c/ooni-probe-cli
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #362 from ooni/develop

Browse Source 
I am currently working on https://github.com/ooni/probe-engine/issues/725 with an eye on https://github.com/ooni/probe/issues/1507. While approaching these issues, it seems that the `netx` codebase could use some consolidation (_coagula_) and some splitting (_solve_).

The general idea of these changes is that I want to arrive to the situation where we have (1) a `New` factory method for each package under `netx` for which it makes sense (e.g., `dialer.New`, `tlsdialer.New`, `httptransport.New`), (2) a separate `Config` structure per package (e.g., `dialer.Config`) rather than having all the possible config into the same structure (3) part of the `urlgetter` code (and namely the low-level part) moved into the `netx` package. (See https://github.com/ooni/probe/issues/1591.)

There is too much bureaucracy around writing a new experiment. Much of this bureaucracy will go (it seems) if we do what I have said above. After that, we will end up that you run tests by using the top-level `netx` package. (In any case, I am not of course 100% sure about all the changes that will come after, but this comment seems enough to set a direction.)

These are the changes in this pull request:

* refactor(netx): extract tlsdialer from dialer

We want these two packages to be separate. Dialer was doing too much before. Separating TLS dialing code into a separate package allows us to have a `tlsdialer.New` factory that clearly conveys the meaning. Also, this would allow us to much more clearly separate configuration and simplify reasoning on what each factory does.

* refactor(engine): move `tlsx` package inside `netx` and merge the `gocertifi` package inside it

It would be tempting to merge everything inside `tlsdialer` but the reality is that also the `quicdialer` package needs to use the same code, therefore, it seems more tidy to actually have some tls extensions in `netx`.
This commit is contained in:
Simone Basso 2021-06-08 13:40:59 +02:00 committed by GitHub
commit 0317420398
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
25 changed files with 711 additions and 582 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
internal/engine/legacy/netx/dialer.go
View File

@ -13,6 +13,7 @@ import (
"github.com/ooni/probe-cli/v3/internal/engine/legacy/netx/handlers"
"github.com/ooni/probe-cli/v3/internal/engine/legacy/netx/modelx"
"github.com/ooni/probe-cli/v3/internal/engine/netx/dialer"
"github.com/ooni/probe-cli/v3/internal/engine/netx/tlsdialer"
)
// Dialer performs measurements while dialing.
@ -101,14 +102,14 @@ func (d *Dialer) DialTLS(network, address string) (net.Conn, error) {
// - SystemTLSHandshaker
//
// If you have others needs, manually build the chain you need.
func newTLSDialer(d dialer.Dialer, config *tls.Config) dialer.TLSDialer {
return dialer.TLSDialer{
func newTLSDialer(d dialer.Dialer, config *tls.Config) tlsdialer.TLSDialer {
return tlsdialer.TLSDialer{
Config: config,
Dialer: d,
TLSHandshaker: dialer.EmitterTLSHandshaker{
TLSHandshaker: dialer.ErrorWrapperTLSHandshaker{
TLSHandshaker: dialer.TimeoutTLSHandshaker{
TLSHandshaker: dialer.SystemTLSHandshaker{},
TLSHandshaker: tlsdialer.EmitterTLSHandshaker{
TLSHandshaker: tlsdialer.ErrorWrapperTLSHandshaker{
TLSHandshaker: tlsdialer.TimeoutTLSHandshaker{
TLSHandshaker: tlsdialer.SystemTLSHandshaker{},
},
},
},

2
internal/engine/legacy/netxlogger/netxlogger.go
View File

@ -8,8 +8,8 @@ import (
"net/http"
"strings"
"github.com/ooni/probe-cli/v3/internal/engine/internal/tlsx"
"github.com/ooni/probe-cli/v3/internal/engine/legacy/netx/modelx"
"github.com/ooni/probe-cli/v3/internal/engine/netx/tlsx"
)
// Logger is the interface we expect from a logger

2
internal/engine/legacy/oonidatamodel/oonidatamodel.go
View File

@ -16,11 +16,11 @@ import (
"strings"
"unicode/utf8"
"github.com/ooni/probe-cli/v3/internal/engine/internal/tlsx"
"github.com/ooni/probe-cli/v3/internal/engine/legacy/netx/modelx"
"github.com/ooni/probe-cli/v3/internal/engine/legacy/oonitemplates"
"github.com/ooni/probe-cli/v3/internal/engine/model"
"github.com/ooni/probe-cli/v3/internal/engine/netx/errorx"
"github.com/ooni/probe-cli/v3/internal/engine/netx/tlsx"
)
// ExtSpec describes a data format extension

10
internal/engine/netx/dialer/eof_test.go
View File

@ -2,7 +2,6 @@ package dialer
import (
"context"
"crypto/tls"
"io"
"net"
"time"
@ -69,12 +68,3 @@ func (EOFAddr) Network() string {
func (EOFAddr) String() string {
return "127.0.0.1:1234"
}
type EOFTLSHandshaker struct{}
func (EOFTLSHandshaker) Handshake(
ctx context.Context, conn net.Conn, config *tls.Config,
) (net.Conn, tls.ConnectionState, error) {
time.Sleep(10 * time.Microsecond)
return nil, tls.ConnectionState{}, io.EOF
}

26
internal/engine/netx/dialer/integration_test.go
View File

@ -1,7 +1,6 @@
package dialer_test
import (
"context"
"net"
"net/http"
"testing"
@ -10,31 +9,6 @@ import (
"github.com/ooni/probe-cli/v3/internal/engine/netx/dialer"
)
func TestTLSDialerSuccess(t *testing.T) {
if testing.Short() {
t.Skip("skip test in short mode")
}
log.SetLevel(log.DebugLevel)
dialer := dialer.TLSDialer{Dialer: new(net.Dialer),
TLSHandshaker: dialer.LoggingTLSHandshaker{
TLSHandshaker: dialer.SystemTLSHandshaker{},
Logger: log.Log,
},
}
txp := &http.Transport{DialTLS: func(network, address string) (net.Conn, error) {
// AlpineLinux edge is still using Go 1.13. We cannot switch to
// using DialTLSContext here as we'd like to until either Alpine
// switches to Go 1.14 or we drop the MK dependency.
return dialer.DialTLSContext(context.Background(), network, address)
}}
client := &http.Client{Transport: txp}
resp, err := client.Get("https://www.google.com")
if err != nil {
t.Fatal(err)
}
resp.Body.Close()
}
func TestDNSDialerSuccess(t *testing.T) {
if testing.Short() {
t.Skip("skip test in short mode")

27
internal/engine/netx/dialer/logging.go
View File

@ -2,11 +2,8 @@ package dialer
import (
"context"
"crypto/tls"
"net"
"time"
"github.com/ooni/probe-cli/v3/internal/engine/internal/tlsx"
)
// Logger is the logger assumed by this package
@ -30,27 +27,3 @@ func (d LoggingDialer) DialContext(ctx context.Context, network, address string)
d.Logger.Debugf("dial %s/%s... %+v in %s", address, network, err, stop.Sub(start))
return conn, err
}
// LoggingTLSHandshaker is a TLSHandshaker with logging
type LoggingTLSHandshaker struct {
TLSHandshaker
Logger Logger
}
// Handshake implements Handshaker.Handshake
func (h LoggingTLSHandshaker) Handshake(
ctx context.Context, conn net.Conn, config *tls.Config,
) (net.Conn, tls.ConnectionState, error) {
h.Logger.Debugf("tls {sni=%s next=%+v}...", config.ServerName, config.NextProtos)
start := time.Now()
tlsconn, state, err := h.TLSHandshaker.Handshake(ctx, conn, config)
stop := time.Now()
h.Logger.Debugf(
"tls {sni=%s next=%+v}... %+v in %s {next=%s cipher=%s v=%s}", config.ServerName,
config.NextProtos, err, stop.Sub(start), state.NegotiatedProtocol,
tlsx.CipherSuiteString(state.CipherSuite), tlsx.VersionString(state.Version))
return tlsconn, state, err
}
var _ Dialer = LoggingDialer{}
var _ TLSHandshaker = LoggingTLSHandshaker{}

17
internal/engine/netx/dialer/logging_test.go
View File

@ -2,7 +2,6 @@ package dialer_test
import (
"context"
"crypto/tls"
"errors"
"io"
"testing"
@ -24,19 +23,3 @@ func TestLoggingDialerFailure(t *testing.T) {
t.Fatal("expected nil conn here")
}
}
func TestLoggingTLSHandshakerFailure(t *testing.T) {
h := dialer.LoggingTLSHandshaker{
TLSHandshaker: dialer.EOFTLSHandshaker{},
Logger: log.Log,
}
tlsconn, _, err := h.Handshake(context.Background(), dialer.EOFConn{}, &tls.Config{
ServerName: "www.google.com",
})
if !errors.Is(err, io.EOF) {
t.Fatal("not the error we expected")
}
if tlsconn != nil {
t.Fatal("expected nil tlsconn here")
}
}

