cmd/derper, net/tlsdial: fix client's self-signed cert validation

This fixes the implementation and test from #15208 which apparently
never worked.

Ignore the metacert when counting the number of expected certs
presented.

And fix the test, pulling out the TLSConfig setup code into something
shared between the real cmd/derper and the test.

Fixes #15579

Change-Id: I90526e38e59f89b480629b415f00587b107de10a
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
This commit is contained in:
Brad Fitzpatrick
2025-05-19 08:39:55 -07:00
committed by Brad Fitzpatrick
parent b5770c81c9
commit 8009ad74a3
11 changed files with 77 additions and 27 deletions
@@ -88,6 +88,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
tailscale.com/control/controlhttp/controlhttpcommon from tailscale.com/control/controlhttp
tailscale.com/control/controlknobs from tailscale.com/net/portmapper
tailscale.com/derp from tailscale.com/derp/derphttp
tailscale.com/derp/derpconst from tailscale.com/derp+
tailscale.com/derp/derphttp from tailscale.com/net/netcheck
tailscale.com/disco from tailscale.com/derp
tailscale.com/drive from tailscale.com/client/local+
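Review bot: The commit message does not account for this change to the cmd/tailscale dependency list, which grows by one entry here (the hunk header goes from 6 to 7 lines). The message only talks about cmd/derper, net/tlsdial and the shared test setup. Since the file is marked as generated, please confirm it was regenerated by the tool rather than edited by hand, and add a line to the commit message naming the package that the client binary now pulls in and why, so a later reader auditing the client's dependency surface can trace the addition back to this fix.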