// Connects the socket, creating a new socket object if necessary.
func (p *TSSLSocket) Open() error {
var err error
// If we have a hostname, we need to pass the hostname to tls.Dial for
// certificate hostname checks.
if p.hostPort != "" {
if p.conn, err = tls.Dial("tcp", p.hostPort, p.cfg); err != nil {
return NewTTransportException(NOT_OPEN, err.Error())
}
} else {
if p.IsOpen() {
return NewTTransportException(ALREADY_OPEN, "Socket already connected.")
}
if p.addr == nil {
return NewTTransportException(NOT_OPEN, "Cannot open nil address.")
}
if len(p.addr.Network()) == 0 {
return NewTTransportException(NOT_OPEN, "Cannot open bad network name.")
}
if len(p.addr.String()) == 0 {
return NewTTransportException(NOT_OPEN, "Cannot open bad address.")
}
if p.conn, err = tls.Dial(p.addr.Network(), p.addr.String(), p.cfg); err != nil {
return NewTTransportException(NOT_OPEN, err.Error())
}
}
return nil
}
func (t *TLSRedialTransport) dial(network, addr string) (conn net.Conn, err error) {
t.once.Do(func() {
conn = t.ServerConn
})
if conn != nil {
return conn, nil
}
newConn, err := tls.Dial("tcp", t.serverAddr, &tls.Config{
ServerName: t.ServerName,
InsecureSkipVerify: true,
})
if err != nil {
return nil, err
}
if !bytes.Equal(t.publicKey, newConn.ConnectionState().PeerCertificates[0].RawSubjectPublicKeyInfo) {
newConn.Close()
log.Printf("TLS private key at %s changed", t.ServerName)
// Our little certificate-pinning trick failed because the server changed
// certificates (or we've been MITM'd). See if the server has a valid
// certificate, even if it's not the same one.
return tls.Dial("tcp", t.serverAddr, &tls.Config{ServerName: t.ServerName})
}
return newConn, nil
}
// FromURL connects to the given URL.Host via tls.Dial with the given tls.Config and populates the HostCertificateInfo
// via tls.ConnectionState. If the certificate was verified with the given tls.Config, the Err field will be nil.
// Otherwise, Err will be set to the x509.UnknownAuthorityError or x509.HostnameError.
// If tls.Dial returns an error of any other type, that error is returned.
func (info *HostCertificateInfo) FromURL(u *url.URL, config *tls.Config) error {
addr := u.Host
if !(strings.LastIndex(addr, ":") > strings.LastIndex(addr, "]")) {
addr += ":443"
}
conn, err := tls.Dial("tcp", addr, config)
if err != nil {
switch err.(type) {
case x509.UnknownAuthorityError:
case x509.HostnameError:
default:
return err
}
info.Err = err
conn, err = tls.Dial("tcp", addr, &tls.Config{InsecureSkipVerify: true})
if err != nil {
return err
}
} else {
info.Status = string(types.HostCertificateManagerCertificateInfoCertificateStatusGood)
}
state := conn.ConnectionState()
_ = conn.Close()
info.FromCertificate(state.PeerCertificates[0])
return nil
}
// connect to the server. Here we keep trying every 10 seconds until we manage
// to Dial to the server.