39
internal/engine/netx/dialer/saver.go
View File

@ -2,11 +2,9 @@ package dialer
import (
"context"
"crypto/tls"
"net"
"time"
"github.com/ooni/probe-cli/v3/internal/engine/internal/tlsx"
"github.com/ooni/probe-cli/v3/internal/engine/netx/errorx"
"github.com/ooni/probe-cli/v3/internal/engine/netx/trace"
)
@ -33,42 +31,6 @@ func (d SaverDialer) DialContext(ctx context.Context, network, address string) (
return conn, err
}
// SaverTLSHandshaker saves events occurring during the handshake
type SaverTLSHandshaker struct {
TLSHandshaker
Saver *trace.Saver
}
// Handshake implements TLSHandshaker.Handshake
func (h SaverTLSHandshaker) Handshake(
ctx context.Context, conn net.Conn, config *tls.Config,
) (net.Conn, tls.ConnectionState, error) {
start := time.Now()
h.Saver.Write(trace.Event{
Name: "tls_handshake_start",
NoTLSVerify: config.InsecureSkipVerify,
TLSNextProtos: config.NextProtos,
TLSServerName: config.ServerName,
Time: start,
})
tlsconn, state, err := h.TLSHandshaker.Handshake(ctx, conn, config)
stop := time.Now()
h.Saver.Write(trace.Event{
Duration: stop.Sub(start),
Err: err,
Name: "tls_handshake_done",
NoTLSVerify: config.InsecureSkipVerify,
TLSCipherSuite: tlsx.CipherSuiteString(state.CipherSuite),
TLSNegotiatedProto: state.NegotiatedProtocol,
TLSNextProtos: config.NextProtos,
TLSPeerCerts: trace.PeerCerts(state, err),
TLSServerName: config.ServerName,
TLSVersion: tlsx.VersionString(state.Version),
Time: stop,
})
return tlsconn, state, err
}
// SaverConnDialer wraps the returned connection such that we
// collect all the read/write events that occur.
type SaverConnDialer struct {
@ -121,5 +83,4 @@ func (c saverConn) Write(p []byte) (int, error) {
}
var _ Dialer = SaverDialer{}
var _ TLSHandshaker = SaverTLSHandshaker{}
var _ net.Conn = saverConn{}

301
internal/engine/netx/dialer/saver_test.go
View File

@ -2,10 +2,7 @@ package dialer_test
import (
"context"
"crypto/tls"
"errors"
"net"
"reflect"
"testing"
"time"
@ -71,301 +68,3 @@ func TestSaverConnDialerFailure(t *testing.T) {
t.Fatal("expected nil conn here")
}
}
func TestSaverTLSHandshakerSuccessWithReadWrite(t *testing.T) {
// This is the most common use case for collecting reads, writes
if testing.Short() {
t.Skip("skip test in short mode")
}
nextprotos := []string{"h2"}
saver := &trace.Saver{}
tlsdlr := dialer.TLSDialer{
Config: &tls.Config{NextProtos: nextprotos},
Dialer: dialer.SaverConnDialer{
Dialer: new(net.Dialer),
Saver: saver,
},
TLSHandshaker: dialer.SaverTLSHandshaker{
TLSHandshaker: dialer.SystemTLSHandshaker{},
Saver: saver,
},
}
// Implementation note: we don't close the connection here because it is
// very handy to have the last event being the end of the handshake
_, err := tlsdlr.DialTLSContext(context.Background(), "tcp", "www.google.com:443")
if err != nil {
t.Fatal(err)
}
ev := saver.Read()
if len(ev) < 4 {
// it's a bit tricky to be sure about the right number of
// events because network conditions may influence that
t.Fatal("unexpected number of events")
}
if ev[0].Name != "tls_handshake_start" {
t.Fatal("unexpected Name")
}
if ev[0].TLSServerName != "www.google.com" {
t.Fatal("unexpected TLSServerName")
}
if !reflect.DeepEqual(ev[0].TLSNextProtos, nextprotos) {
t.Fatal("unexpected TLSNextProtos")
}
if ev[0].Time.After(time.Now()) {
t.Fatal("unexpected Time")
}
last := len(ev) - 1
for idx := 1; idx < last; idx++ {
if ev[idx].Data == nil {
t.Fatal("unexpected Data")
}
if ev[idx].Duration <= 0 {
t.Fatal("unexpected Duration")
}
if ev[idx].Err != nil {
t.Fatal("unexpected Err")
}
if ev[idx].NumBytes <= 0 {
t.Fatal("unexpected NumBytes")
}
switch ev[idx].Name {
case errorx.ReadOperation, errorx.WriteOperation:
default:
t.Fatal("unexpected Name")
}
if ev[idx].Time.Before(ev[idx-1].Time) {
t.Fatal("unexpected Time")
}
}
if ev[last].Duration <= 0 {
t.Fatal("unexpected Duration")
}
if ev[last].Err != nil {
t.Fatal("unexpected Err")
}
if ev[last].Name != "tls_handshake_done" {
t.Fatal("unexpected Name")
}
if ev[last].TLSCipherSuite == "" {
t.Fatal("unexpected TLSCipherSuite")
}
if ev[last].TLSNegotiatedProto != "h2" {
t.Fatal("unexpected TLSNegotiatedProto")
}
if !reflect.DeepEqual(ev[last].TLSNextProtos, nextprotos) {
t.Fatal("unexpected TLSNextProtos")
}
if ev[last].TLSPeerCerts == nil {
t.Fatal("unexpected TLSPeerCerts")
}
if ev[last].TLSServerName != "www.google.com" {
t.Fatal("unexpected TLSServerName")
}
if ev[last].TLSVersion == "" {
t.Fatal("unexpected TLSVersion")
}
if ev[last].Time.Before(ev[last-1].Time) {
t.Fatal("unexpected Time")
}
}
func TestSaverTLSHandshakerSuccess(t *testing.T) {
if testing.Short() {
t.Skip("skip test in short mode")
}
nextprotos := []string{"h2"}
saver := &trace.Saver{}
tlsdlr := dialer.TLSDialer{
Config: &tls.Config{NextProtos: nextprotos},
Dialer: new(net.Dialer),
TLSHandshaker: dialer.SaverTLSHandshaker{
TLSHandshaker: dialer.SystemTLSHandshaker{},
Saver: saver,
},
}
conn, err := tlsdlr.DialTLSContext(context.Background(), "tcp", "www.google.com:443")
if err != nil {
t.Fatal(err)
}
conn.Close()
ev := saver.Read()
if len(ev) != 2 {
t.Fatal("unexpected number of events")
}
if ev[0].Name != "tls_handshake_start" {
t.Fatal("unexpected Name")
}
if ev[0].TLSServerName != "www.google.com" {
t.Fatal("unexpected TLSServerName")
}
if !reflect.DeepEqual(ev[0].TLSNextProtos, nextprotos) {
t.Fatal("unexpected TLSNextProtos")
}
if ev[0].Time.After(time.Now()) {
t.Fatal("unexpected Time")
}
if ev[1].Duration <= 0 {
t.Fatal("unexpected Duration")
}
if ev[1].Err != nil {
t.Fatal("unexpected Err")
}
if ev[1].Name != "tls_handshake_done" {
t.Fatal("unexpected Name")
}
if ev[1].TLSCipherSuite == "" {
t.Fatal("unexpected TLSCipherSuite")
}
if ev[1].TLSNegotiatedProto != "h2" {
t.Fatal("unexpected TLSNegotiatedProto")
}
if !reflect.DeepEqual(ev[1].TLSNextProtos, nextprotos) {
t.Fatal("unexpected TLSNextProtos")
}
if ev[1].TLSPeerCerts == nil {
t.Fatal("unexpected TLSPeerCerts")
}
if ev[1].TLSServerName != "www.google.com" {
t.Fatal("unexpected TLSServerName")
}
if ev[1].TLSVersion == "" {
t.Fatal("unexpected TLSVersion")
}
if ev[1].Time.Before(ev[0].Time) {
t.Fatal("unexpected Time")
}
}
func TestSaverTLSHandshakerHostnameError(t *testing.T) {
if testing.Short() {
t.Skip("skip test in short mode")
}
saver := &trace.Saver{}
tlsdlr := dialer.TLSDialer{
Dialer: new(net.Dialer),
TLSHandshaker: dialer.SaverTLSHandshaker{
TLSHandshaker: dialer.SystemTLSHandshaker{},
Saver: saver,
},
}
conn, err := tlsdlr.DialTLSContext(
context.Background(), "tcp", "wrong.host.badssl.com:443")
if err == nil {
t.Fatal("expected an error here")
}
if conn != nil {
t.Fatal("expected nil conn here")
}
for _, ev := range saver.Read() {
if ev.Name != "tls_handshake_done" {
continue
}
if ev.NoTLSVerify == true {
t.Fatal("expected NoTLSVerify to be false")
}
if len(ev.TLSPeerCerts) < 1 {
t.Fatal("expected at least a certificate here")
}
}
}
func TestSaverTLSHandshakerInvalidCertError(t *testing.T) {
if testing.Short() {
t.Skip("skip test in short mode")
}
saver := &trace.Saver{}
tlsdlr := dialer.TLSDialer{
Dialer: new(net.Dialer),
TLSHandshaker: dialer.SaverTLSHandshaker{
TLSHandshaker: dialer.SystemTLSHandshaker{},
Saver: saver,
},
}
conn, err := tlsdlr.DialTLSContext(
context.Background(), "tcp", "expired.badssl.com:443")
if err == nil {
t.Fatal("expected an error here")
}
if conn != nil {
t.Fatal("expected nil conn here")
}
for _, ev := range saver.Read() {
if ev.Name != "tls_handshake_done" {
continue
}
if ev.NoTLSVerify == true {
t.Fatal("expected NoTLSVerify to be false")
}
if len(ev.TLSPeerCerts) < 1 {
t.Fatal("expected at least a certificate here")
}
}
}
func TestSaverTLSHandshakerAuthorityError(t *testing.T) {
if testing.Short() {
t.Skip("skip test in short mode")
}
saver := &trace.Saver{}
tlsdlr := dialer.TLSDialer{
Dialer: new(net.Dialer),
TLSHandshaker: dialer.SaverTLSHandshaker{
TLSHandshaker: dialer.SystemTLSHandshaker{},
Saver: saver,
},
}
conn, err := tlsdlr.DialTLSContext(
context.Background(), "tcp", "self-signed.badssl.com:443")
if err == nil {
t.Fatal("expected an error here")
}
if conn != nil {
t.Fatal("expected nil conn here")
}
for _, ev := range saver.Read() {
if ev.Name != "tls_handshake_done" {
continue
}
if ev.NoTLSVerify == true {
t.Fatal("expected NoTLSVerify to be false")
}
if len(ev.TLSPeerCerts) < 1 {
t.Fatal("expected at least a certificate here")
}
}
}
func TestSaverTLSHandshakerNoTLSVerify(t *testing.T) {
if testing.Short() {
t.Skip("skip test in short mode")
}
saver := &trace.Saver{}
tlsdlr := dialer.TLSDialer{
Config: &tls.Config{InsecureSkipVerify: true},
Dialer: new(net.Dialer),
TLSHandshaker: dialer.SaverTLSHandshaker{
TLSHandshaker: dialer.SystemTLSHandshaker{},
Saver: saver,
},
}
conn, err := tlsdlr.DialTLSContext(
context.Background(), "tcp", "self-signed.badssl.com:443")
if err != nil {
t.Fatal(err)
}
if conn == nil {
t.Fatal("expected non-nil conn here")
}
conn.Close()
for _, ev := range saver.Read() {
if ev.Name != "tls_handshake_done" {
continue
}
if ev.NoTLSVerify != true {
t.Fatal("expected NoTLSVerify to be true")
}
if len(ev.TLSPeerCerts) < 1 {
t.Fatal("expected at least a certificate here")
}
}
}

