webnet/tailscale
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

client/tailscale: make GetCertificate guess cert if SNI lacks dots

Browse Source 
Updates #1235

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
This commit is contained in:
Brad Fitzpatrick
2021-08-18 10:05:05 -07:00
parent e199e407d2
commit b7ae529ecc
2 changed files with 29 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
client/tailscale/tailscale.go
+22 -1
View File
@@ -331,7 +331,14 @@ func GetCertificate(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
}
ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
defer cancel()
certPEM, keyPEM, err := CertPair(ctx, hi.ServerName)
name := hi.ServerName
if !strings.Contains(name, ".") {
if v, ok := ExpandSNIName(ctx, name); ok {
name = v
}
}
certPEM, keyPEM, err := CertPair(ctx, name)
if err != nil {
return nil, err
}
@@ -341,3 +348,17 @@ func GetCertificate(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
}
return &cert, nil
}
// ExpandSNIName expands bare label name into the the most likely actual TLS cert name.
func ExpandSNIName(ctx context.Context, name string) (fqdn string, ok bool) {
st, err := StatusWithoutPeers(ctx)
if err != nil {
return "", false
}
for _, d := range st.CertDomains {
if len(d) > len(name)+1 && strings.HasPrefix(d, name) && d[len(name)] == '.' {
return d, true
}
}
return "", false
}