From 9497921f529114b7b34533205b4d609582f720b9 Mon Sep 17 00:00:00 2001
From: Brad Fitzpatrick
Date: Sun, 26 Apr 2020 08:31:14 -0700
Subject: [PATCH] logpolicy: also set up TLS dialing (for iOS) for log uploads

This was the last of the three places that do TLS from clients (logs, control, derp). With this, iOS should be able to use the memory-efficient x509 root CertPool.

---
 logpolicy/logpolicy.go | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/logpolicy/logpolicy.go b/logpolicy/logpolicy.go
index 9ce6e727f..d9137e965 100644
--- a/logpolicy/logpolicy.go
+++ b/logpolicy/logpolicy.go
@@ -29,6 +29,7 @@ import (
 	"tailscale.com/atomicfile"
 	"tailscale.com/logtail"
 	"tailscale.com/logtail/filch"
+	"tailscale.com/net/tlsdial"
 	"tailscale.com/version"
 )
 
@@ -188,7 +189,7 @@ func New(collection string) *Policy {
 			}
 			return w
 		},
-		HTTPC: &http.Client{Transport: newLogtailTransport()},
+		HTTPC: &http.Client{Transport: newLogtailTransport(logtail.DefaultHost)},
 	}
 
 	filchBuf, filchErr := filch.New(filepath.Join(dir, version.CmdName()), filch.Options{})
@@ -231,8 +232,9 @@ func (p *Policy) Shutdown(ctx context.Context) error {
 	return nil
 }
 
-// newLogtailTransport returns the HTTP Transport we use for uploading logs.
-func newLogtailTransport() *http.Transport {
+// newLogtailTransport returns the HTTP Transport we use for uploading
+// logs to the given host name.
+func newLogtailTransport(host string) *http.Transport {
 	// Start with a copy of http.DefaultTransport and tweak it a bit.
 	tr := http.DefaultTransport.(*http.Transport).Clone()
 
@@ -273,5 +275,8 @@ func newLogtailTransport() *http.Transport {
 	tr.ForceAttemptHTTP2 = false
 	tr.TLSNextProto = map[string]func(authority string, c *tls.Conn) http.RoundTripper{}
 	}
+
+	tr.TLSClientConfig = tlsdial.Config(host, tr.TLSClientConfig)
+
 	return tr
 }
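Review bot: The host handed to `newLogtailTransport` in the `HTTPC:` line is the package constant `logtail.DefaultHost`, not the host the surrounding `logtail.Config` literal will actually upload to, so the transport's TLS settings (presumably SNI and certificate-name verification, given what `tlsdial.Config` is for) are pinned to one name independently of the request URL. If the logtail upload destination can ever be overridden (I cannot see the rest of the Config literal or `logtail`'s API from here), requests to any other host would fail verification or, worse, be verified against the wrong name. Either derive the host from the same value used to build the upload URL, or make the coupling explicit with a comment on that line: `// TLS config is bound to DefaultHost; keep in sync with the logtail upload URL.` `New` begins and ends outside this hunk.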
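Review bot: The new `tr.TLSClientConfig = tlsdial.Config(host, tr.TLSClientConfig)` runs unconditionally after the branch that disables HTTP/2 by assigning an empty `tr.TLSNextProto` map and clearing `ForceAttemptHTTP2`; if `tlsdial.Config` (body not visible here) ever populates `NextProtos` with `h2`, the TLS layer could negotiate h2 on a transport that has no h2 round-tripper registered, and that branch's intent would be silently undone. Also note that after `Clone()` of `http.DefaultTransport` the base config passed in is `nil` unless something earlier in the function (its start is outside this hunk) set it, so `tlsdial.Config` must tolerate a nil base. A why-comment on the assignment would make both invariants explicit, e.g. `// Last step on purpose: tlsdial.Config extends (not replaces) any TLSClientConfig set above and must not add NextProtos, or the h2 opt-out above breaks.` Consider a test asserting `tr.TLSClientConfig.NextProtos` is empty in the HTTP/2-disabled case.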