19
internal/engine/netx/netx.go
View File

@ -33,11 +33,12 @@ import (
"github.com/lucas-clemente/quic-go"
"github.com/ooni/probe-cli/v3/internal/engine/netx/bytecounter"
"github.com/ooni/probe-cli/v3/internal/engine/netx/dialer"
"github.com/ooni/probe-cli/v3/internal/engine/netx/gocertifi"
"github.com/ooni/probe-cli/v3/internal/engine/netx/httptransport"
"github.com/ooni/probe-cli/v3/internal/engine/netx/quicdialer"
"github.com/ooni/probe-cli/v3/internal/engine/netx/resolver"
"github.com/ooni/probe-cli/v3/internal/engine/netx/selfcensor"
"github.com/ooni/probe-cli/v3/internal/engine/netx/tlsdialer"
"github.com/ooni/probe-cli/v3/internal/engine/netx/tlsx"
"github.com/ooni/probe-cli/v3/internal/engine/netx/trace"
"github.com/ooni/probe-cli/v3/internal/runtimex"
)
@ -113,8 +114,8 @@ type tlsHandshaker interface {
// NewDefaultCertPool returns a copy of the default x509
// certificate pool. This function panics on failure.
func NewDefaultCertPool() *x509.CertPool {
pool, err := gocertifi.CACerts()
runtimex.PanicOnError(err, "gocertifi.CACerts() failed")
pool, err := tlsx.CACerts()
runtimex.PanicOnError(err, "tlsx.CACerts() failed")
return pool
}
@ -196,14 +197,14 @@ func NewTLSDialer(config Config) TLSDialer {
if config.Dialer == nil {
config.Dialer = NewDialer(config)
}
var h tlsHandshaker = dialer.SystemTLSHandshaker{}
h = dialer.TimeoutTLSHandshaker{TLSHandshaker: h}
h = dialer.ErrorWrapperTLSHandshaker{TLSHandshaker: h}
var h tlsHandshaker = tlsdialer.SystemTLSHandshaker{}
h = tlsdialer.TimeoutTLSHandshaker{TLSHandshaker: h}
h = tlsdialer.ErrorWrapperTLSHandshaker{TLSHandshaker: h}
if config.Logger != nil {
h = dialer.LoggingTLSHandshaker{Logger: config.Logger, TLSHandshaker: h}
h = tlsdialer.LoggingTLSHandshaker{Logger: config.Logger, TLSHandshaker: h}
}
if config.TLSSaver != nil {
h = dialer.SaverTLSHandshaker{TLSHandshaker: h, Saver: config.TLSSaver}
h = tlsdialer.SaverTLSHandshaker{TLSHandshaker: h, Saver: config.TLSSaver}
}
if config.TLSConfig == nil {
config.TLSConfig = &tls.Config{NextProtos: []string{"h2", "http/1.1"}}
@ -213,7 +214,7 @@ func NewTLSDialer(config Config) TLSDialer {
}
config.TLSConfig.RootCAs = config.CertPool
config.TLSConfig.InsecureSkipVerify = config.NoTLSVerify
return dialer.TLSDialer{
return tlsdialer.TLSDialer{
Config: config.TLSConfig,
Dialer: config.Dialer,
TLSHandshaker: h,

57
internal/engine/netx/netx_test.go
View File

@ -14,6 +14,7 @@ import (
"github.com/ooni/probe-cli/v3/internal/engine/netx/httptransport"
"github.com/ooni/probe-cli/v3/internal/engine/netx/resolver"
"github.com/ooni/probe-cli/v3/internal/engine/netx/selfcensor"
"github.com/ooni/probe-cli/v3/internal/engine/netx/tlsdialer"
"github.com/ooni/probe-cli/v3/internal/engine/netx/trace"
)
@ -486,7 +487,7 @@ func TestNewDialerWithContextByteCounting(t *testing.T) {
func TestNewTLSDialerVanilla(t *testing.T) {
td := netx.NewTLSDialer(netx.Config{})
rtd, ok := td.(dialer.TLSDialer)
rtd, ok := td.(tlsdialer.TLSDialer)
if !ok {
t.Fatal("not the TLSDialer we expected")
}
@ -512,15 +513,15 @@ func TestNewTLSDialerVanilla(t *testing.T) {
if rtd.TLSHandshaker == nil {
t.Fatal("invalid TLSHandshaker")
}
ewth, ok := rtd.TLSHandshaker.(dialer.ErrorWrapperTLSHandshaker)
ewth, ok := rtd.TLSHandshaker.(tlsdialer.ErrorWrapperTLSHandshaker)
if !ok {
t.Fatal("not the TLSHandshaker we expected")
}
tth, ok := ewth.TLSHandshaker.(dialer.TimeoutTLSHandshaker)
tth, ok := ewth.TLSHandshaker.(tlsdialer.TimeoutTLSHandshaker)
if !ok {
t.Fatal("not the TLSHandshaker we expected")
}
if _, ok := tth.TLSHandshaker.(dialer.SystemTLSHandshaker); !ok {
if _, ok := tth.TLSHandshaker.(tlsdialer.SystemTLSHandshaker); !ok {
t.Fatal("not the TLSHandshaker we expected")
}
}
@ -529,7 +530,7 @@ func TestNewTLSDialerWithConfig(t *testing.T) {
td := netx.NewTLSDialer(netx.Config{
TLSConfig: new(tls.Config),
})
rtd, ok := td.(dialer.TLSDialer)
rtd, ok := td.(tlsdialer.TLSDialer)
if !ok {
t.Fatal("not the TLSDialer we expected")
}
@ -552,15 +553,15 @@ func TestNewTLSDialerWithConfig(t *testing.T) {
if rtd.TLSHandshaker == nil {
t.Fatal("invalid TLSHandshaker")
}
ewth, ok := rtd.TLSHandshaker.(dialer.ErrorWrapperTLSHandshaker)
ewth, ok := rtd.TLSHandshaker.(tlsdialer.ErrorWrapperTLSHandshaker)
if !ok {
t.Fatal("not the TLSHandshaker we expected")
}
tth, ok := ewth.TLSHandshaker.(dialer.TimeoutTLSHandshaker)
tth, ok := ewth.TLSHandshaker.(tlsdialer.TimeoutTLSHandshaker)
if !ok {
t.Fatal("not the TLSHandshaker we expected")
}
if _, ok := tth.TLSHandshaker.(dialer.SystemTLSHandshaker); !ok {
if _, ok := tth.TLSHandshaker.(tlsdialer.SystemTLSHandshaker); !ok {
t.Fatal("not the TLSHandshaker we expected")
}
}
@ -569,7 +570,7 @@ func TestNewTLSDialerWithLogging(t *testing.T) {
td := netx.NewTLSDialer(netx.Config{
Logger: log.Log,
})
rtd, ok := td.(dialer.TLSDialer)
rtd, ok := td.(tlsdialer.TLSDialer)
if !ok {
t.Fatal("not the TLSDialer we expected")
}
@ -595,22 +596,22 @@ func TestNewTLSDialerWithLogging(t *testing.T) {
if rtd.TLSHandshaker == nil {
t.Fatal("invalid TLSHandshaker")
}
lth, ok := rtd.TLSHandshaker.(dialer.LoggingTLSHandshaker)
lth, ok := rtd.TLSHandshaker.(tlsdialer.LoggingTLSHandshaker)
if !ok {
t.Fatal("not the TLSHandshaker we expected")
}
if lth.Logger != log.Log {
t.Fatal("not the Logger we expected")
}
ewth, ok := lth.TLSHandshaker.(dialer.ErrorWrapperTLSHandshaker)
ewth, ok := lth.TLSHandshaker.(tlsdialer.ErrorWrapperTLSHandshaker)
if !ok {
t.Fatal("not the TLSHandshaker we expected")
}
tth, ok := ewth.TLSHandshaker.(dialer.TimeoutTLSHandshaker)
tth, ok := ewth.TLSHandshaker.(tlsdialer.TimeoutTLSHandshaker)
if !ok {
t.Fatal("not the TLSHandshaker we expected")
}
if _, ok := tth.TLSHandshaker.(dialer.SystemTLSHandshaker); !ok {
if _, ok := tth.TLSHandshaker.(tlsdialer.SystemTLSHandshaker); !ok {
t.Fatal("not the TLSHandshaker we expected")
}
}
@ -620,7 +621,7 @@ func TestNewTLSDialerWithSaver(t *testing.T) {
td := netx.NewTLSDialer(netx.Config{
TLSSaver: saver,
})
rtd, ok := td.(dialer.TLSDialer)
rtd, ok := td.(tlsdialer.TLSDialer)
if !ok {
t.Fatal("not the TLSDialer we expected")
}
@ -646,22 +647,22 @@ func TestNewTLSDialerWithSaver(t *testing.T) {
if rtd.TLSHandshaker == nil {
t.Fatal("invalid TLSHandshaker")
}
sth, ok := rtd.TLSHandshaker.(dialer.SaverTLSHandshaker)
sth, ok := rtd.TLSHandshaker.(tlsdialer.SaverTLSHandshaker)
if !ok {
t.Fatal("not the TLSHandshaker we expected")
}
if sth.Saver != saver {
t.Fatal("not the Logger we expected")
}
ewth, ok := sth.TLSHandshaker.(dialer.ErrorWrapperTLSHandshaker)
ewth, ok := sth.TLSHandshaker.(tlsdialer.ErrorWrapperTLSHandshaker)
if !ok {
t.Fatal("not the TLSHandshaker we expected")
}
tth, ok := ewth.TLSHandshaker.(dialer.TimeoutTLSHandshaker)
tth, ok := ewth.TLSHandshaker.(tlsdialer.TimeoutTLSHandshaker)
if !ok {
t.Fatal("not the TLSHandshaker we expected")
}
if _, ok := tth.TLSHandshaker.(dialer.SystemTLSHandshaker); !ok {
if _, ok := tth.TLSHandshaker.(tlsdialer.SystemTLSHandshaker); !ok {
t.Fatal("not the TLSHandshaker we expected")
}
}
@ -671,7 +672,7 @@ func TestNewTLSDialerWithNoTLSVerifyAndConfig(t *testing.T) {
TLSConfig: new(tls.Config),
NoTLSVerify: true,
})
rtd, ok := td.(dialer.TLSDialer)
rtd, ok := td.(tlsdialer.TLSDialer)
if !ok {
t.Fatal("not the TLSDialer we expected")
}
@ -697,15 +698,15 @@ func TestNewTLSDialerWithNoTLSVerifyAndConfig(t *testing.T) {
if rtd.TLSHandshaker == nil {
t.Fatal("invalid TLSHandshaker")
}
ewth, ok := rtd.TLSHandshaker.(dialer.ErrorWrapperTLSHandshaker)
ewth, ok := rtd.TLSHandshaker.(tlsdialer.ErrorWrapperTLSHandshaker)
if !ok {
t.Fatal("not the TLSHandshaker we expected")
}
tth, ok := ewth.TLSHandshaker.(dialer.TimeoutTLSHandshaker)
tth, ok := ewth.TLSHandshaker.(tlsdialer.TimeoutTLSHandshaker)
if !ok {
t.Fatal("not the TLSHandshaker we expected")
}
if _, ok := tth.TLSHandshaker.(dialer.SystemTLSHandshaker); !ok {
if _, ok := tth.TLSHandshaker.(tlsdialer.SystemTLSHandshaker); !ok {
t.Fatal("not the TLSHandshaker we expected")
}
}
@ -714,7 +715,7 @@ func TestNewTLSDialerWithNoTLSVerifyAndNoConfig(t *testing.T) {
td := netx.NewTLSDialer(netx.Config{
NoTLSVerify: true,
})
rtd, ok := td.(dialer.TLSDialer)
rtd, ok := td.(tlsdialer.TLSDialer)
if !ok {
t.Fatal("not the TLSDialer we expected")
}
@ -743,15 +744,15 @@ func TestNewTLSDialerWithNoTLSVerifyAndNoConfig(t *testing.T) {
if rtd.TLSHandshaker == nil {
t.Fatal("invalid TLSHandshaker")
}
ewth, ok := rtd.TLSHandshaker.(dialer.ErrorWrapperTLSHandshaker)
ewth, ok := rtd.TLSHandshaker.(tlsdialer.ErrorWrapperTLSHandshaker)
if !ok {
t.Fatal("not the TLSHandshaker we expected")
}
tth, ok := ewth.TLSHandshaker.(dialer.TimeoutTLSHandshaker)
tth, ok := ewth.TLSHandshaker.(tlsdialer.TimeoutTLSHandshaker)
if !ok {
t.Fatal("not the TLSHandshaker we expected")
}
if _, ok := tth.TLSHandshaker.(dialer.SystemTLSHandshaker); !ok {
if _, ok := tth.TLSHandshaker.(tlsdialer.SystemTLSHandshaker); !ok {
t.Fatal("not the TLSHandshaker we expected")
}
}
@ -785,10 +786,10 @@ func TestNewWithDialer(t *testing.T) {
func TestNewWithTLSDialer(t *testing.T) {
expected := errors.New("mocked error")
tlsDialer := dialer.TLSDialer{
tlsDialer := tlsdialer.TLSDialer{
Config: new(tls.Config),
Dialer: netx.FakeDialer{Err: expected},
TLSHandshaker: dialer.SystemTLSHandshaker{},
TLSHandshaker: tlsdialer.SystemTLSHandshaker{},
}
txp := netx.NewHTTPTransport(netx.Config{
TLSDialer: tlsDialer,

