allow ca certificates (#2513)
buck54321 authored Sep 12, 2023
1 parent 91cd926 commit fb32d47
Showing 2 changed files with 19 additions and 28 deletions.
32 changes: 15 additions & 17 deletions client/comms/wsconn.go
Expand Up @@ -165,28 +165,26 @@ func NewWsConn(cfg *WsCfg) (WsConn, error) {
return nil, fmt.Errorf("ping wait cannot be negative")
}

var tlsConfig *tls.Config
if len(cfg.Cert) > 0 {

uri, err := url.Parse(cfg.URL)
if err != nil {
return nil, fmt.Errorf("error parsing URL: %w", err)
}
uri, err := url.Parse(cfg.URL)
if err != nil {
return nil, fmt.Errorf("error parsing URL: %w", err)
}

rootCAs, _ := x509.SystemCertPool()
if rootCAs == nil {
rootCAs = x509.NewCertPool()
}
rootCAs, _ := x509.SystemCertPool()
if rootCAs == nil {
rootCAs = x509.NewCertPool()
}

if len(cfg.Cert) > 0 {
if ok := rootCAs.AppendCertsFromPEM(cfg.Cert); !ok {
return nil, ErrInvalidCert
}
}

tlsConfig = &tls.Config{
RootCAs: rootCAs,
MinVersion: tls.VersionTLS12,
ServerName: uri.Hostname(),
}
tlsConfig := &tls.Config{
RootCAs: rootCAs,
MinVersion: tls.VersionTLS12,
ServerName: uri.Hostname(),
}

return &wsConn{
Expand Down Expand Up @@ -229,7 +227,7 @@ func (conn *wsConn) connect(ctx context.Context) error {
if err != nil {
if isErrorInvalidCert(err) {
conn.setConnectionStatus(InvalidCert)
if conn.tlsCfg == nil {
if len(conn.cfg.Cert) == 0 {
return dex.NewError(ErrCertRequired, err.Error())
}
return dex.NewError(ErrInvalidCert, err.Error())
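Review bot: `rootCAs, _ := x509.SystemCertPool()` in NewWsConn drops the error, and since the pool is now built for every connection rather than only when cfg.Cert is set, a system trust store that fails to load silently leaves the empty `x509.NewCertPool()` fallback; every handshake then fails as unknown authority, which the second hunk maps to ErrCertRequired whenever cfg.Cert is empty, pointing the user at the wrong cause. Either surface the failure when there is no user-supplied cert to fall back on, e.g. `if err != nil && len(cfg.Cert) == 0 { return nil, fmt.Errorf("loading system cert pool: %w", err) }`, or at least document the trade-off next to the fallback with a comment such as `// A system pool that fails to load degrades to an empty pool; without cfg.Cert every handshake will then fail as unknown authority.` The NewWsConn body begins and ends outside this hunk, so whether a logger is in scope there is not visible here.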
15 changes: 4 additions & 11 deletions client/core/core.go
Expand Up @@ -8144,15 +8144,9 @@ func (c *Core) newDEXConnection(acctInfo *db.AccountInfo, flag connectDEXFlag) (
if err != nil {
return nil, newError(addressParseErr, "error parsing address: %v", err)
}
// The scheme switches gorilla/websocket to use the tls.Config or not.
scheme := "wss"
if len(acctInfo.Cert) == 0 {
scheme = "ws" // only supported for .onion hosts, but could allow private IP too
}
wsAddr := scheme + "://" + host + "/ws"
wsURL, err := url.Parse(wsAddr)
wsURL, err := url.Parse("wss://" + host + "/ws")
if err != nil {
return nil, newError(addressParseErr, "error parsing ws address %s: %w", wsAddr, err)
return nil, newError(addressParseErr, "error parsing ws address from host %s: %w", host, err)
}

listen := flag&connectDEXFlagTemporary == 0
Expand Down Expand Up @@ -8199,9 +8193,8 @@ func (c *Core) newDEXConnection(acctInfo *db.AccountInfo, flag connectDEXFlag) (
TorIsolation: c.cfg.TorIsolation, // need socks.NewPool with isolation???
}
wsCfg.NetDialContext = proxy.DialContext
}
if scheme == "ws" && !isOnionHost {
return nil, errors.New("a TLS connection is required when not using a hidden service")
wsURL.Scheme = "ws"
wsCfg.URL = wsURL.String()
}

wsCfg.ConnectEventFunc = func(status comms.ConnectionStatus) {
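Review bot: `wsURL.Scheme = "ws"` in the second hunk replaces the explicit `if scheme == "ws" && !isOnionHost` guard with an implicit one: plaintext websocket is now selected by whatever condition opens the enclosing proxy block, and that condition starts outside the hunk, so whether a non-onion host routed through the proxy can lose TLS depends on code not shown here. If the block is entered only for .onion hosts the behaviour is sound, but the reasoning is no longer visible where TLS is dropped; a comment next to the assignment such as `// Hidden services are authenticated and encrypted by Tor itself, so plain ws is acceptable only for .onion hosts.` would keep it. If the block can be entered for other proxied hosts, keep a check equivalent to the removed one before the assignment, e.g. `if !isOnionHost { return nil, errors.New("a TLS connection is required when not using a hidden service") }`. The newDEXConnection body begins and ends outside these hunks.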