func (bot *ircBot) connect() (conn io.ReadWriteCloser) {
var (
err error
counter int
)
connectTimeout := time.After(0)
bot.Lock()
bot.isConnecting = true
bot.isAuthenticating = false
bot.Unlock()
for {
select {
case <-connectTimeout:
counter++
connectTimeout = nil
glog.Infoln("[Info] Connecting to IRC server: ", bot.address)
conn, err = tls.Dial("tcp", bot.address, nil) // Always try TLS first
if err == nil {
glog.Infoln("Connected: TLS secure")
return conn
} else if _, ok := err.(x509.HostnameError); ok {
glog.Errorln("Could not connect using TLS because: ", err)
// Certificate might not match. This happens on irc.cloudfront.net
insecure := &tls.Config{InsecureSkipVerify: true}
conn, err = tls.Dial("tcp", bot.address, insecure)
if err == nil && isCertValid(conn.(*tls.Conn)) {
glog.Errorln("Connected: TLS with awkward certificate")
return conn
}
} else if _, ok := err.(x509.UnknownAuthorityError); ok {
glog.Errorln("x509.UnknownAuthorityError : ", err)
insecure := &tls.Config{InsecureSkipVerify: true}
conn, err = tls.Dial("tcp", bot.address, insecure)
if err == nil {
glog.Infoln("Connected: TLS with an x509.UnknownAuthorityError", err)
return conn
}
} else {
glog.Errorln("Could not establish a tls connection", err)
}
conn, err = net.Dial("tcp", bot.address)
if err == nil {
glog.Infoln("Connected: Plain text insecure")
return conn
}
// TODO (yml) At some point we might want to panic
delay := 5 * counter
glog.Infoln("IRC Connect error. Will attempt to re-connect. ", err, "in", delay, "seconds")
connectTimeout = time.After(time.Duration(delay) * time.Second)
}
}
}
// BundleFromRemote fetches the certificate chain served by the server at
// serverName (or ip, if the ip argument is not the empty string). It
// is expected that the method will be able to make a connection at
// port 443. The chain used by the server in this connection is
// used to rebuild the bundle.
func (b *Bundler) BundleFromRemote(serverName, ip string) (*Bundle, error) {
config := &tls.Config{
RootCAs: b.RootPool,
ServerName: serverName,
}
// Dial by IP if present
var dialName string
if ip != "" {
dialName = ip + ":443"
} else {
dialName = serverName + ":443"
}
log.Debugf("bundling from remote %s", dialName)
conn, err := tls.Dial("tcp", dialName, config)
var dialError string
// If there's an error in tls.Dial, try again with
// InsecureSkipVerify to fetch the remote bundle to (re-)bundle with.
// If the bundle is indeed not usable (expired, mismatched hostnames, etc.),
// report the error.
// Otherwise, create a working bundle and insert the tls error in the bundle.Status.
if err != nil {
log.Debugf("dial failed: %v", err)
// record the error msg
dialError = fmt.Sprintf("Failed rigid TLS handshake with %s: %v", dialName, err)
// dial again with InsecureSkipVerify
log.Debugf("try again with InsecureSkipVerify.")
config.InsecureSkipVerify = true
conn, err = tls.Dial("tcp", dialName, config)
if err != nil {
log.Debugf("dial with InsecureSkipVerify failed: %v", err)
return nil, errors.New(errors.DialError, errors.Unknown, err)
}
}
connState := conn.ConnectionState()
certs := connState.PeerCertificates
err = conn.VerifyHostname(serverName)
if err != nil {
log.Debugf("failed to verify hostname: %v", err)
return nil, errors.New(errors.CertificateError, errors.VerifyFailed, err)
}
// verify peer intermediates and store them if there is any missing from the bundle.
// Don't care if there is error, will throw it any way in Bundle() call.
b.fetchIntermediates(certs)
// Bundle with remote certs. Inject the initial dial error, if any, to the status reporting.
bundle, err := b.Bundle(certs, nil, Ubiquitous)
if err != nil {
return nil, err
} else if dialError != "" {
bundle.Status.Messages = append(bundle.Status.Messages, dialError)
}
return bundle, err
}
// TestWithClientCertificateAuthentication
// Use two CA:s in two different files and test that clients with client signed by either of them can connect
func (s *HTTPSSuite) TestWithClientCertificateAuthenticationMultipeCAsMultipleFiles(c *check.C) {
cmd := exec.Command(traefikBinary, "--configFile=fixtures/https/clientca/https_2ca2config.toml")
err := cmd.Start()
c.Assert(err, checker.IsNil)