2
internal/engine/netx/quicdialer/saver.go
View File

@ -6,7 +6,7 @@ import (
"time"
"github.com/lucas-clemente/quic-go"
"github.com/ooni/probe-cli/v3/internal/engine/internal/tlsx"
"github.com/ooni/probe-cli/v3/internal/engine/netx/tlsx"
"github.com/ooni/probe-cli/v3/internal/engine/netx/trace"
)

80
internal/engine/netx/tlsdialer/eof_test.go Normal file
View File

@ -0,0 +1,80 @@
package tlsdialer
import (
"context"
"crypto/tls"
"io"
"net"
"time"
)
type EOFDialer struct{}
func (EOFDialer) DialContext(ctx context.Context, network, address string) (net.Conn, error) {
time.Sleep(10 * time.Microsecond)
return nil, io.EOF
}
type EOFConnDialer struct{}
func (EOFConnDialer) DialContext(ctx context.Context, network, address string) (net.Conn, error) {
return EOFConn{}, nil
}
type EOFConn struct {
net.Conn
}
func (EOFConn) Read(p []byte) (int, error) {
time.Sleep(10 * time.Microsecond)
return 0, io.EOF
}
func (EOFConn) Write(p []byte) (int, error) {
time.Sleep(10 * time.Microsecond)
return 0, io.EOF
}
func (EOFConn) Close() error {
time.Sleep(10 * time.Microsecond)
return io.EOF
}
func (EOFConn) LocalAddr() net.Addr {
return EOFAddr{}
}
func (EOFConn) RemoteAddr() net.Addr {
return EOFAddr{}
}
func (EOFConn) SetDeadline(t time.Time) error {
return nil
}
func (EOFConn) SetReadDeadline(t time.Time) error {
return nil
}
func (EOFConn) SetWriteDeadline(t time.Time) error {
return nil
}
type EOFAddr struct{}
func (EOFAddr) Network() string {
return "tcp"
}
func (EOFAddr) String() string {
return "127.0.0.1:1234"
}
type EOFTLSHandshaker struct{}
func (EOFTLSHandshaker) Handshake(
ctx context.Context, conn net.Conn, config *tls.Config,
) (net.Conn, tls.ConnectionState, error) {
time.Sleep(10 * time.Microsecond)
return nil, tls.ConnectionState{}, io.EOF
}

71
internal/engine/netx/tlsdialer/fake_test.go Normal file
View File

@ -0,0 +1,71 @@
package tlsdialer
import (
"context"
"io"
"net"
"time"
)
type FakeDialer struct {
Conn net.Conn
Err error
}
func (d FakeDialer) DialContext(ctx context.Context, network, address string) (net.Conn, error) {
time.Sleep(10 * time.Microsecond)
return d.Conn, d.Err
}
type FakeConn struct {
ReadError error
ReadData []byte
SetDeadlineError error
SetReadDeadlineError error
SetWriteDeadlineError error
WriteError error
}
func (c *FakeConn) Read(b []byte) (int, error) {
if len(c.ReadData) > 0 {
n := copy(b, c.ReadData)
c.ReadData = c.ReadData[n:]
return n, nil
}
if c.ReadError != nil {
return 0, c.ReadError
}
return 0, io.EOF
}
func (c *FakeConn) Write(b []byte) (n int, err error) {
if c.WriteError != nil {
return 0, c.WriteError
}
n = len(b)
return
}
func (*FakeConn) Close() (err error) {
return
}
func (*FakeConn) LocalAddr() net.Addr {
return &net.TCPAddr{}
}
func (*FakeConn) RemoteAddr() net.Addr {
return &net.TCPAddr{}
}
func (c *FakeConn) SetDeadline(t time.Time) (err error) {
return c.SetDeadlineError
}
func (c *FakeConn) SetReadDeadline(t time.Time) (err error) {
return c.SetReadDeadlineError
}
func (c *FakeConn) SetWriteDeadline(t time.Time) (err error) {
return c.SetWriteDeadlineError
}

36
internal/engine/netx/tlsdialer/integration_test.go Normal file
View File

@ -0,0 +1,36 @@
package tlsdialer_test
import (
"context"
"net"
"net/http"
"testing"
"github.com/apex/log"
"github.com/ooni/probe-cli/v3/internal/engine/netx/tlsdialer"
)
func TestTLSDialerSuccess(t *testing.T) {
if testing.Short() {
t.Skip("skip test in short mode")
}
log.SetLevel(log.DebugLevel)
dialer := tlsdialer.TLSDialer{Dialer: new(net.Dialer),
TLSHandshaker: tlsdialer.LoggingTLSHandshaker{
TLSHandshaker: tlsdialer.SystemTLSHandshaker{},
Logger: log.Log,
},
}
txp := &http.Transport{DialTLS: func(network, address string) (net.Conn, error) {
// AlpineLinux edge is still using Go 1.13. We cannot switch to
// using DialTLSContext here as we'd like to until either Alpine
// switches to Go 1.14 or we drop the MK dependency.
return dialer.DialTLSContext(context.Background(), network, address)
}}
client := &http.Client{Transport: txp}
resp, err := client.Get("https://www.google.com")
if err != nil {
t.Fatal(err)
}
resp.Body.Close()
}

