func NewConnectingPeer(logger *util.Logger, server *TLSServer, connection *tls.Conn) *Peer { inst := NewPeer(logger, server, connection.RemoteAddr().String()) inst.Connection = connection inst.State = PeerStateHandshake inst.Incoming = true return inst }
func HandleUserTimeout(UserCollection *mgo.Collection, username, RSA_Public_Key string, conn *tls.Conn, timeout_sec int) { log.Printf("Timeout:\tUser '%s' at %s\n", username, conn.RemoteAddr()) err := GBServerDatabase.UpdateLastAccessedTime(UserCollection, username, string(RSA_Public_Key), 5) checkErr(err) err = GBServerDatabase.UpdateCurrentlyBeingUsed(UserCollection, username, string(RSA_Public_Key), false) checkErr(err) }
func connect(app string, keyFile string, certFile string, sandbox bool) { defer CapturePanic(fmt.Sprintf("connection to apns server error %s", app)) cert, err := tls.LoadX509KeyPair(certFile, keyFile) if err != nil { log.Printf("server : loadKeys: %s", err) } config := tls.Config{Certificates: []tls.Certificate{cert}, InsecureSkipVerify: true} endPoint := APNS_ENDPOINT if sandbox { endPoint = APNS_SANDBOX_ENDPOINT } var conn *tls.Conn for { conn, err = tls.Dial("tcp", endPoint, &config) if err != nil { log.Println("连接服务器有误, 2秒后将重连", err) time.Sleep(time.Second * 2) } else { break } } log.Println("client is connect to ", conn.RemoteAddr()) state := conn.ConnectionState() log.Println("client: hand shake ", state.HandshakeComplete) log.Println("client: mutual", state.NegotiatedProtocolIsMutual) if sandbox { app = app + DEVELOP_SUBFIX } info := &ConnectInfo{Connection: conn, App: app, Sandbox: sandbox, lastActivity: time.Now().Unix()} socketCN <- info }
func main() { ripmgr := randip.NewRandIPv4Mgr(true, 1249767200) for { newIP, err := ripmgr.GetNextIP() if err != nil { log.Println("IP Addr Exhausted") return } else { go func() { log.Println(newIP.String()) config := tls.Config{InsecureSkipVerify: true, ServerName: "google.com"} var err error var newConn *tls.Conn newConn, err = tls.DialWithDialer(&net.Dialer{Timeout: 2 * time.Second}, "tcp", newIP.String()+":443", &config) if err != nil { log.Println(err) } else { conState := newConn.ConnectionState() fmt.Println(newConn.RemoteAddr(), conState.PeerCertificates[0].NotBefore, conState.PeerCertificates[0].NotAfter, conState.PeerCertificates[0].SerialNumber) //jsonCert,_ := json.MarshalIndent(conState.PeerCertificates[0],""," ") //fmt.Println(string(jsonCert)) newConn.Close() } }() } } }
func handle_tlsconn(conn *tls.Conn, context *Context) bool { conn.SetDeadline(time.Now().Add(config.TimeoutTLS)) err := conn.Handshake() if err != nil { util.Log(0, "ERROR! [SECURITY] TLS Handshake: %v", err) return false } var no_deadline time.Time conn.SetDeadline(no_deadline) state := conn.ConnectionState() if len(state.PeerCertificates) == 0 { util.Log(0, "ERROR! [SECURITY] TLS peer has no certificate") return false } cert := state.PeerCertificates[0] // docs are unclear about this but I think leaf certificate is the first entry because that's as it is in tls.Certificate if util.LogLevel >= 2 { // because creating the dump is expensive util.Log(2, "DEBUG! [SECURITY] Peer certificate presented by %v:\n%v", conn.RemoteAddr(), CertificateInfo(cert)) } for _, cacert := range config.CACert { err = cert.CheckSignatureFrom(cacert) if err == nil { if string(cacert.RawSubject) != string(cert.RawIssuer) { err = fmt.Errorf("Certificate was issued by wrong CA: \"%v\" instead of \"%v\"", cacert.Subject, cert.Issuer) } else { break // stop checking if we found a match for a CA. err == nil here! } } } if err != nil { util.Log(0, "ERROR! [SECURITY] TLS peer presented certificate not signed by trusted CA: %v", err) return false } for _, e := range cert.Extensions { if len(e.Id) == 4 && e.Id[0] == 2 && e.Id[1] == 5 && e.Id[2] == 29 && e.Id[3] == 17 { parseSANExtension(e.Value, context) } else if len(e.Id) == 9 && e.Id[0] == 1 && e.Id[1] == 3 && e.Id[2] == 6 && e.Id[3] == 1 && e.Id[4] == 4 && e.Id[5] == 1 && e.Id[6] == 45753 && e.Id[7] == 1 { switch e.Id[8] { case 5: err = parseConnectionLimits(e.Value, context) if err != nil { util.Log(0, "ERROR! [SECURITY] GosaConnectionLimits: %v", err) } case 6: //err = parseAccessControl(e.Value, context) //if err != nil { util.Log(0, "ERROR! [SECURITY] GosaAccessControl: %v", err) } } } } context.TLS = true return true }