defer cmd.Process.Kill()
time.Sleep(500 * time.Millisecond)
tlsConfig := &tls.Config{
InsecureSkipVerify: true,
ServerName: "snitest.com",
Certificates: []tls.Certificate{},
}
// Connection without client certificate should fail
conn, err := tls.Dial("tcp", "127.0.0.1:4443", tlsConfig)
c.Assert(err, checker.NotNil, check.Commentf("should not be allowed to connect to server"))
// Connect with client signed by ca1
cert, err := tls.LoadX509KeyPair("fixtures/https/clientca/client1.crt", "fixtures/https/clientca/client1.key")
c.Assert(err, checker.IsNil, check.Commentf("unable to load client certificate and key"))
tlsConfig.Certificates = append(tlsConfig.Certificates, cert)
conn, err = tls.Dial("tcp", "127.0.0.1:4443", tlsConfig)
c.Assert(err, checker.IsNil, check.Commentf("failed to connect to server"))
conn.Close()
// Connect with client signed by ca2
tlsConfig = &tls.Config{
InsecureSkipVerify: true,
ServerName: "snitest.com",
Certificates: []tls.Certificate{},
}
cert, err = tls.LoadX509KeyPair("fixtures/https/clientca/client2.crt", "fixtures/https/clientca/client2.key")
c.Assert(err, checker.IsNil, check.Commentf("unable to load client certificate and key"))
tlsConfig.Certificates = append(tlsConfig.Certificates, cert)
conn, err = tls.Dial("tcp", "127.0.0.1:4443", tlsConfig)
c.Assert(err, checker.IsNil, check.Commentf("failed to connect to server"))
conn.Close()
// Connect with client signed by ca3 should fail
tlsConfig = &tls.Config{
InsecureSkipVerify: true,
ServerName: "snitest.com",
Certificates: []tls.Certificate{},
}
cert, err = tls.LoadX509KeyPair("fixtures/https/clientca/client3.crt", "fixtures/https/clientca/client3.key")
c.Assert(err, checker.IsNil, check.Commentf("unable to load client certificate and key"))
tlsConfig.Certificates = append(tlsConfig.Certificates, cert)
conn, err = tls.Dial("tcp", "127.0.0.1:4443", tlsConfig)
c.Assert(err, checker.NotNil, check.Commentf("should not be allowed to connect to server"))
}
func (s *ServerSuite) TestServerUpdateHTTPS(c *C) {
var req *http.Request
e := testutils.NewHandler(func(w http.ResponseWriter, r *http.Request) {
req = r
w.Write([]byte("hi https"))
})
defer e.Close()
b := MakeBatch(Batch{
Addr: "localhost:41000",
Route: `Path("/")`,
URL: e.URL,
Protocol: engine.HTTPS,
KeyPair: &engine.KeyPair{Key: localhostKey, Cert: localhostCert},
})
b.L.Settings = &engine.HTTPSListenerSettings{TLS: engine.TLSSettings{MinVersion: "VersionTLS11"}}
c.Assert(s.mux.UpsertHost(b.H), IsNil)
c.Assert(s.mux.UpsertServer(b.BK, b.S), IsNil)
c.Assert(s.mux.UpsertFrontend(b.F), IsNil)
c.Assert(s.mux.UpsertListener(b.L), IsNil)
c.Assert(s.mux.Start(), IsNil)
config := &tls.Config{
InsecureSkipVerify: true,
// We only support tls 10
MinVersion: tls.VersionTLS10,
MaxVersion: tls.VersionTLS10,
}
conn, err := tls.Dial("tcp", b.L.Address.Address, config)
c.Assert(err, NotNil) // we got TLS error
// Relax the version
b.L.Settings = &engine.HTTPSListenerSettings{TLS: engine.TLSSettings{MinVersion: "VersionTLS10"}}
c.Assert(s.mux.UpsertListener(b.L), IsNil)
time.Sleep(20 * time.Millisecond)
conn, err = tls.Dial("tcp", b.L.Address.Address, config)
c.Assert(err, IsNil)
fmt.Fprintf(conn, "GET / HTTP/1.0\r\n\r\n")
status, err := bufio.NewReader(conn).ReadString('\n')
c.Assert(status, Equals, "HTTP/1.0 200 OK\r\n")
state := conn.ConnectionState()
c.Assert(state.Version, DeepEquals, uint16(tls.VersionTLS10))
conn.Close()
}
func main() {
config := &tls.Config{nil, nil, []tls.Certificate{}, nil, nil, "google.com", false}
// config.Rand = nil
// config.Time = nil
// config.Certificates = nil
// config.RootCAs = nil
// config.NextProtos = nil
// config.ServerName = "google.com"
// config.AuthenticateClient = false
// config.CipherSuites = nil // Docs wrong?
conn, err := tls.Dial("tcp", "google.com:443", config)
if err != nil {
fmt.Printf("Error: %v\n", err)
} else {
buf := make([]uint8, 100)
fmt.Printf("Reading...\n")
fmt.Printf("Hangs :-\\\n")
size, err := conn.Read(buf) // Hangs
fmt.Printf("Done reading\n")
if err != nil {
fmt.Printf("Error: %v\n", err)
} else {
fmt.Printf("Data: %v\n", buf[:size])
}
}
}
/*
Dial opens a new client connection to a Web Socket.