39
internal/engine/netx/tlsdialer/logging.go Normal file
View File

@ -0,0 +1,39 @@
package tlsdialer
import (
"context"
"crypto/tls"
"net"
"time"
"github.com/ooni/probe-cli/v3/internal/engine/netx/tlsx"
)
// Logger is the logger assumed by this package
type Logger interface {
Debugf(format string, v ...interface{})
Debug(message string)
}
// LoggingTLSHandshaker is a TLSHandshaker with logging
type LoggingTLSHandshaker struct {
TLSHandshaker
Logger Logger
}
// Handshake implements Handshaker.Handshake
func (h LoggingTLSHandshaker) Handshake(
ctx context.Context, conn net.Conn, config *tls.Config,
) (net.Conn, tls.ConnectionState, error) {
h.Logger.Debugf("tls {sni=%s next=%+v}...", config.ServerName, config.NextProtos)
start := time.Now()
tlsconn, state, err := h.TLSHandshaker.Handshake(ctx, conn, config)
stop := time.Now()
h.Logger.Debugf(
"tls {sni=%s next=%+v}... %+v in %s {next=%s cipher=%s v=%s}", config.ServerName,
config.NextProtos, err, stop.Sub(start), state.NegotiatedProtocol,
tlsx.CipherSuiteString(state.CipherSuite), tlsx.VersionString(state.Version))
return tlsconn, state, err
}
var _ TLSHandshaker = LoggingTLSHandshaker{}

28
internal/engine/netx/tlsdialer/logging_test.go Normal file
View File

@ -0,0 +1,28 @@
package tlsdialer_test
import (
"context"
"crypto/tls"
"errors"
"io"
"testing"
"github.com/apex/log"
"github.com/ooni/probe-cli/v3/internal/engine/netx/tlsdialer"
)
func TestLoggingTLSHandshakerFailure(t *testing.T) {
h := tlsdialer.LoggingTLSHandshaker{
TLSHandshaker: tlsdialer.EOFTLSHandshaker{},
Logger: log.Log,
}
tlsconn, _, err := h.Handshake(context.Background(), tlsdialer.EOFConn{}, &tls.Config{
ServerName: "www.google.com",
})
if !errors.Is(err, io.EOF) {
t.Fatal("not the error we expected")
}
if tlsconn != nil {
t.Fatal("expected nil tlsconn here")
}
}

49
internal/engine/netx/tlsdialer/saver.go Normal file
View File

@ -0,0 +1,49 @@
package tlsdialer
import (
"context"
"crypto/tls"
"net"
"time"
"github.com/ooni/probe-cli/v3/internal/engine/netx/tlsx"
"github.com/ooni/probe-cli/v3/internal/engine/netx/trace"
)
// SaverTLSHandshaker saves events occurring during the handshake
type SaverTLSHandshaker struct {
TLSHandshaker
Saver *trace.Saver
}
// Handshake implements TLSHandshaker.Handshake
func (h SaverTLSHandshaker) Handshake(
ctx context.Context, conn net.Conn, config *tls.Config,
) (net.Conn, tls.ConnectionState, error) {
start := time.Now()
h.Saver.Write(trace.Event{
Name: "tls_handshake_start",
NoTLSVerify: config.InsecureSkipVerify,
TLSNextProtos: config.NextProtos,
TLSServerName: config.ServerName,
Time: start,
})
tlsconn, state, err := h.TLSHandshaker.Handshake(ctx, conn, config)
stop := time.Now()
h.Saver.Write(trace.Event{
Duration: stop.Sub(start),
Err: err,
Name: "tls_handshake_done",
NoTLSVerify: config.InsecureSkipVerify,
TLSCipherSuite: tlsx.CipherSuiteString(state.CipherSuite),
TLSNegotiatedProto: state.NegotiatedProtocol,
TLSNextProtos: config.NextProtos,
TLSPeerCerts: trace.PeerCerts(state, err),
TLSServerName: config.ServerName,
TLSVersion: tlsx.VersionString(state.Version),
Time: stop,
})
return tlsconn, state, err
}
var _ TLSHandshaker = SaverTLSHandshaker{}

313
internal/engine/netx/tlsdialer/saver_test.go Normal file
View File

@ -0,0 +1,313 @@
package tlsdialer_test
import (
"context"
"crypto/tls"
"net"
"reflect"
"testing"
"time"
"github.com/ooni/probe-cli/v3/internal/engine/netx/dialer"
"github.com/ooni/probe-cli/v3/internal/engine/netx/errorx"
"github.com/ooni/probe-cli/v3/internal/engine/netx/tlsdialer"
"github.com/ooni/probe-cli/v3/internal/engine/netx/trace"
)
func TestSaverTLSHandshakerSuccessWithReadWrite(t *testing.T) {
// This is the most common use case for collecting reads, writes
if testing.Short() {
t.Skip("skip test in short mode")
}
nextprotos := []string{"h2"}
saver := &trace.Saver{}
tlsdlr := tlsdialer.TLSDialer{
Config: &tls.Config{NextProtos: nextprotos},
Dialer: dialer.SaverConnDialer{
Dialer: new(net.Dialer),
Saver: saver,
},
TLSHandshaker: tlsdialer.SaverTLSHandshaker{
TLSHandshaker: tlsdialer.SystemTLSHandshaker{},
Saver: saver,
},
}
// Implementation note: we don't close the connection here because it is
// very handy to have the last event being the end of the handshake
_, err := tlsdlr.DialTLSContext(context.Background(), "tcp", "www.google.com:443")
if err != nil {
t.Fatal(err)
}
ev := saver.Read()
if len(ev) < 4 {
// it's a bit tricky to be sure about the right number of
// events because network conditions may influence that
t.Fatal("unexpected number of events")
}
if ev[0].Name != "tls_handshake_start" {
t.Fatal("unexpected Name")
}
if ev[0].TLSServerName != "www.google.com" {
t.Fatal("unexpected TLSServerName")
}
if !reflect.DeepEqual(ev[0].TLSNextProtos, nextprotos) {
t.Fatal("unexpected TLSNextProtos")
}
if ev[0].Time.After(time.Now()) {
t.Fatal("unexpected Time")
}
last := len(ev) - 1
for idx := 1; idx < last; idx++ {
if ev[idx].Data == nil {
t.Fatal("unexpected Data")
}
if ev[idx].Duration <= 0 {
t.Fatal("unexpected Duration")
}
if ev[idx].Err != nil {
t.Fatal("unexpected Err")
}
if ev[idx].NumBytes <= 0 {
t.Fatal("unexpected NumBytes")
}
switch ev[idx].Name {
case errorx.ReadOperation, errorx.WriteOperation:
default:
t.Fatal("unexpected Name")
}
if ev[idx].Time.Before(ev[idx-1].Time) {
t.Fatal("unexpected Time")
}
}
if ev[last].Duration <= 0 {
t.Fatal("unexpected Duration")
}
if ev[last].Err != nil {
t.Fatal("unexpected Err")
}
if ev[last].Name != "tls_handshake_done" {
t.Fatal("unexpected Name")
}
if ev[last].TLSCipherSuite == "" {
t.Fatal("unexpected TLSCipherSuite")
}
if ev[last].TLSNegotiatedProto != "h2" {
t.Fatal("unexpected TLSNegotiatedProto")
}
if !reflect.DeepEqual(ev[last].TLSNextProtos, nextprotos) {
t.Fatal("unexpected TLSNextProtos")
}
if ev[last].TLSPeerCerts == nil {
t.Fatal("unexpected TLSPeerCerts")
}
if ev[last].TLSServerName != "www.google.com" {
t.Fatal("unexpected TLSServerName")
}
if ev[last].TLSVersion == "" {
t.Fatal("unexpected TLSVersion")
}
if ev[last].Time.Before(ev[last-1].Time) {
t.Fatal("unexpected Time")
}
}
func TestSaverTLSHandshakerSuccess(t *testing.T) {
if testing.Short() {
t.Skip("skip test in short mode")
}
nextprotos := []string{"h2"}
saver := &trace.Saver{}
tlsdlr := tlsdialer.TLSDialer{
Config: &tls.Config{NextProtos: nextprotos},
Dialer: new(net.Dialer),
TLSHandshaker: tlsdialer.SaverTLSHandshaker{
TLSHandshaker: tlsdialer.SystemTLSHandshaker{},
Saver: saver,
},
}
conn, err := tlsdlr.DialTLSContext(context.Background(), "tcp", "www.google.com:443")
if err != nil {
t.Fatal(err)
}
conn.Close()
ev := saver.Read()
if len(ev) != 2 {
t.Fatal("unexpected number of events")
}
if ev[0].Name != "tls_handshake_start" {
t.Fatal("unexpected Name")
}
if ev[0].TLSServerName != "www.google.com" {
t.Fatal("unexpected TLSServerName")
}
if !reflect.DeepEqual(ev[0].TLSNextProtos, nextprotos) {
t.Fatal("unexpected TLSNextProtos")
}
if ev[0].Time.After(time.Now()) {
t.Fatal("unexpected Time")
}
if ev[1].Duration <= 0 {
t.Fatal("unexpected Duration")
}
if ev[1].Err != nil {
t.Fatal("unexpected Err")
}
if ev[1].Name != "tls_handshake_done" {
t.Fatal("unexpected Name")
}
if ev[1].TLSCipherSuite == "" {
t.Fatal("unexpected TLSCipherSuite")
}
if ev[1].TLSNegotiatedProto != "h2" {
t.Fatal("unexpected TLSNegotiatedProto")
}
if !reflect.DeepEqual(ev[1].TLSNextProtos, nextprotos) {
t.Fatal("unexpected TLSNextProtos")
}
if ev[1].TLSPeerCerts == nil {
t.Fatal("unexpected TLSPeerCerts")
}
if ev[1].TLSServerName != "www.google.com" {
t.Fatal("unexpected TLSServerName")
}
if ev[1].TLSVersion == "" {
t.Fatal("unexpected TLSVersion")
}
if ev[1].Time.Before(ev[0].Time) {
t.Fatal("unexpected Time")
}
}
func TestSaverTLSHandshakerHostnameError(t *testing.T) {
if testing.Short() {
t.Skip("skip test in short mode")
}
saver := &trace.Saver{}
tlsdlr := tlsdialer.TLSDialer{
Dialer: new(net.Dialer),
TLSHandshaker: tlsdialer.SaverTLSHandshaker{
TLSHandshaker: tlsdialer.SystemTLSHandshaker{},
Saver: saver,
},
}
conn, err := tlsdlr.DialTLSContext(
context.Background(), "tcp", "wrong.host.badssl.com:443")
if err == nil {
t.Fatal("expected an error here")
}
if conn != nil {
t.Fatal("expected nil conn here")
}
for _, ev := range saver.Read() {
if ev.Name != "tls_handshake_done" {
continue
}
if ev.NoTLSVerify == true {
t.Fatal("expected NoTLSVerify to be false")
}
if len(ev.TLSPeerCerts) < 1 {
t.Fatal("expected at least a certificate here")
}
}
}
func TestSaverTLSHandshakerInvalidCertError(t *testing.T) {
if testing.Short() {
t.Skip("skip test in short mode")
}
saver := &trace.Saver{}
tlsdlr := tlsdialer.TLSDialer{
Dialer: new(net.Dialer),
TLSHandshaker: tlsdialer.SaverTLSHandshaker{
TLSHandshaker: tlsdialer.SystemTLSHandshaker{},
Saver: saver,
},
}
conn, err := tlsdlr.DialTLSContext(
context.Background(), "tcp", "expired.badssl.com:443")
if err == nil {
t.Fatal("expected an error here")
}
if conn != nil {
t.Fatal("expected nil conn here")
}
for _, ev := range saver.Read() {
if ev.Name != "tls_handshake_done" {
continue
}
if ev.NoTLSVerify == true {
t.Fatal("expected NoTLSVerify to be false")
}
if len(ev.TLSPeerCerts) < 1 {
t.Fatal("expected at least a certificate here")
}
}
}
func TestSaverTLSHandshakerAuthorityError(t *testing.T) {
if testing.Short() {
t.Skip("skip test in short mode")
}
saver := &trace.Saver{}
tlsdlr := tlsdialer.TLSDialer{
Dialer: new(net.Dialer),
TLSHandshaker: tlsdialer.SaverTLSHandshaker{
TLSHandshaker: tlsdialer.SystemTLSHandshaker{},
Saver: saver,
},
}
conn, err := tlsdlr.DialTLSContext(
context.Background(), "tcp", "self-signed.badssl.com:443")
if err == nil {
t.Fatal("expected an error here")
}
if conn != nil {
t.Fatal("expected nil conn here")
}
for _, ev := range saver.Read() {
if ev.Name != "tls_handshake_done" {
continue
}
if ev.NoTLSVerify == true {
t.Fatal("expected NoTLSVerify to be false")
}
if len(ev.TLSPeerCerts) < 1 {
t.Fatal("expected at least a certificate here")
}
}
}
func TestSaverTLSHandshakerNoTLSVerify(t *testing.T) {
if testing.Short() {
t.Skip("skip test in short mode")
}
saver := &trace.Saver{}
tlsdlr := tlsdialer.TLSDialer{
Config: &tls.Config{InsecureSkipVerify: true},
Dialer: new(net.Dialer),
TLSHandshaker: tlsdialer.SaverTLSHandshaker{
TLSHandshaker: tlsdialer.SystemTLSHandshaker{},
Saver: saver,
},
}
conn, err := tlsdlr.DialTLSContext(
context.Background(), "tcp", "self-signed.badssl.com:443")
if err != nil {
t.Fatal(err)
}
if conn == nil {
t.Fatal("expected non-nil conn here")
}
conn.Close()
for _, ev := range saver.Read() {
if ev.Name != "tls_handshake_done" {
continue
}
if ev.NoTLSVerify != true {
t.Fatal("expected NoTLSVerify to be true")
}
if len(ev.TLSPeerCerts) < 1 {
t.Fatal("expected at least a certificate here")
}
}
}

