From fb32d47665beb8ccb4f8821fd23d29545c89d44b Mon Sep 17 00:00:00 2001
From: buck54321
Date: Tue, 12 Sep 2023 12:20:00 -0700
Subject: [PATCH] allow ca certificates (#2513)

---
 client/comms/wsconn.go | 32 +++++++++++++++-----------------
 client/core/core.go    | 15 ++++-----------
 2 files changed, 19 insertions(+), 28 deletions(-)

diff --git a/client/comms/wsconn.go b/client/comms/wsconn.go
index d63a1b0a14..c8ea235df5 100644
--- a/client/comms/wsconn.go
+++ b/client/comms/wsconn.go
@@ -165,28 +165,26 @@ func NewWsConn(cfg *WsCfg) (WsConn, error) {
 		return nil, fmt.Errorf("ping wait cannot be negative")
 	}
 
-	var tlsConfig *tls.Config
-	if len(cfg.Cert) > 0 {
-
-		uri, err := url.Parse(cfg.URL)
-		if err != nil {
-			return nil, fmt.Errorf("error parsing URL: %w", err)
-		}
+	uri, err := url.Parse(cfg.URL)
+	if err != nil {
+		return nil, fmt.Errorf("error parsing URL: %w", err)
+	}
 
-		rootCAs, _ := x509.SystemCertPool()
-		if rootCAs == nil {
-			rootCAs = x509.NewCertPool()
-		}
+	rootCAs, _ := x509.SystemCertPool()
+	if rootCAs == nil {
+		rootCAs = x509.NewCertPool()
+	}
 
+	if len(cfg.Cert) > 0 {
 		if ok := rootCAs.AppendCertsFromPEM(cfg.Cert); !ok {
 			return nil, ErrInvalidCert
 		}
+	}
 
-		tlsConfig = &tls.Config{
-			RootCAs:    rootCAs,
-			MinVersion: tls.VersionTLS12,
-			ServerName: uri.Hostname(),
-		}
+	tlsConfig := &tls.Config{
+		RootCAs:    rootCAs,
+		MinVersion: tls.VersionTLS12,
+		ServerName: uri.Hostname(),
 	}
 
 	return &wsConn{
@@ -229,7 +227,7 @@ func (conn *wsConn) connect(ctx context.Context) error {
 	if err != nil {
 		if isErrorInvalidCert(err) {
 			conn.setConnectionStatus(InvalidCert)
-			if conn.tlsCfg == nil {
+			if len(conn.cfg.Cert) == 0 {
 				return dex.NewError(ErrCertRequired, err.Error())
 			}
 			return dex.NewError(ErrInvalidCert, err.Error())
diff --git a/client/core/core.go b/client/core/core.go
index f030536dbc..efc33cb0d0 100644
--- a/client/core/core.go
+++ b/client/core/core.go
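Review bot: The error from `x509.SystemCertPool()` is still dropped at `rootCAs, _ :=`, and after this patch that line runs for every connection rather than only when a cert was configured, so on a host whose system pool cannot be loaded the new cert-less path silently ends up with an empty pool, every handshake fails as unknown-authority, and connect() reports that as ErrCertRequired. When there is neither a system pool nor a configured cert the connection can never verify anything, so failing early with the real cause is more diagnosable; with a configured cert the empty-pool fallback remains fine. NewWsConn's body continues past `return &wsConn{` outside the hunk.
```go
	rootCAs, err := x509.SystemCertPool()
	if err != nil && len(cfg.Cert) == 0 {
		return nil, fmt.Errorf("no CA certificate configured and system cert pool unavailable: %w", err)
	}
	if rootCAs == nil {
		rootCAs = x509.NewCertPool()
	}
	// … unchanged: AppendCertsFromPEM and tls.Config construction …
```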
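Review bot: `if len(conn.cfg.Cert) == 0` now maps every verification failure on a cert-less connection to ErrCertRequired, but after this patch a cert-less connection is verified against the system roots, so an expired or hostname-mismatched certificate issued by a public CA also surfaces as "cert required", steering the user toward importing a cert when that is not the fix. If `isErrorInvalidCert` matches more than `x509.UnknownAuthorityError` (its definition is outside the hunk), restrict the ErrCertRequired branch to that case, e.g. `var ua x509.UnknownAuthorityError` / `if len(conn.cfg.Cert) == 0 && errors.As(err, &ua) {`, and let other verification errors fall through to ErrInvalidCert. connect's body starts and ends outside the hunk.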
@@ -8144,15 +8144,9 @@ func (c *Core) newDEXConnection(acctInfo *db.AccountInfo, flag connectDEXFlag) (
 	if err != nil {
 		return nil, newError(addressParseErr, "error parsing address: %v", err)
 	}
-	// The scheme switches gorilla/websocket to use the tls.Config or not.
-	scheme := "wss"
-	if len(acctInfo.Cert) == 0 {
-		scheme = "ws" // only supported for .onion hosts, but could allow private IP too
-	}
-	wsAddr := scheme + "://" + host + "/ws"
-	wsURL, err := url.Parse(wsAddr)
+	wsURL, err := url.Parse("wss://" + host + "/ws")
 	if err != nil {
-		return nil, newError(addressParseErr, "error parsing ws address %s: %w", wsAddr, err)
+		return nil, newError(addressParseErr, "error parsing ws address from host %s: %w", host, err)
 	}
 
 	listen := flag&connectDEXFlagTemporary == 0
@@ -8199,9 +8193,8 @@ func (c *Core) newDEXConnection(acctInfo *db.AccountInfo, flag connectDEXFlag) (
 			TorIsolation: c.cfg.TorIsolation, // need socks.NewPool with isolation???
 		}
 		wsCfg.NetDialContext = proxy.DialContext
-	}
-	if scheme == "ws" && !isOnionHost {
-		return nil, errors.New("a TLS connection is required when not using a hidden service")
+		wsURL.Scheme = "ws"
+		wsCfg.URL = wsURL.String()
 	}
 	wsCfg.ConnectEventFunc = func(status comms.ConnectionStatus) {
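Review bot: With the scheme selection deleted here, a reader at the new `url.Parse("wss://" + host + "/ws")` line can no longer see that wss is only the default and that the proxy branch further down rewrites `wsURL.Scheme` to `ws`, and the removed comment was the one place recording that plaintext is meant only for .onion hosts. A one-line comment on the new line keeps that invariant visible: `// TLS by default; the Tor/onion branch below is the only place that downgrades to plain ws.` newDEXConnection begins and continues outside the hunk.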
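Review bot: The deleted `if scheme == "ws" && !isOnionHost` check was the only guard against plaintext to a non-onion host, and the new `wsURL.Scheme = "ws"` / `wsCfg.URL = wsURL.String()` lines downgrade every connection that takes this proxy branch; if the branch's condition (above the hunk) is also entered for `c.cfg.TorProxy != ""` with a clearnet host, that host is now reached over unencrypted ws through the SOCKS proxy and its certificate is never verified. Tor only protects the path to the exit node or to a hidden service, so the downgrade should stay tied to the onion case, `if isOnionHost { wsURL.Scheme = "ws"; wsCfg.URL = wsURL.String() }`, leaving clearnet hosts on wss via the proxy as the now-unconditional system-root verification in NewWsConn allows. newDEXConnection continues outside the hunk.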