A trivial example client:
package main
import (
"websocket"
"strings"
)
func main() {
ws, err := websocket.Dial("ws://localhost/ws", "", "http://localhost/");
if err != nil {
panic("Dial: " + err.String())
}
if _, err := ws.Write([]byte("hello, world!\n")); err != nil {
panic("Write: " + err.String())
}
var msg = make([]byte, 512);
if n, err := ws.Read(msg); err != nil {
panic("Read: " + err.String())
}
// use msg[0:n]
}
*/
func Dial(url, protocol, origin string) (ws *Conn, err os.Error) {
var client net.Conn
parsedUrl, err := http.ParseURL(url)
if err != nil {
goto Error
}
switch parsedUrl.Scheme {
case "ws":
client, err = net.Dial("tcp", "", parsedUrl.Host)
case "wss":
client, err = tls.Dial("tcp", "", parsedUrl.Host)
default:
err = ErrBadScheme
}
if err != nil {
goto Error
}
ws, err = newClient(parsedUrl.RawPath, parsedUrl.Host, origin, url, protocol, client, handshake)
if err != nil {
goto Error
}
return
Error:
return nil, &DialError{url, protocol, origin, err}
}
// golang.org/issue/13924
// This used to fail after many iterations, especially with -race:
// go test -v -run=TestTransportDoubleCloseOnWriteError -count=500 -race
func TestTransportDoubleCloseOnWriteError(t *testing.T) {
var (
mu sync.Mutex
conn net.Conn // to close if set
)
st := newServerTester(t,
func(w http.ResponseWriter, r *http.Request) {
mu.Lock()
defer mu.Unlock()
if conn != nil {
conn.Close()
}
},
optOnlyServer,
)
defer st.Close()
tr := &Transport{
TLSClientConfig: tlsConfigInsecure,
DialTLS: func(network, addr string, cfg *tls.Config) (net.Conn, error) {
tc, err := tls.Dial(network, addr, cfg)
if err != nil {
return nil, err
}
mu.Lock()
defer mu.Unlock()
conn = tc
return tc, nil
},
}
defer tr.CloseIdleConnections()
c := &http.Client{Transport: tr}
c.Get(st.ts.URL)
}
// Test concurrent requests with Transport.DisableKeepAlives. We can share connections,
// but when things are totally idle, it still needs to close.
func TestTransportDisableKeepAlives_Concurrency(t *testing.T) {
const D = 25 * time.Millisecond
st := newServerTester(t,
func(w http.ResponseWriter, r *http.Request) {
time.Sleep(D)
io.WriteString(w, "hi")
},
optOnlyServer,
)
defer st.Close()
var dials int32
var conns sync.WaitGroup
tr := &Transport{
t1: &http.Transport{
DisableKeepAlives: true,
},
TLSClientConfig: tlsConfigInsecure,
DialTLS: func(network, addr string, cfg *tls.Config) (net.Conn, error) {
tc, err := tls.Dial(network, addr, cfg)
if err != nil {
return nil, err
}
atomic.AddInt32(&dials, 1)
conns.Add(1)
return ¬eCloseConn{Conn: tc, closefn: func() { conns.Done() }}, nil
},
}
c := &http.Client{Transport: tr}
var reqs sync.WaitGroup
const N = 20
for i := 0; i < N; i++ {
reqs.Add(1)
if i == N-1 {
// For the final request, try to make all the
// others close. This isn't verified in the
// count, other than the Log statement, since
// it's so timing dependent. This test is
// really to make sure we don't interrupt a
// valid request.