10
internal/engine/netx/dialer/tls.go → internal/engine/netx/tlsdialer/tls.go
View File

@ -1,4 +1,5 @@
package dialer
// Package tlsdialer contains code to establish TLS connections.
package tlsdialer
import (
"context"
@ -11,6 +12,11 @@ import (
"github.com/ooni/probe-cli/v3/internal/engine/netx/errorx"
)
// UnderlyingDialer is the underlying dialer type.
type UnderlyingDialer interface {
DialContext(ctx context.Context, network, address string) (net.Conn, error)
}
// TLSHandshaker is the generic TLS handshaker
type TLSHandshaker interface {
Handshake(ctx context.Context, conn net.Conn, config *tls.Config) (
@ -105,7 +111,7 @@ func (h EmitterTLSHandshaker) Handshake(
// TLSDialer is the TLS dialer
type TLSDialer struct {
Config *tls.Config
Dialer Dialer
Dialer UnderlyingDialer
TLSHandshaker TLSHandshaker
}

64
internal/engine/netx/dialer/tls_test.go → internal/engine/netx/tlsdialer/tls_test.go
View File

@ -1,4 +1,4 @@
package dialer_test
package tlsdialer_test
import (
"context"
@ -11,13 +11,13 @@ import (
"github.com/ooni/probe-cli/v3/internal/engine/legacy/netx/handlers"
"github.com/ooni/probe-cli/v3/internal/engine/legacy/netx/modelx"
"github.com/ooni/probe-cli/v3/internal/engine/netx/dialer"
"github.com/ooni/probe-cli/v3/internal/engine/netx/errorx"
"github.com/ooni/probe-cli/v3/internal/engine/netx/tlsdialer"
)
func TestSystemTLSHandshakerEOFError(t *testing.T) {
h := dialer.SystemTLSHandshaker{}
conn, _, err := h.Handshake(context.Background(), dialer.EOFConn{}, &tls.Config{
h := tlsdialer.SystemTLSHandshaker{}
conn, _, err := h.Handshake(context.Background(), tlsdialer.EOFConn{}, &tls.Config{
ServerName: "x.org",
})
if err != io.EOF {
@ -29,13 +29,13 @@ func TestSystemTLSHandshakerEOFError(t *testing.T) {
}
func TestTimeoutTLSHandshakerSetDeadlineError(t *testing.T) {
h := dialer.TimeoutTLSHandshaker{
TLSHandshaker: dialer.SystemTLSHandshaker{},
h := tlsdialer.TimeoutTLSHandshaker{
TLSHandshaker: tlsdialer.SystemTLSHandshaker{},
HandshakeTimeout: 200 * time.Millisecond,
}
expected := errors.New("mocked error")
conn, _, err := h.Handshake(
context.Background(), &dialer.FakeConn{SetDeadlineError: expected},
context.Background(), &tlsdialer.FakeConn{SetDeadlineError: expected},
new(tls.Config))
if !errors.Is(err, expected) {
t.Fatal("not the error that we expected")
@ -46,12 +46,12 @@ func TestTimeoutTLSHandshakerSetDeadlineError(t *testing.T) {
}
func TestTimeoutTLSHandshakerEOFError(t *testing.T) {
h := dialer.TimeoutTLSHandshaker{
TLSHandshaker: dialer.SystemTLSHandshaker{},
h := tlsdialer.TimeoutTLSHandshaker{
TLSHandshaker: tlsdialer.SystemTLSHandshaker{},
HandshakeTimeout: 200 * time.Millisecond,
}
conn, _, err := h.Handshake(
context.Background(), dialer.EOFConn{}, &tls.Config{ServerName: "x.org"})
context.Background(), tlsdialer.EOFConn{}, &tls.Config{ServerName: "x.org"})
if !errors.Is(err, io.EOF) {
t.Fatal("not the error that we expected")
}
@ -61,8 +61,8 @@ func TestTimeoutTLSHandshakerEOFError(t *testing.T) {
}
func TestTimeoutTLSHandshakerCallsSetDeadline(t *testing.T) {
h := dialer.TimeoutTLSHandshaker{
TLSHandshaker: dialer.SystemTLSHandshaker{},
h := tlsdialer.TimeoutTLSHandshaker{
TLSHandshaker: tlsdialer.SystemTLSHandshaker{},
HandshakeTimeout: 200 * time.Millisecond,
}
underlying := &SetDeadlineConn{}
@ -86,7 +86,7 @@ func TestTimeoutTLSHandshakerCallsSetDeadline(t *testing.T) {
}
type SetDeadlineConn struct {
dialer.EOFConn
tlsdialer.EOFConn
deadlines []time.Time
}
@ -96,9 +96,9 @@ func (c *SetDeadlineConn) SetDeadline(t time.Time) error {
}
func TestErrorWrapperTLSHandshakerFailure(t *testing.T) {
h := dialer.ErrorWrapperTLSHandshaker{TLSHandshaker: dialer.EOFTLSHandshaker{}}
h := tlsdialer.ErrorWrapperTLSHandshaker{TLSHandshaker: tlsdialer.EOFTLSHandshaker{}}
conn, _, err := h.Handshake(
context.Background(), dialer.EOFConn{}, new(tls.Config))
context.Background(), tlsdialer.EOFConn{}, new(tls.Config))
if !errors.Is(err, io.EOF) {
t.Fatal("not the error that we expected")
}
@ -126,8 +126,8 @@ func TestEmitterTLSHandshakerFailure(t *testing.T) {
Beginning: time.Now(),
Handler: saver,
})
h := dialer.EmitterTLSHandshaker{TLSHandshaker: dialer.EOFTLSHandshaker{}}
conn, _, err := h.Handshake(ctx, dialer.EOFConn{}, &tls.Config{
h := tlsdialer.EmitterTLSHandshaker{TLSHandshaker: tlsdialer.EOFTLSHandshaker{}}
conn, _, err := h.Handshake(ctx, tlsdialer.EOFConn{}, &tls.Config{
ServerName: "www.kernel.org",
})
if !errors.Is(err, io.EOF) {
@ -164,7 +164,7 @@ func TestEmitterTLSHandshakerFailure(t *testing.T) {
}
func TestTLSDialerFailureSplitHostPort(t *testing.T) {
dialer := dialer.TLSDialer{}
dialer := tlsdialer.TLSDialer{}
conn, err := dialer.DialTLSContext(
context.Background(), "tcp", "www.google.com") // missing port
if err == nil {
@ -176,7 +176,7 @@ func TestTLSDialerFailureSplitHostPort(t *testing.T) {
}
func TestTLSDialerFailureDialing(t *testing.T) {
dialer := dialer.TLSDialer{Dialer: dialer.EOFDialer{}}
dialer := tlsdialer.TLSDialer{Dialer: tlsdialer.EOFDialer{}}
conn, err := dialer.DialTLSContext(
context.Background(), "tcp", "www.google.com:443")
if !errors.Is(err, io.EOF) {
@ -188,9 +188,9 @@ func TestTLSDialerFailureDialing(t *testing.T) {
}
func TestTLSDialerFailureHandshaking(t *testing.T) {
rec := &RecorderTLSHandshaker{TLSHandshaker: dialer.SystemTLSHandshaker{}}
dialer := dialer.TLSDialer{
Dialer: dialer.EOFConnDialer{},
rec := &RecorderTLSHandshaker{TLSHandshaker: tlsdialer.SystemTLSHandshaker{}}
dialer := tlsdialer.TLSDialer{
Dialer: tlsdialer.EOFConnDialer{},
TLSHandshaker: rec,
}
conn, err := dialer.DialTLSContext(
@ -207,12 +207,12 @@ func TestTLSDialerFailureHandshaking(t *testing.T) {
}
func TestTLSDialerFailureHandshakingOverrideSNI(t *testing.T) {
rec := &RecorderTLSHandshaker{TLSHandshaker: dialer.SystemTLSHandshaker{}}
dialer := dialer.TLSDialer{
rec := &RecorderTLSHandshaker{TLSHandshaker: tlsdialer.SystemTLSHandshaker{}}
dialer := tlsdialer.TLSDialer{
Config: &tls.Config{
ServerName: "x.org",
},
Dialer: dialer.EOFConnDialer{},
Dialer: tlsdialer.EOFConnDialer{},
TLSHandshaker: rec,
}
conn, err := dialer.DialTLSContext(
@ -229,7 +229,7 @@ func TestTLSDialerFailureHandshakingOverrideSNI(t *testing.T) {
}
type RecorderTLSHandshaker struct {
dialer.TLSHandshaker
tlsdialer.TLSHandshaker
SNI string
}
@ -241,10 +241,10 @@ func (h *RecorderTLSHandshaker) Handshake(
}
func TestDialTLSContextGood(t *testing.T) {
dialer := dialer.TLSDialer{
dialer := tlsdialer.TLSDialer{
Config: &tls.Config{ServerName: "google.com"},
Dialer: new(net.Dialer),
TLSHandshaker: dialer.SystemTLSHandshaker{},
TLSHandshaker: tlsdialer.SystemTLSHandshaker{},
}
conn, err := dialer.DialTLSContext(context.Background(), "tcp", "google.com:443")
if err != nil {
@ -257,12 +257,12 @@ func TestDialTLSContextGood(t *testing.T) {
}
func TestDialTLSContextTimeout(t *testing.T) {
dialer := dialer.TLSDialer{
dialer := tlsdialer.TLSDialer{
Config: &tls.Config{ServerName: "google.com"},
Dialer: new(net.Dialer),
TLSHandshaker: dialer.ErrorWrapperTLSHandshaker{
TLSHandshaker: dialer.TimeoutTLSHandshaker{
TLSHandshaker: dialer.SystemTLSHandshaker{},
TLSHandshaker: tlsdialer.ErrorWrapperTLSHandshaker{
TLSHandshaker: tlsdialer.TimeoutTLSHandshaker{
TLSHandshaker: tlsdialer.SystemTLSHandshaker{},
HandshakeTimeout: 10 * time.Microsecond,
},
},

86
internal/engine/netx/gocertifi/certifi.go → internal/engine/netx/tlsx/certifi.go
View File