func verifyClientAddrMatch(c *tls.Conn) error { err := c.Handshake() if err != nil { return err } addr, _, err := net.SplitHostPort(c.RemoteAddr().String()) if err != nil { return err } return c.ConnectionState().VerifiedChains[0][0].VerifyHostname(addr) }
func clientSessionCacheKey(conn *tls.Conn, config *tls.Config) string { if len(config.ServerName) > 0 { return config.ServerName } addr := conn.RemoteAddr().String() colonPos := strings.LastIndex(addr, ":") if colonPos == -1 { colonPos = len(addr) } hostname := addr[:colonPos] return hostname }
// tlsConnectionStateString выводит в лог информацию о TLS-соединении. func tlsConnectionStateString(conn *tls.Conn) string { var state = conn.ConnectionState() return fmt.Sprint("Connection state:", "\n------------------------------------------------------------", "\n Local Address: ", conn.LocalAddr(), "\n Remote Address: ", conn.RemoteAddr(), "\n TLS version: ", state.Version, "\n Handshake Complete: ", state.HandshakeComplete, "\n Did Resume: ", state.DidResume, "\n Cipher Suite: ", state.CipherSuite, "\n------------------------------------------------------------") }
func NewTLSRedialTransport(conn *tls.Conn, serverName string) *TLSRedialTransport { t := &TLSRedialTransport{ ServerConn: conn, ServerName: serverName, serverAddr: conn.RemoteAddr().String(), publicKey: conn.ConnectionState().PeerCertificates[0].RawSubjectPublicKeyInfo, } t.Dial = t.dial t.timeout = time.AfterFunc(10*time.Second, t.CloseIdleConnections) return t }
func tryConnect(addr string, strict bool) (errchan chan error) { errchan = make(chan error) go func() { caCertFile, err := ioutil.TempFile("", "logstash-forwarder-cacert") if err != nil { panic(err) } defer func() { os.Remove(caCertFile.Name()) }() ioutil.WriteFile(caCertFile.Name(), []byte(caCert), os.ModeTemporary) // this can be messy because of localhost resolving to ipv6 addresses // but there's no easy way to disable v6 resolution here const wait = 5 const retryLimit = 3 tryAttempt := 0 exinfo := "" config := &NetworkConfig{ SSLCA: caCertFile.Name(), Servers: []string{addr}, Timeout: wait, timeout: time.Second * wait, } var socket *tls.Conn for socket == nil && tryAttempt < retryLimit { select { case socket = <-doConnect(config): case <-time.After(time.Second * wait): log.Printf("INFO: Connect timeout: attempt: %d\n", tryAttempt) tryAttempt++ } } if socket == nil { errchan <- errors.New("Client connect failed. " + exinfo) return } defer socket.Close() log.Printf("INFO: Connected to %s\n", socket.RemoteAddr()) if !socket.ConnectionState().HandshakeComplete { errchan <- errors.New("handshake should be complete") return } errchan <- nil }() return errchan }
/* Check that the TLS connection's certficate can be applied to this connection. Because irc.coldfront.net presents a certificate not as irc.coldfront.net, but as it's actual host (e.g. snow.coldfront.net), We do this by comparing the IP address of the certs name to the IP address of our connection. If they match we're OK. */ func isCertValid(conn *tls.Conn) bool { connAddr := strings.Split(conn.RemoteAddr().String(), ":")[0] cert := conn.ConnectionState().PeerCertificates[0] if len(cert.DNSNames) == 0 { // Cert has single name, the usual case return isIPMatch(cert.Subject.CommonName, connAddr) } // Cert has several valid names for _, certname := range cert.DNSNames { if isIPMatch(certname, connAddr) { return true } } return false }
func tlsConnLog(conn *tls.Conn) *log.Entry { return log.WithFields(log.Fields{ "addr": conn.RemoteAddr(), }) }