webnet/tailscale
1
0
Fork 0
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity

prober: allow custom tls.Config for TLS probes (#17186)

Browse Source 
Updates https://github.com/tailscale/corp/issues/28569

Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
This commit is contained in:
Andrew Lytvynov
2025-09-18 09:10:33 -07:00
committed by GitHub
parent 73bbd7caca
commit 70dfdac609
5 changed files with 38 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files
prober/tls.go
+16 -14
View File
@@ -9,9 +9,9 @@ import (
"crypto/x509"
"fmt"
"io"
"net"
"net/http"
"net/netip"
"slices"
"time"
"tailscale.com/util/multierr"
@@ -28,33 +28,31 @@ const letsEncryptStartedStaplingCRL int64 = 1746576000 // 2025-05-07 00:00:00 UT
// The ProbeFunc connects to a hostPort (host:port string), does a TLS
// handshake, verifies that the hostname matches the presented certificate,
// checks certificate validity time and OCSP revocation status.
func TLS(hostPort string) ProbeClass {
//
// The TLS config is optional and may be nil.
func TLS(hostPort string, config *tls.Config) ProbeClass {
return ProbeClass{
Probe: func(ctx context.Context) error {
certDomain, _, err := net.SplitHostPort(hostPort)
if err != nil {
return err
}
return probeTLS(ctx, certDomain, hostPort)
return probeTLS(ctx, config, hostPort)
},
Class: "tls",
}
}
// TLSWithIP is like TLS, but dials the provided dialAddr instead
// of using DNS resolution. The certDomain is the expected name in
// the cert (and the SNI name to send).
func TLSWithIP(certDomain string, dialAddr netip.AddrPort) ProbeClass {
// TLSWithIP is like TLS, but dials the provided dialAddr instead of using DNS
// resolution. Use config.ServerName to send SNI and validate the name in the
// cert.
func TLSWithIP(dialAddr netip.AddrPort, config *tls.Config) ProbeClass {
return ProbeClass{
Probe: func(ctx context.Context) error {
return probeTLS(ctx, certDomain, dialAddr.String())
return probeTLS(ctx, config, dialAddr.String())
},
Class: "tls",
}
}
func probeTLS(ctx context.Context, certDomain string, dialHostPort string) error {
dialer := &tls.Dialer{Config: &tls.Config{ServerName: certDomain}}
func probeTLS(ctx context.Context, config *tls.Config, dialHostPort string) error {
dialer := &tls.Dialer{Config: config}
conn, err := dialer.DialContext(ctx, "tcp", dialHostPort)
if err != nil {
return fmt.Errorf("connecting to %q: %w", dialHostPort, err)
@@ -108,6 +106,10 @@ func validateConnState(ctx context.Context, cs *tls.ConnectionState) (returnerr
}
if len(leafCert.CRLDistributionPoints) == 0 {
if !slices.Contains(leafCert.Issuer.Organization, "Let's Encrypt") {
// LE certs contain a CRL, but certs from other CAs might not.
return
}
if leafCert.NotBefore.Before(time.Unix(letsEncryptStartedStaplingCRL, 0)) {
// Certificate might not have a CRL.
return