archive
/
tailscale
mirror of https://github.com/tailscale/tailscale/
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

ipn/ipnlocal: don't serve a TLS cert unless it has webserver config

Browse Source 
Even if the name is right, or is configured on a different port.

Updates tailscale/corp#7515

Change-Id: I8b721968f3241af10d98431e1b5ba075223e6cd3
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
pull/6265/head
Brad Fitzpatrick 2 years ago committed by Brad Fitzpatrick
parent 1a94c309ea
commit 6beb3184d5
1 changed files with 35 additions and 25 deletions
Show Stats Download Patch File Download Diff File

60
ipn/ipnlocal/serve.go
Unescape Escape View File

@ -54,7 +54,7 @@ func (b *LocalBackend) HandleInterceptedTCPConn(dport uint16, srcAddr netip.Addr
} }
hs := &http.Server{ hs := &http.Server{
TLSConfig: &tls.Config{ TLSConfig: &tls.Config{
GetCertificate: b.getTLSServeCert, GetCertificate: b.getTLSServeCertForPort(dport),
}, },
Handler: http.HandlerFunc(b.serveWebHandler), Handler: http.HandlerFunc(b.serveWebHandler),
BaseContext: func(_ net.Listener) context.Context { BaseContext: func(_ net.Listener) context.Context {
@ -123,20 +123,11 @@ func (b *LocalBackend) getServeHandler(r *http.Request) (_ ipn.HTTPHandlerView,
b.logf("[unexpected] localbackend: no serveHTTPContext in request") b.logf("[unexpected] localbackend: no serveHTTPContext in request")
return z, false return z, false
} }
sni := r.TLS.ServerName wsc, ok := b.webServerConfig(r.TLS.ServerName, sctx.DestPort)
key := ipn.HostPort(fmt.Sprintf("%s:%v", sni, sctx.DestPort))
b.mu.Lock()
defer b.mu.Unlock()
if !b.serveConfig.Valid() {
return z, false
}
wsc, ok := b.serveConfig.Web().GetOk(key)
if !ok { if !ok {
return z, false return z, false
} }
path := r.URL.Path path := r.URL.Path
for { for {
if h, ok := wsc.Handlers().GetOk(path); ok { if h, ok := wsc.Handlers().GetOk(path); ok {
@ -172,19 +163,38 @@ func (b *LocalBackend) serveWebHandler(w http.ResponseWriter, r *http.Request) {
http.Error(w, "empty handler", 500) http.Error(w, "empty handler", 500)
} }
func (b *LocalBackend) getTLSServeCert(hi *tls.ClientHelloInfo) (*tls.Certificate, error) { func (b *LocalBackend) webServerConfig(sniName string, port uint16) (c ipn.WebServerConfigView, ok bool) {
if hi == nil || hi.ServerName == "" { key := ipn.HostPort(fmt.Sprintf("%s:%v", sniName, port))
return nil, errors.New("no SNI ServerName")
} b.mu.Lock()
ctx, cancel := context.WithTimeout(context.Background(), time.Minute) defer b.mu.Unlock()
defer cancel()
pair, err := b.GetCertPEM(ctx, hi.ServerName) if !b.serveConfig.Valid() {
if err != nil { return c, false
return nil, err
} }
cert, err := tls.X509KeyPair(pair.CertPEM, pair.KeyPEM) return b.serveConfig.Web().GetOk(key)
if err != nil { }
return nil, err
func (b *LocalBackend) getTLSServeCertForPort(port uint16) func(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
return func(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
if hi == nil || hi.ServerName == "" {
return nil, errors.New("no SNI ServerName")
}
_, ok := b.webServerConfig(hi.ServerName, port)
if !ok {
return nil, errors.New("no webserver configured for name/port")
}
ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
defer cancel()
pair, err := b.GetCertPEM(ctx, hi.ServerName)
if err != nil {
return nil, err
}
cert, err := tls.X509KeyPair(pair.CertPEM, pair.KeyPEM)
if err != nil {
return nil, err
}
return &cert, nil
} }
return &cert, nil
} }

Write Preview
Loading…
Cancel
Save