func performHandshakeAndValidation(conn *tls.Conn, uri *url.URL) error { if err := conn.Handshake(); err != nil { return err } cs := conn.ConnectionState() if !cs.NegotiatedProtocolIsMutual || cs.NegotiatedProtocol != protocol.ProtocolName { return fmt.Errorf("protocol negotiation error") } q := uri.Query() relayIDs := q.Get("id") if relayIDs != "" { relayID, err := syncthingprotocol.DeviceIDFromString(relayIDs) if err != nil { return fmt.Errorf("relay address contains invalid verification id: %s", err) } certs := cs.PeerCertificates if cl := len(certs); cl != 1 { return fmt.Errorf("unexpected certificate count: %d", cl) } remoteID := syncthingprotocol.NewDeviceID(certs[0].Raw) if remoteID != relayID { return fmt.Errorf("relay id does not match. Expected %v got %v", relayID, remoteID) } } return nil }
func (c *connection) startTls() (err error) { if c.authOptions == nil { return nil } if c.authOptions.TlsConfig == nil { return ErrAuthMissingConfig } c.state = connTlsStarting startTlsCmd := &StartTlsCommand{} if err = c.execute(startTlsCmd); err != nil { return } var tlsConn *tls.Conn if tlsConn = tls.Client(c.conn, c.authOptions.TlsConfig); tlsConn == nil { err = ErrAuthTLSUpgradeFailed return } if err = tlsConn.Handshake(); err != nil { return } c.conn = tlsConn authCmd := &AuthCommand{ User: c.authOptions.User, Password: c.authOptions.Password, } err = c.execute(authCmd) return }
// StartTLS takes an identity and an authority certificate and upgrades the net.Conn on the protocol to TLS // It returns the CommonName from the peer certitifcate, or an error func (p *Protocol) StartTLS(identity *security.Identity, caCertificate *security.Certificate) (string, error) { var ( err error tlsConn *tls.Conn ) if err = p.WriteBytesWithDeadline([]byte{TLS}); err != nil { return "", err } // Build the config config := new(tls.Config) config.ServerName = p.serverName // Setup the tls connection if err = p.tlsSetup(config, identity, caCertificate); err != nil { return "", err } // Upgrade the connection to TLS // TODO: Add a deadline here? tlsConn = tls.Client(p.conn, config) if err = tlsConn.Handshake(); err != nil { return "", err } // Capture the connection state cs := tlsConn.ConnectionState() // And replace the original connection p.conn = net.Conn(tlsConn) p.setupBuffers() return cs.PeerCertificates[0].Subject.CommonName, nil }
// HandleStartTLS is the companion to StartTLS, and will do the connection upgrade. It assumes // that the TLS command byte has already been read. Like StartTLS it returns the peer name, or // an error func (p *Protocol) HandleStartTLS(identity *security.Identity, caCertificate *security.Certificate) (string, error) { var ( err error tlsConn *tls.Conn ) // Build the config config := new(tls.Config) config.ClientAuth = tls.RequireAndVerifyClientCert // Setup the tls connection if err := p.tlsSetup(config, identity, caCertificate); err != nil { return "", err } // Upgrade the connection to TLS // TODO: Add a deadline here? tlsConn = tls.Server(p.conn, config) if err = tlsConn.Handshake(); err != nil { return "", err } // Capture the connection state cs := tlsConn.ConnectionState() // And replace the original connection p.conn = net.Conn(tlsConn) p.setupBuffers() // Send an Ack p.Ack() return cs.PeerCertificates[0].Subject.CommonName, nil }
func enrichWithOwnChecks(conn *tls.Conn, tlsConfig *tls.Config) error { var err error if err = conn.Handshake(); err != nil { conn.Close() return err } opts := x509.VerifyOptions{ Roots: tlsConfig.RootCAs, CurrentTime: time.Now(), DNSName: "", Intermediates: x509.NewCertPool(), } certs := conn.ConnectionState().PeerCertificates for i, cert := range certs { if i == 0 { continue } opts.Intermediates.AddCert(cert) } _, err = certs[0].Verify(opts) if err != nil { conn.Close() return err } return nil }