time.Sleep(D * 2)
}
go func() {
defer reqs.Done()
res, err := c.Get(st.ts.URL)
if err != nil {
t.Error(err)
return
}
if _, err := ioutil.ReadAll(res.Body); err != nil {
t.Error(err)
return
}
res.Body.Close()
}()
}
reqs.Wait()
conns.Wait()
t.Logf("did %d dials, %d requests", atomic.LoadInt32(&dials), N)
}
func dialHTTP(hoststring string, scheme string) (cc *http.ClientConn, err os.Error) {
host, port, err := net.SplitHostPort(hoststring)
if err != nil {
return
}
if port == "" {
switch scheme {
case "http":
port = "80"
case "https":
port = "80"
case "riak":
port = "8098"
default:
err = os.NewError("Unknown scheme")
}
}
if err != nil {
return
}
var c net.Conn
switch scheme {
case "https":
c, err = tls.Dial("tcp", host+":"+port, nil)
default:
c, err = net.Dial("tcp", host+":"+port)
}
if err == nil {
cc = http.NewClientConn(c, nil)
}
return
}
func newConn(url *url.URL) (*httputil.ClientConn, error) {
addr := url.Host
if !hasPort(addr) {
addr += ":" + url.Scheme
}
var conn net.Conn
var err error
if url.Scheme == "http" {
conn, err = net.Dial("tcp", addr)
if err != nil {
return nil, err
}
} else { // https
conn, err = tls.Dial("tcp", addr, nil)
if err != nil {
return nil, err
}
h := url.Host
if hasPort(h) {
h = h[0:strings.LastIndex(h, ":")]
}
if err := conn.(*tls.Conn).VerifyHostname(h); err != nil {
return nil, err
}
}
return httputil.NewClientConn(conn, nil), nil
}
// Dial initiates a TLS connection to an outbound server. It returns a
// TLS connection to the server.
func Dial(address string, tr *Transport) (*tls.Conn, error) {
host, _, err := net.SplitHostPort(address)
if err != nil {
// Assume address is a hostname, and that it should
// use the HTTPS port number.
host = address
address = net.JoinHostPort(address, "443")
}
cfg, err := tr.TLSClientAuthClientConfig(host)
if err != nil {
return nil, err
}
conn, err := tls.Dial("tcp", address, cfg)
if err != nil {
return nil, err
}
state := conn.ConnectionState()
if len(state.VerifiedChains) == 0 {
return nil, errors.New(errors.CertificateError, errors.VerifyFailed)
}
for _, chain := range state.VerifiedChains {
for _, cert := range chain {
revoked, ok := revoke.VerifyCertificate(cert)
if (!tr.RevokeSoftFail && !ok) || revoked {
return nil, errors.New(errors.CertificateError, errors.VerifyFailed)
}
}
}
return conn, nil
}
func (f *forwarder) connect() {
if f.c != nil {
return
}
rate := time.Tick(200 * time.Millisecond)
for {
var c net.Conn
var err error
if f.Config.TlsConfig != nil {
c, err = tls.Dial("tcp", f.Config.ForwardDest, f.Config.TlsConfig)
} else {
c, err = net.DialTimeout("tcp", f.Config.ForwardDest, f.Config.ForwardDestConnectTimeout)
}
if err != nil {
f.cErrors.Inc(1)
log.WithFields(log.Fields{"id": f.ID, "message": err}).Error("Forwarder Connection Error")
f.disconnect()
} else {
f.cSuccesses.Inc(1)
log.WithFields(log.Fields{"id": f.ID, "remote_addr": c.RemoteAddr().String()}).Info("Forwarder Connection Success")
f.c = c
return
}
<-rate
}
}
// dial connects to the smtp server with the request encryption type
func dial(host string, port string, encryption encryption, config *tls.Config) (*smtp.Client, error) {
var conn net.Conn
var err error
address := host + ":" + port
// do the actual dial
switch encryption {
case EncryptionSSL:
conn, err = tls.Dial("tcp", address, config)
default:
conn, err = net.Dial("tcp", address)
}
if err != nil {
return nil, errors.New("Mail Error on dailing with encryption type " + encryption.String() + ": " + err.Error())
}
c, err := smtp.NewClient(conn, host)
if err != nil {
return nil, errors.New("Mail Error on smtp dial: " + err.Error())
}
return c, err
}
// DialConfig opens a new client connection to a WebSocket with a config.
