From 70dfdac609396440308a390f58dff0a97f78f0f4 Mon Sep 17 00:00:00 2001
From: Andrew Lytvynov <awly@tailscale.com>
Date: Thu, 18 Sep 2025 09:10:33 -0700
Subject: [PATCH] prober: allow custom tls.Config for TLS probes (#17186)

Updates https://github.com/tailscale/corp/issues/28569

Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
---
 prober/derp.go             |  5 +++--
 prober/derp_test.go        |  2 +-
 prober/dns_example_test.go |  3 ++-
 prober/tls.go              | 30 ++++++++++++++++--------------
 prober/tls_test.go         | 18 ++++++++++++++++--
 5 files changed, 38 insertions(+), 20 deletions(-)

diff --git a/prober/derp.go b/prober/derp.go
index c7a82317d..52e56fd4e 100644
--- a/prober/derp.go
+++ b/prober/derp.go
@@ -8,6 +8,7 @@ import (
 	"cmp"
 	"context"
 	crand "crypto/rand"
+	"crypto/tls"
 	"encoding/binary"
 	"encoding/json"
 	"errors"
@@ -68,7 +69,7 @@ type derpProber struct {
 	ProbeMap ProbeClass
 
 	// Probe classes for probing individual derpers.
-	tlsProbeFn  func(string) ProbeClass
+	tlsProbeFn  func(string, *tls.Config) ProbeClass
 	udpProbeFn  func(string, int) ProbeClass
 	meshProbeFn func(string, string) ProbeClass
 	bwProbeFn   func(string, string, int64) ProbeClass
@@ -206,7 +207,7 @@ func (d *derpProber) probeMapFn(ctx context.Context) error {
 				if d.probes[n] == nil {
 					log.Printf("adding DERP TLS probe for %s (%s) every %v", server.Name, region.RegionName, d.tlsInterval)
 					derpPort := cmp.Or(server.DERPPort, 443)
-					d.probes[n] = d.p.Run(n, d.tlsInterval, labels, d.tlsProbeFn(fmt.Sprintf("%s:%d", server.HostName, derpPort)))
+					d.probes[n] = d.p.Run(n, d.tlsInterval, labels, d.tlsProbeFn(fmt.Sprintf("%s:%d", server.HostName, derpPort), nil))
 				}
 			}
 
diff --git a/prober/derp_test.go b/prober/derp_test.go
index 93b8d760b..1ace9983c 100644
--- a/prober/derp_test.go
+++ b/prober/derp_test.go
@@ -74,7 +74,7 @@ func TestDerpProber(t *testing.T) {
 		p:              p,
 		derpMapURL:     srv.URL,
 		tlsInterval:    time.Second,
-		tlsProbeFn:     func(_ string) ProbeClass { return FuncProbe(func(context.Context) error { return nil }) },
+		tlsProbeFn:     func(_ string, _ *tls.Config) ProbeClass { return FuncProbe(func(context.Context) error { return nil }) },
 		udpInterval:    time.Second,
 		udpProbeFn:     func(_ string, _ int) ProbeClass { return FuncProbe(func(context.Context) error { return nil }) },
 		meshInterval:   time.Second,
diff --git a/prober/dns_example_test.go b/prober/dns_example_test.go
index a8326fd72..089816919 100644
--- a/prober/dns_example_test.go
+++ b/prober/dns_example_test.go
@@ -5,6 +5,7 @@ package prober_test
 
 import (
 	"context"
+	"crypto/tls"
 	"flag"
 	"fmt"
 	"log"
@@ -40,7 +41,7 @@ func ExampleForEachAddr() {
 
 	// This function is called every time we discover a new IP address to check.
 	makeTLSProbe := func(addr netip.Addr) []*prober.Probe {
-		pf := prober.TLSWithIP(*hostname, netip.AddrPortFrom(addr, 443))
+		pf := prober.TLSWithIP(netip.AddrPortFrom(addr, 443), &tls.Config{ServerName: *hostname})
 		if *verbose {
 			logger := logger.WithPrefix(log.Printf, fmt.Sprintf("[tls %s]: ", addr))
 			pf = probeLogWrapper(logger, pf)
diff --git a/prober/tls.go b/prober/tls.go
index 4fb4aa9c6..777b2b508 100644
--- a/prober/tls.go
+++ b/prober/tls.go
@@ -9,9 +9,9 @@ import (
 	"crypto/x509"
 	"fmt"
 	"io"
-	"net"
 	"net/http"
 	"net/netip"
+	"slices"
 	"time"
 