func (c *connection) startTls() error { if c.authOptions == nil { return nil } if c.authOptions.TlsConfig == nil { return ErrAuthMissingConfig } c.setState(connTlsStarting) startTlsCmd := &startTlsCommand{} if err := c.execute(startTlsCmd); err != nil { return err } var tlsConn *tls.Conn if tlsConn = tls.Client(c.conn, c.authOptions.TlsConfig); tlsConn == nil { return ErrAuthTLSUpgradeFailed } if err := tlsConn.Handshake(); err != nil { return err } c.conn = tlsConn authCmd := &authCommand{ user: c.authOptions.User, password: c.authOptions.Password, } return c.execute(authCmd) }
func Connect(cert_filename string, key_filename string, server string) (*Apn, error) { rchan := make(chan NotificationError) cert, cert_err := tls.LoadX509KeyPair(cert_filename, key_filename) if cert_err != nil { return nil, cert_err } conn, err := net.Dial("tcp", server) if err != nil { return nil, err } certificate := []tls.Certificate{cert} conf := tls.Config{ Certificates: certificate, } var client_conn *tls.Conn = tls.Client(conn, &conf) err = client_conn.Handshake() if err != nil { return nil, err } go readError(client_conn, rchan) return &Apn{cert, server, client_conn, rchan}, nil }
func (t *TCP) startTLS() (el element.Element, err error) { var tlsConn *tls.Conn if t.mode == stream.Initiating { err = t.WriteElement(element.StartTLS) if err != nil { return } el, err = t.Next() if err != nil || el.Tag != element.TLSProceed.Tag { return } tlsConn = tls.Client(t.Conn, t.conf) } else { err = t.WriteElement(element.TLSProceed) if err != nil { return } tlsConn = tls.Server(t.Conn, t.conf) } err = tlsConn.Handshake() if err != nil { return } conn := net.Conn(tlsConn) t.Conn = conn t.Decoder = xml.NewDecoder(conn) el = element.Element{} err = stream.ErrRequireRestart t.secure = true log.Println("Done upgrading connection") return }
func (r *invitationReceiver) Serve() { for { select { case inv := <-r.invitations: l.Debugln("Received relay invitation", inv) conn, err := client.JoinSession(inv) if err != nil { l.Debugf("Failed to join relay session %s: %v", inv, err) continue } var tc *tls.Conn if inv.ServerSocket { tc = tls.Server(conn, r.tlsCfg) } else { tc = tls.Client(conn, r.tlsCfg) } err = tc.Handshake() if err != nil { l.Infof("TLS handshake (BEP/relay %s): %v", inv, err) tc.Close() continue } r.conns <- tc case <-r.stop: return } } }
func (d *relayDialer) Dial(id protocol.DeviceID, uri *url.URL) (IntermediateConnection, error) { inv, err := client.GetInvitationFromRelay(uri, id, d.tlsCfg.Certificates, 10*time.Second) if err != nil { return IntermediateConnection{}, err } conn, err := client.JoinSession(inv) if err != nil { return IntermediateConnection{}, err } err = dialer.SetTCPOptions(conn) if err != nil { conn.Close() return IntermediateConnection{}, err } var tc *tls.Conn if inv.ServerSocket { tc = tls.Server(conn, d.tlsCfg) } else { tc = tls.Client(conn, d.tlsCfg) } err = tc.Handshake() if err != nil { tc.Close() return IntermediateConnection{}, err } return IntermediateConnection{tc, "Relay (Client)", relayPriority}, nil }
