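// DialTLSFunc returns the adequate dial function, when using SSL, depending on
// whether we're using insecure TLS (certificate verification is disabled), or we
// have some trusted certs, or we're on android.
// If the client's config has some trusted certs, the server's certificate will
// be checked against those in the config after the TLS handshake.
//
// It returns nil when no custom dialer is needed: TLS is not in use, or full
// verification is wanted and we are not on android (the stdlib handles that).
//
// In the pinned mode the connection is dialed with InsecureSkipVerify, which
// disables both chain and hostname validation in crypto/tls; the only check is
// the comparison of the leaf certificate's SHA-256 prefix against trustedCerts.
// A connection that fails that comparison is closed before the error is
// returned, so a rejected handshake does not leak a socket.
func (c *Client) DialTLSFunc() func(network, addr string) (net.Conn, error) {
	if !c.useTLS() {
		return nil
	}
	trustedCerts := c.getTrustedCerts()
	var stdTLS bool
	if !c.insecureAnyTLSCert && len(trustedCerts) == 0 {
		// TLS with normal/full verification.
		stdTLS = true
		if !android.IsChild() {
			// Not android, so let the stdlib deal with it
			return nil
		}
	}

	return func(network, addr string) (net.Conn, error) {
		var conn *tls.Conn
		if android.IsChild() {
			ac, err := android.Dial(network, addr)
			if err != nil {
				return nil, err
			}
			var tlsConfig *tls.Config
			if stdTLS {
				// Full verification is delegated to the platform TLS config
				// (presumably chain + hostname validation — see android.TLSConfig).
				tlsConfig, err = android.TLSConfig()
				if err != nil {
					ac.Close()
					return nil, err
				}
			} else {
				// Verification is done by the pin check below, not by crypto/tls.
				tlsConfig = &tls.Config{InsecureSkipVerify: true}
			}
			conn = tls.Client(ac, tlsConfig)
			if err := conn.Handshake(); err != nil {
				// tls.Client does not take ownership of ac on failure; close it here.
				conn.Close()
				return nil, err
			}
			if stdTLS {
				// Already verified by tlsConfig, and trustedCerts is empty in
				// this mode, so the pin loop below could never match: returning
				// here avoids rejecting every fully-verified android connection.
				return conn, nil
			}
		} else {
			var err error
			// tls.Dial closes the raw connection itself when the handshake fails.
			conn, err = tls.Dial(network, addr, &tls.Config{InsecureSkipVerify: true})
			if err != nil {
				return nil, err
			}
		}
		if c.insecureAnyTLSCert {
			return conn, nil
		}
		certs := conn.ConnectionState().PeerCertificates
		if len(certs) < 1 {
			conn.Close()
			return nil, fmt.Errorf("no TLS peer certificates from %s", addr)
		}
		// Pin on the leaf certificate only (certs[0]); the rest of the presented
		// chain is not consulted.
		sig := hashutil.SHA256Prefix(certs[0].Raw)
		for _, v := range trustedCerts {
			if v == sig {
				return conn, nil
			}
		}
		conn.Close()
		return nil, fmt.Errorf("TLS server at %v presented untrusted certificate (signature %q)", addr, sig)
	}
}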
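// DialTLSFunc returns the adequate dial function, when using SSL, depending on
// whether we're using insecure TLS (certificate verification is disabled), or we
// have some trusted certs, or we're on android.
// If the client's config has some trusted certs, the server's certificate will
// be checked against those in the config after the TLS handshake.
//
// It returns nil when no custom dialer is needed: TLS is not in use, or full
// verification is wanted and we are not on android (the stdlib handles that).
//
// In the pinned mode the connection is dialed with InsecureSkipVerify, which
// disables both chain and hostname validation in crypto/tls; the only check is
// the comparison of the leaf certificate's SHA-256 prefix against trustedCerts.
// A connection that fails that comparison is closed before the error is
// returned, so a rejected handshake does not leak a socket.
func (c *Client) DialTLSFunc() func(network, addr string) (net.Conn, error) {
	if !c.useTLS() {
		return nil
	}
	trustedCerts := c.getTrustedCerts()
	var stdTLS bool
	if !c.InsecureTLS && len(trustedCerts) == 0 {
		// TLS with normal/full verification
		stdTLS = true
		if !android.IsChild() {
			// Not android, so let the stdlib deal with it
			return nil
		}
	}

	return func(network, addr string) (net.Conn, error) {
		var conn *tls.Conn
		if android.IsChild() {
			con, err := android.Dial(network, addr)
			if err != nil {
				return nil, err
			}
			var tlsConfig *tls.Config
			if stdTLS {
				// Full verification is delegated to the platform TLS config
				// (presumably chain + hostname validation — see android.TLSConfig).
				tlsConfig, err = android.TLSConfig()
				if err != nil {
					con.Close()
					return nil, err
				}
			} else {
				// Verification is done by the pin check below, not by crypto/tls.
				tlsConfig = &tls.Config{InsecureSkipVerify: true}
			}
			conn = tls.Client(con, tlsConfig)
			if err = conn.Handshake(); err != nil {
				// tls.Client does not take ownership of con on failure; close it here.
				conn.Close()
				return nil, err
			}
			if stdTLS {
				// Already verified by tlsConfig, and trustedCerts is empty in
				// this mode, so the pin loop below could never match: returning
				// here avoids rejecting every fully-verified android connection.
				return conn, nil
			}
		} else {
			var err error
			// tls.Dial closes the raw connection itself when the handshake fails.
			conn, err = tls.Dial(network, addr, &tls.Config{InsecureSkipVerify: true})
			if err != nil {
				return nil, err
			}
		}
		if c.InsecureTLS {
			return conn, nil
		}
		certs := conn.ConnectionState().PeerCertificates
		if len(certs) < 1 {
			conn.Close()
			return nil, errors.New("Could not get server's certificate from the TLS connection.")
		}
		// Pin on the leaf certificate only (certs[0]); the rest of the presented
		// chain is not consulted.
		sig := hashutil.SHA256Prefix(certs[0].Raw)
		for _, v := range trustedCerts {
			if v == sig {
				return conn, nil
			}
		}
		conn.Close()
		return nil, fmt.Errorf("Server's certificate %v is not in the trusted list", sig)
	}
}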
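// DialFunc returns the adequate dial function, depending on
// whether SSL is required, the client's config has some trusted
// certs, and we're on android.
// If the client's config has some trusted certs, the server's
// certificate will be checked against those in the config after
// the TLS handshake.
//
// It returns nil when the stdlib dialer is adequate: no TLS, or TLS
// with full verification, off android. On android those two cases
// get a plain android.Dial wrapper instead.
//
// In the pinned and insecure modes the connection is dialed with
// InsecureSkipVerify, which disables both chain and hostname
// validation in crypto/tls; in the pinned mode the only check is the
// comparison of the leaf certificate's SHA-256 prefix against
// trustedCerts. A connection that fails that comparison is closed
// before the error is returned, so a rejected handshake does not
// leak a socket.
func (c *Client) DialFunc() func(network, addr string) (net.Conn, error) {
	trustedCerts := c.getTrustedCerts()
	if !c.useTLS() || (!c.InsecureTLS && len(trustedCerts) == 0) {
		// No TLS, or TLS with normal/full verification
		if android.IsChild() {
			return func(network, addr string) (net.Conn, error) {
				return android.Dial(network, addr)
			}
		}
		return nil
	}

	return func(network, addr string) (net.Conn, error) {
		var conn *tls.Conn
		if android.IsChild() {
			con, err := android.Dial(network, addr)
			if err != nil {
				return nil, err
			}
			// Verification is done by the pin check below, not by crypto/tls.
			conn = tls.Client(con, &tls.Config{InsecureSkipVerify: true})
			if err = conn.Handshake(); err != nil {
				// tls.Client does not take ownership of con on failure; close it here.
				conn.Close()
				return nil, err
			}
		} else {
			var err error
			// tls.Dial closes the raw connection itself when the handshake fails.
			conn, err = tls.Dial(network, addr, &tls.Config{InsecureSkipVerify: true})
			if err != nil {
				return nil, err
			}
		}
		if c.InsecureTLS {
			return conn, nil
		}
		certs := conn.ConnectionState().PeerCertificates
		if len(certs) < 1 {
			conn.Close()
			return nil, errors.New("Could not get server's certificate from the TLS connection.")
		}
		// Pin on the leaf certificate only (certs[0]); the rest of the presented
		// chain is not consulted.
		sig := hashutil.SHA256Prefix(certs[0].Raw)
		for _, v := range trustedCerts {
			if v == sig {
				return conn, nil
			}
		}
		conn.Close()
		return nil, fmt.Errorf("Server's certificate %v is not in the trusted list", sig)
	}
}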
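// http2DialTLSFunc returns the DialTLS hook for the http2 transport, or nil
// when full verification is wanted so http2 uses its own default dialer.
//
// The returned dialer sets InsecureSkipVerify on the config it is handed,
// which disables both chain and hostname validation in crypto/tls. It then
// enforces the same ALPN checks the http2 default dialer performs (the
// transport only speaks h2 over this connection, whatever the certificate
// policy), and unless insecureAnyTLSCert is set, compares the leaf
// certificate's SHA-256 prefix against the client's trusted list. Any
// connection rejected after the handshake is closed before the error is
// returned.
func (c *Client) http2DialTLSFunc() func(network, addr string, cfg *tls.Config) (net.Conn, error) {
	trustedCerts := c.getTrustedCerts()
	if !c.insecureAnyTLSCert && len(trustedCerts) == 0 {
		// TLS with normal/full verification.
		// nil means http2 uses its default dialer.
		return nil
	}
	return func(network, addr string, cfg *tls.Config) (net.Conn, error) {
		// we own cfg, so we can mutate it:
		cfg.InsecureSkipVerify = true
		// tls.Dial closes the raw connection itself when the handshake fails.
		conn, err := tls.Dial(network, addr, cfg)
		if err != nil {
			return nil, err
		}
		state := conn.ConnectionState()
		// ALPN is checked regardless of certificate policy: a server that did
		// not negotiate h2 is unusable by the http2 transport either way, and
		// failing here gives a clear error instead of a garbled exchange later.
		if p := state.NegotiatedProtocol; p != http2.NextProtoTLS {
			conn.Close()
			return nil, fmt.Errorf("http2: unexpected ALPN protocol %q; want %q", p, http2.NextProtoTLS)
		}
		if !state.NegotiatedProtocolIsMutual {
			conn.Close()
			return nil, errors.New("http2: could not negotiate protocol mutually")
		}
		if c.insecureAnyTLSCert {
			return conn, nil
		}
		certs := state.PeerCertificates
		if len(certs) < 1 {
			conn.Close()
			return nil, fmt.Errorf("no TLS peer certificates from %s", addr)
		}
		// Pin on the leaf certificate only (certs[0]); the rest of the presented
		// chain is not consulted.
		sig := hashutil.SHA256Prefix(certs[0].Raw)
		for _, v := range trustedCerts {
			if v == sig {
				return conn, nil
			}
		}
		conn.Close()
		return nil, fmt.Errorf("TLS server at %v presented untrusted certificate (signature %q)", addr, sig)
	}
}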