@ -1,8 +1,8 @@
// Code generated by go generate; DO NOT EDIT.
// 2021-05-12 09:14:54.779668278 +0200 CEST m=+6.872930413
// 2021-06-08 13:03:08.852763 +0200 CEST m=+2.563240667
// https://curl.haxx.se/ca/cacert.pem
package gocertifi
package tlsx
//go:generate go run generate.go "https://curl.haxx.se/ca/cacert.pem"
@ -12,7 +12,7 @@ const pemcerts string = `
##
## Bundle of CA Root Certificates
##
## Certificate data from Mozilla as of: Tue Apr 13 03:12:04 2021 GMT
## Certificate data from Mozilla as of: Tue May 25 03:12:05 2021 GMT
##
## This is a bundle of X.509 certificates of public Certificate Authorities
## (CA). These were automatically extracted from Mozilla's root certificates
@ -25,7 +25,7 @@ const pemcerts string = `
## Just configure this file as the SSLCACertificateFile.
##
## Conversion done with mk-ca-bundle.pl version 1.28.
## SHA256: f377673fa3c22ba2188a4cea041c7b8c99a4817ffde6821e98325ce89324e5aa
## SHA256: e292bd4e2d500c86df45b830d89417be5c42ee670408f1d2c454c63d8a782865
##
@ -904,82 +904,6 @@ Q0iy2+tzJOeRf1SktoA+naM8THLCV8Sg1Mw4J87VBp6iSNnpn86CcDaTmjvfliHjWbcM2pE38P1Z
WrOZyGlsQyYBNWNgVYkDOnXYukrZVP/u3oDYLdE41V4tC5h9Pmzb/CaIxw==
-----END CERTIFICATE-----
Chambers of Commerce Root - 2008
================================
-----BEGIN CERTIFICATE-----
MIIHTzCCBTegAwIBAgIJAKPaQn6ksa7aMA0GCSqGSIb3DQEBBQUAMIGuMQswCQYDVQQGEwJFVTFD
MEEGA1UEBxM6TWFkcmlkIChzZWUgY3VycmVudCBhZGRyZXNzIGF0IHd3dy5jYW1lcmZpcm1hLmNv
bS9hZGRyZXNzKTESMBAGA1UEBRMJQTgyNzQzMjg3MRswGQYDVQQKExJBQyBDYW1lcmZpcm1hIFMu
QS4xKTAnBgNVBAMTIENoYW1iZXJzIG9mIENvbW1lcmNlIFJvb3QgLSAyMDA4MB4XDTA4MDgwMTEy
Mjk1MFoXDTM4MDczMTEyMjk1MFowga4xCzAJBgNVBAYTAkVVMUMwQQYDVQQHEzpNYWRyaWQgKHNl
ZSBjdXJyZW50IGFkZHJlc3MgYXQgd3d3LmNhbWVyZmlybWEuY29tL2FkZHJlc3MpMRIwEAYDVQQF
EwlBODI3NDMyODcxGzAZBgNVBAoTEkFDIENhbWVyZmlybWEgUy5BLjEpMCcGA1UEAxMgQ2hhbWJl
cnMgb2YgQ29tbWVyY2UgUm9vdCAtIDIwMDgwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC
AQCvAMtwNyuAWko6bHiUfaN/Gh/2NdW928sNRHI+JrKQUrpjOyhYb6WzbZSm891kDFX29ufyIiKA
XuFixrYp4YFs8r/lfTJqVKAyGVn+H4vXPWCGhSRv4xGzdz4gljUha7MI2XAuZPeEklPWDrCQiorj
h40G072QDuKZoRuGDtqaCrsLYVAGUvGef3bsyw/QHg3PmTA9HMRFEFis1tPo1+XqxQEHd9ZR5gN/
ikilTWh1uem8nk4ZcfUyS5xtYBkL+8ydddy/Js2Pk3g5eXNeJQ7KXOt3EgfLZEFHcpOrUMPrCXZk
NNI5t3YRCQ12RcSprj1qr7V9ZS+UWBDsXHyvfuK2GNnQm05aSd+pZgvMPMZ4fKecHePOjlO+Bd5g
D2vlGts/4+EhySnB8esHnFIbAURRPHsl18TlUlRdJQfKFiC4reRB7noI/plvg6aRArBsNlVq5331
lubKgdaX8ZSD6e2wsWsSaR6s+12pxZjptFtYer49okQ6Y1nUCyXeG0+95QGezdIp1Z8XGQpvvwyQ
0wlf2eOKNcx5Wk0ZN5K3xMGtr/R5JJqyAQuxr1yW84Ay+1w9mPGgP0revq+ULtlVmhduYJ1jbLhj
ya6BXBg14JC7vjxPNyK5fuvPnnchpj04gftI2jE9K+OJ9dC1vX7gUMQSibMjmhAxhduub+84Mxh2
EQIDAQABo4IBbDCCAWgwEgYDVR0TAQH/BAgwBgEB/wIBDDAdBgNVHQ4EFgQU+SSsD7K1+HnA+mCI
G8TZTQKeFxkwgeMGA1UdIwSB2zCB2IAU+SSsD7K1+HnA+mCIG8TZTQKeFxmhgbSkgbEwga4xCzAJ
BgNVBAYTAkVVMUMwQQYDVQQHEzpNYWRyaWQgKHNlZSBjdXJyZW50IGFkZHJlc3MgYXQgd3d3LmNh
bWVyZmlybWEuY29tL2FkZHJlc3MpMRIwEAYDVQQFEwlBODI3NDMyODcxGzAZBgNVBAoTEkFDIENh
bWVyZmlybWEgUy5BLjEpMCcGA1UEAxMgQ2hhbWJlcnMgb2YgQ29tbWVyY2UgUm9vdCAtIDIwMDiC
CQCj2kJ+pLGu2jAOBgNVHQ8BAf8EBAMCAQYwPQYDVR0gBDYwNDAyBgRVHSAAMCowKAYIKwYBBQUH
AgEWHGh0dHA6Ly9wb2xpY3kuY2FtZXJmaXJtYS5jb20wDQYJKoZIhvcNAQEFBQADggIBAJASryI1
wqM58C7e6bXpeHxIvj99RZJe6dqxGfwWPJ+0W2aeaufDuV2I6A+tzyMP3iU6XsxPpcG1Lawk0lgH
3qLPaYRgM+gQDROpI9CF5Y57pp49chNyM/WqfcZjHwj0/gF/JM8rLFQJ3uIrbZLGOU8W6jx+ekbU
RWpGqOt1glanq6B8aBMz9p0w8G8nOSQjKpD9kCk18pPfNKXG9/jvjA9iSnyu0/VU+I22mlaHFoI6
M6taIgj3grrqLuBHmrS1RaMFO9ncLkVAO+rcf+g769HsJtg1pDDFOqxXnrN2pSB7+R5KBWIBpih1
YJeSDW4+TTdDDZIVnBgizVGZoCkaPF+KMjNbMMeJL0eYD6MDxvbxrN8y8NmBGuScvfaAFPDRLLmF
9dijscilIeUcE5fuDr3fKanvNFNb0+RqE4QGtjICxFKuItLcsiFCGtpA8CnJ7AoMXOLQusxI0zcK
zBIKinmwPQN/aUv0NCB9szTqjktk9T79syNnFQ0EuPAtwQlRPLJsFfClI9eDdOTlLsn+mCdCxqvG
nrDQWzilm1DefhiYtUU79nm06PcaewaD+9CL2rvHvRirCG88gGtAPxkZumWK5r7VXNM21+9AUiRg
OGcEMeyP84LG3rlV8zsxkVrctQgVrXYlCg17LofiDKYGvCYQbTed7N14jHyAxfDZd0jQ