func DialConfig(config *Config) (ws *Conn, err error) {
var client net.Conn
if config.Location == nil {
return nil, &DialError{config, ErrBadWebSocketLocation}
}
if config.Origin == nil {
return nil, &DialError{config, ErrBadWebSocketOrigin}
}
switch config.Location.Scheme {
case "ws":
client, err = net.Dial("tcp", parseAuthority(config.Location))
case "wss":
client, err = tls.Dial("tcp", parseAuthority(config.Location), config.TlsConfig)
default:
err = ErrBadScheme
}
if err != nil {
goto Error
}
ws, err = NewClient(config, client)
if err != nil {
client.Close()
goto Error
}
return
Error:
return nil, &DialError{config, err}
}
func connectToSMTPServer() (net.Conn, *model.AppError) {
host, _, _ := net.SplitHostPort(Cfg.EmailSettings.SMTPServer)
var conn net.Conn
var err error
if Cfg.EmailSettings.UseTLS {
tlsconfig := &tls.Config{
InsecureSkipVerify: true,
ServerName: host,
}
conn, err = tls.Dial("tcp", Cfg.EmailSettings.SMTPServer, tlsconfig)
if err != nil {
return nil, model.NewAppError("SendMail", "Failed to open TLS connection", err.Error())
}
} else {
conn, err = net.Dial("tcp", Cfg.EmailSettings.SMTPServer)
if err != nil {
return nil, model.NewAppError("SendMail", "Failed to open connection", err.Error())
}
}
return conn, nil
}
func main() {
addr := flag.String("addr", "", "Address in form of host:port")
flag.Parse()
conn, err := tls.Dial("tcp", *addr, &tls.Config{
InsecureSkipVerify: true,
})
if err != nil {
panic("failed to connect: " + err.Error())
}
var nativeChain []certMeta
chain := conn.ConnectionState().PeerCertificates
err, root := findRoot(chain)
if err != nil {
fmt.Println(err)
}
buildNativeChain(chain, root, &nativeChain, len(chain))
verifyPositions(nativeChain)
fmt.Printf("%+v\n", nativeChain)
// for _, cert := range chain {
// fmt.Printf("Certificate: %s, Issued by: %s, Expires at: %s, Days left: %d\n",
// cert.Subject.CommonName, cert.Issuer.CommonName, cert.NotAfter, cert.NotAfter.Sub(time.Now())/time.Hour/24)
// }
conn.Close()
}
// MgoDialInfoTls returns a DialInfo suitable
// for dialling an MgoInstance at any of the
// given addresses, optionally using TLS.
func MgoDialInfoTls(useTls bool, addrs ...string) *mgo.DialInfo {
var dial func(addr net.Addr) (net.Conn, error)
if useTls {
pool := x509.NewCertPool()
xcert, err := cert.ParseCert(CACert)
if err != nil {
panic(err)
}
pool.AddCert(xcert)
tlsConfig := &tls.Config{
RootCAs: pool,
ServerName: "anything",
}
dial = func(addr net.Addr) (net.Conn, error) {
conn, err := tls.Dial("tcp", addr.String(), tlsConfig)
if err != nil {
logger.Debugf("tls.Dial(%s) failed with %v", addr, err)
return nil, err
}
return conn, nil
}
} else {
dial = func(addr net.Addr) (net.Conn, error) {
conn, err := net.Dial("tcp", addr.String())
if err != nil {
logger.Debugf("net.Dial(%s) failed with %v", addr, err)
return nil, err
}
return conn, nil
}
}
return &mgo.DialInfo{Addrs: addrs, Dial: dial, Timeout: mgoDialTimeout}
}
func main() {
if len(os.Args) < 2 {
fmt.Printf("Please specify a host.\n")
os.Exit(1)
}
if len(os.Args) > 3 {
fmt.Printf("Too many arguments.\n")
os.Exit(1)
}
host := os.Args[1]
port := "443"
if len(os.Args) == 3 {
port = os.Args[2]
}
config := &tls.Config{
InsecureSkipVerify: true,
}
conn, err := tls.Dial("tcp", host+":"+port, config)
if err != nil {
fmt.Printf("Error dialing host: %v\n", err)
os.Exit(1)
}
go io.Copy(conn, os.Stdin)
io.Copy(os.Stdout, conn)
}
func runClient() {
