oxtoacart · August 6, 2021 08:48 · Sep 3, 2014 · Sep 3, 2014 · Sep 3, 2014
diff --git a/domainfront.go b/domainfront.go
@@ -36,12 +36,18 @@ func main() {
 }
 
 func dialTLS(network, addr string) (net.Conn, error) {
+	// Dial with net.Dial
 	conn, err := net.Dial("tcp", MASQUERADE_AS+":443")
 	if err != nil {
 		return nil, err
 	}
 
+	// Then wrap the connection with a tls Client.  The combination of net.Dial
+	// + tls.Client allows us to avoid using a ServerName, unlike tls.Dial which
+	// automatically populates ServerName based on the dialed address.
 	tlsConn := tls.Client(conn, &tls.Config{
+		// Need to set this so that the client handshake code doesn't complain
+		// about having neither a ServerName nor InsecureSkipVerify being true.
 		InsecureSkipVerify: true,
 	})
 
@@ -50,6 +56,8 @@ func dialTLS(network, addr string) (net.Conn, error) {
 		return nil, err
 	}
 
+	// Because we set InsecureSkipVerify, tls won't be verifying the server's
+	// cert for us, so we have to do it ourselves
 	err = verifyServerCerts(tlsConn)
 	if err != nil {
 		return nil, fmt.Errorf("Unable to verify server cert: %s", err)

diff --git a/domainfront.go b/domainfront.go
@@ -36,24 +36,26 @@ func main() {
 }
 
 func dialTLS(network, addr string) (net.Conn, error) {
-	conn, err := tls.Dial("tcp", MASQUERADE_AS+":443", &tls.Config{
-		InsecureSkipVerify: true,
-	})
-
+	conn, err := net.Dial("tcp", MASQUERADE_AS+":443")
 	if err != nil {
 		return nil, err
 	}
-	err = conn.Handshake()
+
+	tlsConn := tls.Client(conn, &tls.Config{
+		InsecureSkipVerify: true,
+	})
+
+	err = tlsConn.Handshake()
 	if err != nil {
 		return nil, err
 	}
 
-	err = verifyServerCerts(conn)
+	err = verifyServerCerts(tlsConn)
 	if err != nil {
 		return nil, fmt.Errorf("Unable to verify server cert: %s", err)
 	}
 
-	return conn, nil
+	return tlsConn, nil
 }
 
 func verifyServerCerts(conn *tls.Conn) error {

diff --git a/domainfront.go b/domainfront.go
@@ -0,0 +1,76 @@
+package main
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"fmt"
+	"io"
+	"log"
+	"net"
+	"net/http"
+	"os"
+	"time"
+)
+
+const (
+	MASQUERADE_AS = "cdnjs.com"         // the host to which we open a TLS connection
+	REAL_DEST     = "geo.getiantem.org" // the host for which we make an HTTP request over the TLS connection
+)
+
+func main() {
+	client := &http.Client{
+		Transport: &http.Transport{
+			Dial: dialTLS,
+		},
+	}
+
+	req, _ := http.NewRequest("GET", "http://"+REAL_DEST+"/lookup", nil)
+	req.Write(os.Stdout)
+	resp, err := client.Do(req)
+	log.Println("Made request")
+	if err != nil {
+		log.Fatalf("Unable to do GET: %s", err)
+	}
+	defer resp.Body.Close()
+	io.Copy(os.Stdout, resp.Body)
+}
+
+func dialTLS(network, addr string) (net.Conn, error) {
+	conn, err := tls.Dial("tcp", MASQUERADE_AS+":443", &tls.Config{
+		InsecureSkipVerify: true,
+	})
+
+	if err != nil {
+		return nil, err
+	}
+	err = conn.Handshake()
+	if err != nil {
+		return nil, err
+	}
+
+	err = verifyServerCerts(conn)
+	if err != nil {
+		return nil, fmt.Errorf("Unable to verify server cert: %s", err)
+	}
+
+	return conn, nil
+}
+
+func verifyServerCerts(conn *tls.Conn) error {
+	certs := conn.ConnectionState().PeerCertificates
+	opts := x509.VerifyOptions{
+		Roots:         nil,
+		CurrentTime:   time.Now(),
+		DNSName:       MASQUERADE_AS,
+		Intermediates: x509.NewCertPool(),
+	}
+
+	for i, cert := range certs {
+		if i == 0 {
+			continue
+		}
+		opts.Intermediates.AddCert(cert)
+	}
+	_, err := certs[0].Verify(opts)
+	return err
+}
No results found