-----END CERTIFICATE-----
Global Chambersign Root - 2008
==============================
-----BEGIN CERTIFICATE-----
MIIHSTCCBTGgAwIBAgIJAMnN0+nVfSPOMA0GCSqGSIb3DQEBBQUAMIGsMQswCQYDVQQGEwJFVTFD
MEEGA1UEBxM6TWFkcmlkIChzZWUgY3VycmVudCBhZGRyZXNzIGF0IHd3dy5jYW1lcmZpcm1hLmNv
bS9hZGRyZXNzKTESMBAGA1UEBRMJQTgyNzQzMjg3MRswGQYDVQQKExJBQyBDYW1lcmZpcm1hIFMu
QS4xJzAlBgNVBAMTHkdsb2JhbCBDaGFtYmVyc2lnbiBSb290IC0gMjAwODAeFw0wODA4MDExMjMx
NDBaFw0zODA3MzExMjMxNDBaMIGsMQswCQYDVQQGEwJFVTFDMEEGA1UEBxM6TWFkcmlkIChzZWUg
Y3VycmVudCBhZGRyZXNzIGF0IHd3dy5jYW1lcmZpcm1hLmNvbS9hZGRyZXNzKTESMBAGA1UEBRMJ
QTgyNzQzMjg3MRswGQYDVQQKExJBQyBDYW1lcmZpcm1hIFMuQS4xJzAlBgNVBAMTHkdsb2JhbCBD
aGFtYmVyc2lnbiBSb290IC0gMjAwODCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMDf
VtPkOpt2RbQT2//BthmLN0EYlVJH6xedKYiONWwGMi5HYvNJBL99RDaxccy9Wglz1dmFRP+RVyXf
XjaOcNFccUMd2drvXNL7G706tcuto8xEpw2uIRU/uXpbknXYpBI4iRmKt4DS4jJvVpyR1ogQC7N0
ZJJ0YPP2zxhPYLIj0Mc7zmFLmY/CDNBAspjcDahOo7kKrmCgrUVSY7pmvWjg+b4aqIG7HkF4ddPB
/gBVsIdU6CeQNR1MM62X/JcumIS/LMmjv9GYERTtY/jKmIhYF5ntRQOXfjyGHoiMvvKRhI9lNNgA
TH23MRdaKXoKGCQwoze1eqkBfSbW+Q6OWfH9GzO1KTsXO0G2Id3UwD2ln58fQ1DJu7xsepeY7s2M
H/ucUa6LcL0nn3HAa6x9kGbo1106DbDVwo3VyJ2dwW3Q0L9R5OP4wzg2rtandeavhENdk5IMagfe
Ox2YItaswTXbo6Al/3K1dh3ebeksZixShNBFks4c5eUzHdwHU1SjqoI7mjcv3N2gZOnm3b2u/GSF
HTynyQbehP9r6GsaPMWis0L7iwk+XwhSx2LE1AVxv8Rk5Pihg+g+EpuoHtQ2TS9x9o0o9oOpE9Jh
wZG7SMA0j0GMS0zbaRL/UJScIINZc+18ofLx/d33SdNDWKBWY8o9PeU1VlnpDsogzCtLkykPAgMB
AAGjggFqMIIBZjASBgNVHRMBAf8ECDAGAQH/AgEMMB0GA1UdDgQWBBS5CcqcHtvTbDprru1U8VuT
BjUuXjCB4QYDVR0jBIHZMIHWgBS5CcqcHtvTbDprru1U8VuTBjUuXqGBsqSBrzCBrDELMAkGA1UE
BhMCRVUxQzBBBgNVBAcTOk1hZHJpZCAoc2VlIGN1cnJlbnQgYWRkcmVzcyBhdCB3d3cuY2FtZXJm
aXJtYS5jb20vYWRkcmVzcykxEjAQBgNVBAUTCUE4Mjc0MzI4NzEbMBkGA1UEChMSQUMgQ2FtZXJm
aXJtYSBTLkEuMScwJQYDVQQDEx5HbG9iYWwgQ2hhbWJlcnNpZ24gUm9vdCAtIDIwMDiCCQDJzdPp
1X0jzjAOBgNVHQ8BAf8EBAMCAQYwPQYDVR0gBDYwNDAyBgRVHSAAMCowKAYIKwYBBQUHAgEWHGh0
dHA6Ly9wb2xpY3kuY2FtZXJmaXJtYS5jb20wDQYJKoZIhvcNAQEFBQADggIBAICIf3DekijZBZRG
/5BXqfEv3xoNa/p8DhxJJHkn2EaqbylZUohwEurdPfWbU1Rv4WCiqAm57OtZfMY18dwY6fFn5a+6
ReAJ3spED8IXDneRRXozX1+WLGiLwUePmJs9wOzL9dWCkoQ10b42OFZyMVtHLaoXpGNR6woBrX/s
dZ7LoR/xfxKxueRkf2fWIyr0uDldmOghp+G9PUIadJpwr2hsUF1Jz//7Dl3mLEfXgTpZALVza2Mg
9jFFCDkO9HB+QHBaP9BrQql0PSgvAm11cpUJjUhjxsYjV5KTXjXBjfkK9yydYhz2rXzdpjEetrHH
foUm+qRqtdpjMNHvkzeyZi99Bffnt0uYlDXA2TopwZ2yUDMdSqlapskD7+3056huirRXhOukP9Du
qqqHW2Pok+JrqNS4cnhrG+055F3Lm6qH1U9OAP7Zap88MQ8oAgF9mOinsKJknnn4SPIVqczmyETr
P3iZ8ntxPjzxmKfFGBI/5rsoM0LpRQp8bfKGeS/Fghl9CYl8slR2iK7ewfPM4W7bMdaTrpmg7yVq
c5iJWzouE4gev8CSlDQb4ye3ix5vQv/n6TebUB0tovkC7stYWDpxvGjjqsGvHCgfotwjZT+B6q6Z
09gwzxMNTxXJhLynSC34MCN32EZLeW32jO06f2ARePTpm67VVMB0gNELQp/B
-----END CERTIFICATE-----
Go Daddy Root Certificate Authority - G2
========================================
-----BEGIN CERTIFICATE-----
@ -3227,7 +3151,7 @@ CAezNIm8BZ/3Hobui3A=
`
// CACerts builds an X.509 certificate pool containing the
// certificate bundle from https://curl.haxx.se/ca/cacert.pem fetch on 2021-05-12 09:14:54.779668278 +0200 CEST m=+6.872930413.
// certificate bundle from https://curl.haxx.se/ca/cacert.pem fetch on 2021-06-08 13:03:08.852763 +0200 CEST m=+2.563240667.
// Returns nil on error along with an appropriate error code.
func CACerts() (*x509.CertPool, error) {
pool := x509.NewCertPool()

2
internal/engine/netx/gocertifi/generate.go → internal/engine/netx/tlsx/generate.go
View File

@ -26,7 +26,7 @@ var tmpl = template.Must(template.New("").Parse(`// Code generated by go generat
// {{ .Timestamp }}
// {{ .URL }}
package gocertifi
package tlsx
//go:generate go run generate.go "{{ .URL }}"

0
internal/engine/internal/tlsx/tlsx.go → internal/engine/netx/tlsx/tlsx.go
View File

0
internal/engine/internal/tlsx/tlsx_test.go → internal/engine/netx/tlsx/tlsx_test.go
View File