 	"tailscale.com/util/multierr"
@@ -28,33 +28,31 @@ const letsEncryptStartedStaplingCRL int64 = 1746576000 // 2025-05-07 00:00:00 UT
 // The ProbeFunc connects to a hostPort (host:port string), does a TLS
 // handshake, verifies that the hostname matches the presented certificate,
 // checks certificate validity time and OCSP revocation status.
-func TLS(hostPort string) ProbeClass {
+//
+// The TLS config is optional and may be nil.
+func TLS(hostPort string, config *tls.Config) ProbeClass {
 	return ProbeClass{
 		Probe: func(ctx context.Context) error {
-			certDomain, _, err := net.SplitHostPort(hostPort)
-			if err != nil {
-				return err
-			}
-			return probeTLS(ctx, certDomain, hostPort)
+			return probeTLS(ctx, config, hostPort)
 		},
 		Class: "tls",
 	}
 }
 
-// TLSWithIP is like TLS, but dials the provided dialAddr instead
-// of using DNS resolution. The certDomain is the expected name in
-// the cert (and the SNI name to send).
-func TLSWithIP(certDomain string, dialAddr netip.AddrPort) ProbeClass {
+// TLSWithIP is like TLS, but dials the provided dialAddr instead of using DNS
+// resolution. Use config.ServerName to send SNI and validate the name in the
+// cert.
+func TLSWithIP(dialAddr netip.AddrPort, config *tls.Config) ProbeClass {
 	return ProbeClass{
 		Probe: func(ctx context.Context) error {
-			return probeTLS(ctx, certDomain, dialAddr.String())
+			return probeTLS(ctx, config, dialAddr.String())
 		},
 		Class: "tls",
 	}
 }
 
-func probeTLS(ctx context.Context, certDomain string, dialHostPort string) error {
-	dialer := &tls.Dialer{Config: &tls.Config{ServerName: certDomain}}
+func probeTLS(ctx context.Context, config *tls.Config, dialHostPort string) error {
+	dialer := &tls.Dialer{Config: config}
 	conn, err := dialer.DialContext(ctx, "tcp", dialHostPort)
 	if err != nil {
 		return fmt.Errorf("connecting to %q: %w", dialHostPort, err)
@@ -108,6 +106,10 @@ func validateConnState(ctx context.Context, cs *tls.ConnectionState) (returnerr
 	}
 
 	if len(leafCert.CRLDistributionPoints) == 0 {
+		if !slices.Contains(leafCert.Issuer.Organization, "Let's Encrypt") {
+			// LE certs contain a CRL, but certs from other CAs might not.
+			return
+		}
 		if leafCert.NotBefore.Before(time.Unix(letsEncryptStartedStaplingCRL, 0)) {
 			// Certificate might not have a CRL.
 			return
diff --git a/prober/tls_test.go b/prober/tls_test.go
index f6ca4aeb1..86fba91b9 100644
--- a/prober/tls_test.go
+++ b/prober/tls_test.go
@@ -83,7 +83,7 @@ func TestTLSConnection(t *testing.T) {
 	srv.StartTLS()
 	defer srv.Close()
 
-	err = probeTLS(context.Background(), "fail.example.com", srv.Listener.Addr().String())
+	err = probeTLS(context.Background(), &tls.Config{ServerName: "fail.example.com"}, srv.Listener.Addr().String())
 	// The specific error message here is platform-specific ("certificate is not trusted"
 	// on macOS and "certificate signed by unknown authority" on Linux), so only check
 	// that it contains the word 'certificate'.
@@ -269,40 +269,54 @@ func TestCRL(t *testing.T) {
 		name     string
 		cert     *x509.Certificate
 		crlBytes []byte
+		issuer   pkix.Name
 		wantErr  string
 	}{
 		{
 			"ValidCert",
 			leafCertParsed,
 			emptyRlBytes,
+			caCert.Issuer,
 			"",
 		},
 		{
 			"RevokedCert",
 			leafCertParsed,
 			rlBytes,
+			caCert.Issuer,
 			"has been revoked on",
 		},
 		{
 			"EmptyCRL",
 			leafCertParsed,
 			emptyRlBytes,
+			caCert.Issuer,
 			"",
 		},
 		{
-			"NoCRL",
+			"NoCRLLetsEncrypt",
 			leafCertParsed,
 			nil,
+			pkix.Name{CommonName: "tlsprobe.test", Organization: []string{"Let's Encrypt"}},
 			"no CRL server presented in leaf cert for",
 		},
+		{
+			"NoCRLOtherCA",
+			leafCertParsed,
+			nil,
+			caCert.Issuer,
+			"",
+		},
 		{
 			"NotBeforeCRLStaplingDate",
 			noCRLStapledParsed,
 			nil,
+			caCert.Issuer,
 			"",
 		},
 	} {
 		t.Run(tt.name, func(t *testing.T) {
+			tt.cert.Issuer = tt.issuer
 			cs := &tls.ConnectionState{PeerCertificates: []*x509.Certificate{tt.cert, caCert}}
 			if tt.crlBytes != nil {
 				crlServer.crlBytes = tt.crlBytes