func handle_tlsconn(conn *tls.Conn, context *Context) bool { conn.SetDeadline(time.Now().Add(config.TimeoutTLS)) err := conn.Handshake() if err != nil { util.Log(0, "ERROR! [SECURITY] TLS Handshake: %v", err) return false } var no_deadline time.Time conn.SetDeadline(no_deadline) state := conn.ConnectionState() if len(state.PeerCertificates) == 0 { util.Log(0, "ERROR! [SECURITY] TLS peer has no certificate") return false } cert := state.PeerCertificates[0] // docs are unclear about this but I think leaf certificate is the first entry because that's as it is in tls.Certificate if util.LogLevel >= 2 { // because creating the dump is expensive util.Log(2, "DEBUG! [SECURITY] Peer certificate presented by %v:\n%v", conn.RemoteAddr(), CertificateInfo(cert)) } for _, cacert := range config.CACert { err = cert.CheckSignatureFrom(cacert) if err == nil { if string(cacert.RawSubject) != string(cert.RawIssuer) { err = fmt.Errorf("Certificate was issued by wrong CA: \"%v\" instead of \"%v\"", cacert.Subject, cert.Issuer) } else { break // stop checking if we found a match for a CA. err == nil here! } } } if err != nil { util.Log(0, "ERROR! [SECURITY] TLS peer presented certificate not signed by trusted CA: %v", err) return false } for _, e := range cert.Extensions { if len(e.Id) == 4 && e.Id[0] == 2 && e.Id[1] == 5 && e.Id[2] == 29 && e.Id[3] == 17 { parseSANExtension(e.Value, context) } else if len(e.Id) == 9 && e.Id[0] == 1 && e.Id[1] == 3 && e.Id[2] == 6 && e.Id[3] == 1 && e.Id[4] == 4 && e.Id[5] == 1 && e.Id[6] == 45753 && e.Id[7] == 1 { switch e.Id[8] { case 5: err = parseConnectionLimits(e.Value, context) if err != nil { util.Log(0, "ERROR! [SECURITY] GosaConnectionLimits: %v", err) } case 6: //err = parseAccessControl(e.Value, context) //if err != nil { util.Log(0, "ERROR! [SECURITY] GosaAccessControl: %v", err) } } } } context.TLS = true return true }
// DialTLSFunc returns the adequate dial function, when using SSL, depending on // whether we're using insecure TLS (certificate verification is disabled), or we // have some trusted certs, or we're on android. // If the client's config has some trusted certs, the server's certificate will // be checked against those in the config after the TLS handshake. func (c *Client) DialTLSFunc() func(network, addr string) (net.Conn, error) { if !c.useTLS() { return nil } trustedCerts := c.getTrustedCerts() var stdTLS bool if !c.InsecureTLS && len(trustedCerts) == 0 { // TLS with normal/full verification stdTLS = true if !android.IsChild() { // Not android, so let the stdlib deal with it return nil } } return func(network, addr string) (net.Conn, error) { var conn *tls.Conn var err error if android.IsChild() { con, err := android.Dial(network, addr) if err != nil { return nil, err } var tlsConfig *tls.Config if stdTLS { tlsConfig, err = android.TLSConfig() if err != nil { return nil, err } } else { tlsConfig = &tls.Config{InsecureSkipVerify: true} } conn = tls.Client(con, tlsConfig) if err = conn.Handshake(); err != nil { return nil, err } } else { conn, err = tls.Dial(network, addr, &tls.Config{InsecureSkipVerify: true}) if err != nil { return nil, err } } if c.InsecureTLS { return conn, nil } certs := conn.ConnectionState().PeerCertificates if certs == nil || len(certs) < 1 { return nil, errors.New("Could not get server's certificate from the TLS connection.") } sig := hashutil.SHA256Prefix(certs[0].Raw) for _, v := range trustedCerts { if v == sig { return conn, nil } } return nil, fmt.Errorf("Server's certificate %v is not in the trusted list", sig) } }