cert, err := tls.LoadX509KeyPair(clientTLSCert, clientTLSKey)
if err != nil {
log.Fatalf("client: error loading keys: %s", err)
}
tlsconf := &tls.Config{Certificates: []tls.Certificate{cert}, InsecureSkipVerify: true}
conn, err := tls.Dial("tcp", addr, tlsconf)
if err != nil {
log.Fatalf("client: dial: %s", err)
}
defer conn.Close()
log.Println("client: connected to: ", conn.RemoteAddr())
state := conn.ConnectionState()
for _, v := range state.PeerCertificates {
fmt.Println(x509.MarshalPKIXPublicKey(v.PublicKey))
fmt.Println(v.Subject)
}
log.Println("client: handshake: ", state.HandshakeComplete)
log.Println("client: mutual: ", state.NegotiatedProtocolIsMutual)
message := "Hello\n"
n, err := io.WriteString(conn, message)
if err != nil {
log.Fatalf("client: write: %s", err)
}
log.Printf("client: wrote %q (%d bytes)", message, n)
reply := make([]byte, 256)
n, err = conn.Read(reply)
log.Printf("client: read %q (%d bytes)", string(reply[:n]), n)
log.Print("client: exiting")
}
func (ui *UI) connect(useNetmon bool) *imap.IMAP {
user, pass := loadAuth("auth")
ui.log("connecting...")
conn, err := tls.Dial("tcp", "imap.gmail.com:993", nil)
check(err)
var r io.Reader = conn
if *dumpProtocol {
r = newLoggingReader(r, 300)
}
if useNetmon {
ui.netmon = newNetmonReader(r)
r = ui.netmon
}
im := imap.New(r, conn)
im.Unsolicited = make(chan interface{}, 100)
hello, err := im.Start()
check(err)
ui.log("server hello: %s", hello)
ui.log("logging in...")
resp, caps, err := im.Auth(user, pass)
check(err)
ui.log("%s", resp)
ui.log("server capabilities: %s", caps)
return im
}
// Dial connect to mongo, and return an error if there's a problem
func (t *MongoTarget) Dial() error {
username := t.dstURI.User.Username()
password, _ := t.dstURI.User.Password()
parsedQuery, _ := url.ParseQuery(t.dstURI.RawQuery)
servers := strings.Split(t.dstURI.Host, ",")
dialInfo := &mgo.DialInfo{
Addrs: servers,
Database: t.dstDB,
Username: username,
Password: password,
Timeout: time.Second * time.Duration(*connectionTimeout),
}
if replicaSet, hasReplicaSet := parsedQuery["replicaSet"]; hasReplicaSet {
dialInfo.ReplicaSetName = replicaSet[0]
}
if ssl, hasSSL := parsedQuery["ssl"]; hasSSL && ssl[0] == "true" {
dialInfo.DialServer = func(addr *mgo.ServerAddr) (net.Conn, error) {
conn, err := tls.Dial("tcp", addr.String(), &tls.Config{InsecureSkipVerify: *ignoreSslError})
if err != nil {
logger.Error("tls err, %v", err)
}
return conn, err
}
}
session, err := mgo.DialWithInfo(dialInfo)
if err != nil {
return fmt.Errorf("Cannot dial with dialInfo %v\n, %v", dialInfo, err)
}
t.dst = session
return nil
}
func openTLSClient(ipPort string) (*tls.Conn, error) {
// Note this loads standard x509 certificates, test keys can be
// generated with makecert.sh
log.Printf("Loading certificates from directory: %s\n", *certDir)
cert, err := tls.LoadX509KeyPair(*certDir+"/server.pem", *certDir+"/server.key")
if err != nil {
log.Fatalf("server: loadkeys: %s", err)
}
// InsecureSkipVerify required for unsigned certs with Go1 and later.
config := tls.Config{Certificates: []tls.Certificate{cert}, InsecureSkipVerify: true}
conn, err := tls.Dial("tcp", ipPort, &config)
if err != nil {
log.Fatalf("client: dial: %s", err)
}
log.Println("client: connected to: ", conn.RemoteAddr())
// This shows the public key of the server, we will accept any key, but
// we could terminate the connection based on the public key if desired.
