logging, identical to -l all:DEBUG")
 	var help = flag.BoolP("help", "h", false, "Display this help text and exit")
 
@@ -114,6 +116,7 @@ func main() {
 		PeerAddr:      flag.Arg(2),
 		Realm:         config.Auth.Realm,
 		AuthGen:       authGen,
+		ServerName:    serverName,
 		InsecureMode:  *insecure,
 		LoggerFactory: loggerFactory,
 	}

diff --git a/turncat.go b/turncat.go
@@ -35,6 +35,8 @@ type TurncatConfig struct {
 	Realm string
 	// AuthGet specifies the function to generate auth tokens.
 	AuthGen AuthGen
+	// ServerName is the SNI used for virtual hosting (unless it is an IP address).
+	ServerName string
 	// InsecureMode controls whether self-signed TLS certificates are accepted by the TURN
 	// client.
 	InsecureMode bool
@@ -53,6 +55,7 @@ type Turncat struct {
 	connTrack     map[string]*connection // Conntrack table.
 	lock          *sync.Mutex            // Sync access to the conntrack state.
 	authGen       AuthGen                // Generate auth tokens.
+	serverName    string
 	insecure      bool
 	loggerFactory logging.LoggerFactory
 	log           logging.LeveledLogger
@@ -165,6 +168,7 @@ func NewTurncat(config *TurncatConfig) (*Turncat, error) {
 		lock:          new(sync.Mutex),
 		realm:         config.Realm,
 		authGen:       config.AuthGen,
+		serverName:    config.ServerName,
 		insecure:      config.InsecureMode,
 		loggerFactory: loggerFactory,
 		log:           log,
@@ -263,6 +267,7 @@ func (t *Turncat) newConnection(clientConn net.Conn) (*connection, error) {
 		// assert.NoError(t, err, "cannot create certificate for TLS client socket")
 		c, err := tls.Dial("tcp", t.serverAddr.String(), &tls.Config{
 			MinVersion:         tls.VersionTLS10,
+			ServerName:         t.serverName,
 			InsecureSkipVerify: t.insecure,
 		})
 		if err != nil {