// DialTLSFunc returns the adequate dial function, when using SSL, depending on // whether we're using insecure TLS (certificate verification is disabled), or we // have some trusted certs, or we're on android.1 // If the client's config has some trusted certs, the server's certificate will // be checked against those in the config after the TLS handshake. func (c *Client) DialTLSFunc() func(network, addr string) (net.Conn, error) { if !c.useTLS() { return nil } trustedCerts := c.getTrustedCerts() var stdTLS bool if !c.insecureAnyTLSCert && len(trustedCerts) == 0 { // TLS with normal/full verification. stdTLS = true if !android.IsChild() { // Not android, so let the stdlib deal with it return nil } } return func(network, addr string) (net.Conn, error) { var conn *tls.Conn var err error if android.IsChild() { ac, err := android.Dial(network, addr) if err != nil { return nil, err } var tlsConfig *tls.Config if stdTLS { tlsConfig, err = android.TLSConfig() if err != nil { return nil, err } } else { tlsConfig = &tls.Config{InsecureSkipVerify: true} } conn = tls.Client(ac, tlsConfig) if err := conn.Handshake(); err != nil { return nil, err } } else { conn, err = tls.Dial(network, addr, &tls.Config{InsecureSkipVerify: true}) if err != nil { return nil, err } } if c.insecureAnyTLSCert { return conn, nil } certs := conn.ConnectionState().PeerCertificates if len(certs) < 1 { return nil, fmt.Errorf("no TLS peer certificates from %s", addr) } sig := hashutil.SHA256Prefix(certs[0].Raw) for _, v := range trustedCerts { if v == sig { return conn, nil } } return nil, fmt.Errorf("TLS server at %v presented untrusted certificate (signature %q)", addr, sig) } }
func (srv *Server) switchToTLS(conn xmppConn) { conn.Write([]byte(`<proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>`)) var tls_conn *tls.Conn tls_conn = tls.Server(conn.Conn, &srv.tlsConfig) tls_conn.Handshake() new_conn := xmppConn{tls_conn, "", ""} srv.handle(new_conn, true) }
func verifyClientAddrMatch(c *tls.Conn) error { err := c.Handshake() if err != nil { return err } addr, _, err := net.SplitHostPort(c.RemoteAddr().String()) if err != nil { return err } return c.ConnectionState().VerifiedChains[0][0].VerifyHostname(addr) }
// NewClient establishes a new Client connection based on a set of Options. func (o Options) NewClient() (*Client, error) { host := o.Host c, err := connect(host, o.User, o.Password) if err != nil { return nil, err } if strings.LastIndex(o.Host, ":") > 0 { host = host[:strings.LastIndex(o.Host, ":")] } client := new(Client) if o.NoTLS { if o.Debug { client.conn = DebugConn{c} } else { client.conn = c } } else { var tlsconn *tls.Conn if o.TLSConfig != nil { tlsconn = tls.Client(c, o.TLSConfig) } else { DefaultConfig.ServerName = host tlsconn = tls.Client(c, &DefaultConfig) } if err = tlsconn.Handshake(); err != nil { return nil, err } insecureSkipVerify := DefaultConfig.InsecureSkipVerify if o.TLSConfig != nil { insecureSkipVerify = o.TLSConfig.InsecureSkipVerify } if !insecureSkipVerify { if err = tlsconn.VerifyHostname(host); err != nil { return nil, err } } if o.Debug { client.conn = DebugConn{tlsconn} } else { client.conn = tlsconn } } if err := client.init(&o); err != nil { client.Close() return nil, err } return client, nil }
func (p *httpProxyClient) DialTCPSAddr(network string, raddr string) (ProxyTCPConn, error) { var tlsConn *tls.Conn rawConn, err := p.upProxy.DialTCPSAddr(network, p.proxyAddr) if err != nil { return nil, fmt.Errorf("无法连接代理服务器 %v ,错误:%v", p.proxyAddr, err) } var c Conn = rawConn if p.proxyType == "https" { tlsConn = tls.Client(c, &tls.Config{ServerName: p.proxyDomain, InsecureSkipVerify: p.insecureSkipVerify}) if err := tlsConn.Handshake(); err != nil { tlsConn.Close() return nil, fmt.Errorf("TLS 协议握手错误:%v", err) } if p.insecureSkipVerify == false && tlsConn.VerifyHostname(p.proxyDomain) != nil { tlsConn.Close() return