state := conn.ConnectionState()
for _, v := range state.PeerCertificates {
log.Printf("Client: Server public key is:\n%x\n", v.PublicKey.(*rsa.PublicKey).N)
}
// Lets verify behind the doubt that both ends of the connection
// have completed the handshake and negotiated a SSL connection
log.Println("client: handshake: ", state.HandshakeComplete)
log.Println("client: mutual: ", state.NegotiatedProtocolIsMutual)
// All TLS handling has completed, now to pass the connection off to
// go-rpcgen/protobuf/AddService
return conn, err
}
func (p *UpgradeAwareSingleHostReverseProxy) dialBackend(req *http.Request) (net.Conn, error) {
dialAddr := netutil.CanonicalAddr(req.URL)
switch p.backendAddr.Scheme {
case "http":
return net.Dial("tcp", dialAddr)
case "https":
tlsConfig, err := restclient.TLSConfigFor(p.clientConfig)
if err != nil {
return nil, err
}
tlsConn, err := tls.Dial("tcp", dialAddr, tlsConfig)
if err != nil {
return nil, err
}
hostToVerify, _, err := net.SplitHostPort(dialAddr)
if err != nil {
return nil, err
}
err = tlsConn.VerifyHostname(hostToVerify)
return tlsConn, err
default:
return nil, fmt.Errorf("unknown scheme: %s", p.backendAddr.Scheme)
}
}
// dial dials the host specified by req, using TLS if appropriate.
func (s *SpdyRoundTripper) dial(req *http.Request) (net.Conn, error) {
dialAddr := netutil.CanonicalAddr(req.URL)
if req.URL.Scheme == "http" {
if s.Dialer == nil {
return net.Dial("tcp", dialAddr)
} else {
return s.Dialer.Dial("tcp", dialAddr)
}
}
// TODO validate the TLSClientConfig is set up?
var conn *tls.Conn
var err error
if s.Dialer == nil {
conn, err = tls.Dial("tcp", dialAddr, s.tlsConfig)
} else {
conn, err = tls.DialWithDialer(s.Dialer, "tcp", dialAddr, s.tlsConfig)
}
if err != nil {
return nil, err
}
host, _, err := net.SplitHostPort(dialAddr)
if err != nil {
return nil, err
}
err = conn.VerifyHostname(host)
if err != nil {
return nil, err
}
return conn, nil
}
func (connWriter *connWriter) connect() error {
if connWriter.innerWriter != nil {
connWriter.innerWriter.Close()
connWriter.innerWriter = nil
}
if connWriter.useTLS {
conn, err := tls.Dial(connWriter.net, connWriter.addr, connWriter.configTLS)
if err != nil {
return err
}
connWriter.innerWriter = conn
return nil
}
conn, err := net.Dial(connWriter.net, connWriter.addr)
if err != nil {
return err
}
tcpConn, ok := conn.(*net.TCPConn)
if ok {
tcpConn.SetKeepAlive(true)
}
connWriter.innerWriter = conn
return nil
}
// DialTLS opens a new TLS encrytped connection with the givent configuration
// to the network/address and then beings a muxado client session on it.
func DialTLS(network, addr string, tlsConfig *tls.Config) (sess Session, err error) {
conn, err := tls.Dial(network, addr, tlsConfig)
if err != nil {
return
}
return Client(conn), nil
}
func (p *apnsPushService) reconnect(psp *PushServiceProvider) (net.Conn, error) {
name := psp.Name()
p.connLock.Lock()
defer p.connLock.Unlock()
if conn, ok := p.conns[name]; ok {
conn.Close()
}
cert, err := tls.LoadX509KeyPair(psp.FixedData["cert"], psp.FixedData["key"])
if err != nil {
return nil, NewBadPushServiceProviderWithDetails(psp, err.Error())
}
conf := &tls.Config{
Certificates: []tls.Certificate{cert},
InsecureSkipVerify: true,
}
tlsconn, err := tls.Dial("tcp", psp.VolatileData["addr"], conf)
if err != nil {
return nil, NewConnectionError(err)
}
err = tlsconn.Handshake()
if err != nil {
return nil, NewConnectionError(err)
}
p.conns[name] = tlsconn
return tlsconn, nil
}
