// grabCerts grabs certificates for the masquerades received on masqueradesCh and sends
// *masquerades to masqueradesCh.
func grabCerts() {
defer wg.Done()
for masq := range inputCh {
parts := strings.Split(masq, " ")
if len(parts) != 2 {
log.Error("Bad line! '" + masq + "'")
continue
}
ip := parts[0]
domain := parts[1]
_, blacklisted := blacklist[domain]
if blacklisted {
log.Tracef("Domain %s is blacklisted, skipping", domain)
continue
}
log.Tracef("Grabbing certs for IP %s, domain %s", ip, domain)
cwt, err := tlsdialer.DialForTimings(&net.Dialer{
Timeout: 10 * time.Second,
}, "tcp", ip+":443", false, &tls.Config{ServerName: domain})
if err != nil {
log.Errorf("Unable to dial IP %s, domain %s: %s", ip, domain, err)
continue
}
if err := cwt.Conn.Close(); err != nil {
log.Debugf("Error closing connection: %v", err)
}
chain := cwt.VerifiedChains[0]
rootCA := chain[len(chain)-1]
rootCert, err := keyman.LoadCertificateFromX509(rootCA)
if err != nil {
log.Errorf("Unable to load keyman certificate: %s", err)
continue
}
ca := &castat{
CommonName: rootCA.Subject.CommonName,
Cert: strings.Replace(string(rootCert.PEMEncoded()), "\n", "\\n", -1),
}
masqueradesCh <- &masquerade{
Domain: domain,
IpAddress: ip,
RootCA: ca,
}
}
}
func (d *direct) dialServerWith(masquerade *Masquerade) (net.Conn, error) {
tlsConfig := d.tlsConfig(masquerade)
dialTimeout := 10 * time.Second
sendServerNameExtension := false
cwt, err := tlsdialer.DialForTimings(
&net.Dialer{
Timeout: dialTimeout,
},
"tcp",
masquerade.IpAddress+":443",
sendServerNameExtension, // SNI or no
tlsConfig)
if err != nil && masquerade != nil {
err = fmt.Errorf("Unable to dial masquerade %s: %s", masquerade.Domain, err)
}
return cwt.Conn, err
}
func (d *dialer) dialServerWith(masquerade *Masquerade) (net.Conn, error) {
dialTimeout := time.Duration(d.DialTimeoutMillis) * time.Millisecond
if dialTimeout == 0 {
dialTimeout = 30 * time.Second
}
// Note - we need to suppress the sending of the ServerName in the client
// handshake to make host-spoofing work with Fastly. If the client Hello
// includes a server name, Fastly checks to make sure that this matches the
// Host header in the HTTP request and if they don't match, it returns
// a 400 Bad Request error.
sendServerNameExtension := false
cwt, err := tlsdialer.DialForTimings(
&net.Dialer{
Timeout: dialTimeout,
},
"tcp",
d.addressForServer(masquerade),
sendServerNameExtension,
d.tlsConfig(masquerade))
if d.OnDialStats != nil {
domain := ""
if masquerade != nil {
domain = masquerade.Domain
}
resultAddr := ""
if err == nil {
resultAddr = cwt.Conn.RemoteAddr().String()
}
d.OnDialStats(err == nil, domain, resultAddr, cwt.ResolutionTime, cwt.ConnectTime, cwt.HandshakeTime)
}
if err != nil && masquerade != nil {
err = fmt.Errorf("Unable to dial masquerade %s: %s", masquerade.Domain, err)
}
return cwt.Conn, err
}
// grabCerts grabs certificates for the domains received on domainsCh and sends
// *masquerades to masqueradesCh.
func grabCerts() {
defer wg.Done()
for domain := range domainsCh {
_, blacklisted := blacklist[domain]
if blacklisted {
log.Tracef("Domain %s is blacklisted, skipping", domain)
continue
}
log.Tracef("Grabbing certs for domain: %s", domain)
cwt, err := tlsdialer.DialForTimings(&net.Dialer{
Timeout: 10 * time.Second,
}, "tcp", domain+":443", false, nil)
if err != nil {
log.Errorf("Unable to dial domain %s: %s", domain, err)
continue
}
if err := cwt.Conn.Close(); err != nil {
log.Debugf("Error closing connection: %v", err)
}
chain := cwt.VerifiedChains[0]
rootCA := chain[len(chain)-1]
rootCert, err := keyman.LoadCertificateFromX509(rootCA)
if err != nil {
log.Errorf("Unablet to load keyman certificate: %s", err)
continue
}
ca := &castat{
CommonName: rootCA.Subject.CommonName,
Cert: strings.Replace(string(rootCert.PEMEncoded()), "\n", "\\n", -1),
}
masqueradesCh <- &masquerade{
Domain: domain,
IpAddress: cwt.ResolvedAddr.IP.String(),
RootCA: ca,
}
}
}