nil, fmt.Errorf("TLS 协议域名验证失败:%v", err) } c = tlsConn } req, err := http.NewRequest("CONNECT", p.proxyAddr, nil) if err != nil { c.Close() return nil, fmt.Errorf("创建请求错误:%v", err) } req.URL.Path = raddr req.URL.Host = p.proxyAddr if err := req.Write(c); err != nil { c.Close() return nil, fmt.Errorf("写请求错误:%v", err) } br := bufio.NewReader(c) res, err := http.ReadResponse(br, req) if err != nil { c.Close() return nil, fmt.Errorf("响应格式错误:%v", err) } if res.StatusCode != 200 { c.Close() return nil, fmt.Errorf("响应错误:%v", res) } return &HttpTCPConn{c, rawConn, tlsConn, net.TCPAddr{}, net.TCPAddr{}, "", "", 0, 0, p, res.Body}, nil }
func (this *Tsd) Connect() (err error) { if this.conn, err = net.DialTimeout("tcp", fmt.Sprintf("%s:%d", this.host, this.port), time.Second*2); err != nil { return } if this.ssl { var tlsconn *tls.Conn tlsconn = tls.Client(this.conn, &tls.Config{InsecureSkipVerify: true}) if err = tlsconn.Handshake(); err != nil { return } this.conn = tlsconn } this.connected = true return }
// NewClient establishes a new Client connection based on a set of Options. func (o Options) NewClient() (*Client, error) { host := o.Host c, err := connect(host, o.User, o.Password) if err != nil { return nil, err } client := new(Client) if o.NoTLS { client.conn = c } else { var tlsconn *tls.Conn if o.TLSConfig != nil { tlsconn = tls.Client(c, o.TLSConfig) } else { //from https://github.com/dullgiulio/go-xmpp usrServ := strings.Split(o.User, "@") if len(usrServ) != 2 { return nil, errors.New("xmpp: invalid username (want user@domain): " + o.User) } DefaultConfig.ServerName = usrServ[1] tlsconn = tls.Client(c, &DefaultConfig) } if err = tlsconn.Handshake(); err != nil { return nil, err } if strings.LastIndex(o.Host, ":") > 0 { host = host[:strings.LastIndex(o.Host, ":")] } insecureSkipVerify := DefaultConfig.InsecureSkipVerify if o.TLSConfig != nil { insecureSkipVerify = o.TLSConfig.InsecureSkipVerify } if !insecureSkipVerify { if err = tlsconn.VerifyHostname(host); err != nil { return nil, err } } client.conn = tlsconn } if err := client.init(&o); err != nil { client.Close() return nil, err } return client, nil }
// DialFunc returns the adequate dial function, depending on // whether SSL is required, the client's config has some trusted // certs, and we're on android. // If the client's config has some trusted certs, the server's // certificate will be checked against those in the config after // the TLS handshake. func (c *Client) DialFunc() func(network, addr string) (net.Conn, error) { trustedCerts := c.GetTrustedCerts() if !c.useTLS() || (!c.InsecureTLS && len(trustedCerts) == 0) { // No TLS, or TLS with normal/full verification if onAndroid() { return func(network, addr string) (net.Conn, error) { return androidDial(network, addr) } } return nil } return func(network, addr string) (net.Conn, error) { var conn *tls.Conn var err error if onAndroid() { con, err := androidDial(network, addr) if err != nil { return nil, err } conn = tls.Client(con, &tls.Config{InsecureSkipVerify: true}) if err = conn.Handshake(); err != nil { return nil, err } } else { conn, err = tls.Dial(network, addr, &tls.Config{InsecureSkipVerify: true}) if err != nil { return nil, err } } if c.InsecureTLS { return conn, nil } certs := conn.ConnectionState().PeerCertificates if certs == nil || len(certs) < 1 { return nil, errors.New("Could not get server's certificate from the TLS connection.") } sig := misc.SHA1Prefix(certs[0].Raw) for _, v := range trustedCerts { if v == sig { return conn, nil } } return nil, fmt.Errorf("Server's certificate %v is not in the trusted list", sig) } }
func (r *invitationReceiver) Serve() { if r.stop != nil { return } r.stop = make(chan struct{}) for { select { case inv := <-r.invitations: if debug { l.Debugln("Received relay invitation", inv) } conn, err := client.JoinSession(inv) if err != nil { if debug { l.Debugf("Failed to join relay session %s: %v", inv, err) } continue } err = osutil.SetTCPOptions(conn.(*net.TCPConn)) if err != nil { l.Infoln(err) } var tc *tls.Conn if inv.ServerSocket { tc = tls.Server(conn, r.tlsCfg) } else { tc = tls.Client(conn, r.tlsCfg) } err = tc.Handshake() if err != nil { l.Infof("TLS handshake (BEP/relay %s): %v", inv, err) tc.Close() continue } r.conns <- model.IntermediateConnection{ tc, model.ConnectionTypeRelayAccept, } case <-r.stop: return } } }
func (a *Apn) NewApnConn() (*ApnConn, error) { conn, err := net.Dial("tcp", a.server) if err != nil { return nil, fmt.Errorf("connect to server error: %d", err) } var client_conn *tls.Conn = tls.Client(conn, a.conf) err = client_conn.Handshake() if err != nil { return nil, fmt.Errorf("handshake server error: %s", err) } apn_conn := &ApnConn{client_conn, a.log} //go readError(apn_conn) return apn_conn, nil }
func verifyCrypto(conn *tls.Conn) (*Connection, error) { if err := conn.Handshake(); err != nil { return nil, err } certs := conn.ConnectionState().PeerCertificates if len(certs) != 1 { return nil, errors.New(fmt.Sprintf("Illegal number of certificates presented by peer (%d)", len(certs))) } cert := certs[0] if err := cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature); err != nil { return nil, err } return &Connection{Conn: conn, Id: NewIdentity(cert)}, nil }
// Wrap a net.Conn into a client tls connection, performing any // additional verification as needed. // // As of go 1.3, crypto/tls only supports either doing no certificate // verification, or doing full verification including of the peer's // DNS name. For consul, we want to validate that the certificate is // signed by a known CA, but because consul doesn't use DNS names for // node names, we don't verify the certificate DNS names. Since go 1.3 // no longer supports this mode of operation, we have to do it // manually. func WrapTLSClient(conn net.Conn, tlsConfig *tls.Config) (net.Conn, error) { var err error var tlsConn *tls.Conn tlsConn = tls.Client(conn, tlsConfig) // If crypto/tls is doing verification, there's no need to do // our own. if tlsConfig.InsecureSkipVerify == false { return tlsConn, nil } if err = tlsConn.Handshake(); err != nil { tlsConn.Close() return nil, err } // The following is lightly-modified from the doFullHandshake // method in crypto/tls's handshake_client.go. opts := x509.VerifyOptions{ Roots: tlsConfig.RootCAs, CurrentTime: time.Now(), DNSName: "", Intermediates: x509.NewCertPool(), } certs := tlsConn.ConnectionState().PeerCertificates for i, cert := range certs { if i == 0 { continue } opts.Intermediates.AddCert(cert) } _, err = certs[0].Verify(opts) if err != nil { tlsConn.Close() return nil, err } return tlsConn, err }
func (apnconn *Apn) Reconnect() error { conn, err := net.Dial("tcp", apnconn.server) if err != nil { return err } certificate := []tls.Certificate{apnconn.cert} conf := tls.Config{ Certificates: certificate, } var client_conn *tls.Conn = tls.Client(conn, &conf) err = client_conn.Handshake() if err != nil { return err } go readError(client_conn, apnconn.Errorchan) return nil }
func (c *Client) tlsHandler() { if c.tls_on { c.Write("502", "Already running in TLS") return } if c.server.TLSConfig == nil { c.Write("502", "TLS not supported") return } log.LogTrace("Ready to start TLS") c.Write("220", "Ready to start TLS") // upgrade to TLS var tlsConn *tls.Conn tlsConn = tls.Server(c.conn, c.server.TLSConfig) err := tlsConn.Handshake() // not necessary to call here, but might as well if err == nil { //c.conn = net.Conn(tlsConn) c.conn = tlsConn c.bufin = bufio.NewReader(c.conn) c.bufout = bufio.NewWriter(c.conn) c.tls_on = true // Reset envelope as a new EHLO/HELO is required after STARTTLS c.reset() // Reset deadlines on the underlying connection before I replace it // with a TLS connection c.conn.SetDeadline(time.Time{}) c.flush() } else { c.logWarn("Could not TLS handshake:%v", err) c.Write("550", "Handshake error") } c.state = 1 }
// verifyCA carries out a TLS handshake to the server and verifies the // presented certificate against the effective CA, i.e. the one specified in // sslrootcert or the system CA if sslrootcert was not specified. func (cn *conn) verifyCA(client *tls.Conn, tlsConf *tls.Config) { err := client.Handshake() if err != nil { panic(err) } certs := client.ConnectionState().PeerCertificates opts := x509.VerifyOptions{ DNSName: client.ConnectionState().ServerName, Intermediates: x509.NewCertPool(), Roots: tlsConf.RootCAs, } for i, cert := range certs { if i == 0 { continue } opts.Intermediates.AddCert(cert) } _, err = certs[0].Verify(opts) if err != nil { panic(err) } }
func (s *connectionSvc) connectViaRelay(deviceID protocol.DeviceID, addr discover.Relay) *tls.Conn { uri, err := url.Parse(addr.URL) if err != nil { l.Infoln("Failed to parse relay connection url:", addr, err) return nil } inv, err := client.GetInvitationFromRelay(uri, deviceID, s.tlsCfg.Certificates) if err != nil { l.Debugf("Failed to get invitation for %s from %s: %v", deviceID, uri, err) return nil } l.Debugln("Succesfully retrieved relay invitation", inv, "from", uri) conn, err := client.JoinSession(inv) if err != nil { l.Debugf("Failed to join relay session %s: %v", inv, err) return nil } l.Debugln("Successfully joined relay session", inv) var tc *tls.Conn if inv.ServerSocket { tc = tls.Server(conn, s.tlsCfg) } else { tc = tls.Client(conn, s.tlsCfg) } err = tc.Handshake() if err != nil { l.Infof("TLS handshake (BEP/relay %s): %v", inv, err) tc.Close() return nil } return tc }
func dialTLSWithOwnChecks(config *caretakerd.Config, tlsConfig *tls.Config) (net.Conn, error) { var err error var tlsConn *tls.Conn address := config.RPC.Listen tlsConn, err = tls.Dial(address.AsScheme(), address.AsAddress(), tlsConfig) if err != nil { return nil, err } if err = tlsConn.Handshake(); err != nil { tlsConn.Close() return nil, err } opts := x509.VerifyOptions{ Roots: tlsConfig.RootCAs, CurrentTime: time.Now(), DNSName: "", Intermediates: x509.NewCertPool(), } certs := tlsConn.ConnectionState().PeerCertificates for i, cert := range certs { if i == 0 { continue } opts.Intermediates.AddCert(cert) } _, err = certs[0].Verify(opts) if err != nil { tlsConn.Close() return nil, err } return tlsConn, err }
func (a *Apn) connect() (<-chan uint32, error) { // make sure last readError(...) will fail when reading. err := a.Close() if err != nil { return nil, fmt.Errorf("close last connection failed: %s", err) } conn, err := net.Dial("tcp", a.server) if err != nil { return nil, fmt.Errorf("connect to server error: %d", err) } var client_conn *tls.Conn = tls.Client(conn, a.conf) err = client_conn.Handshake() if err != nil { return nil, fmt.Errorf("handshake server error: %s", err) } a.conn = client_conn quit := make(chan uint32) go readError(client_conn, quit, a.errorChan) return quit, nil }