// -=-=- StartHere -=-=- // // # Chapter I: HTTP GET with TLS conn // // In this chapter we will write together a `main.go` file that // uses netxlite to establish a TLS connection to a remote endpoint // and then fetches a webpage from it using GET. // // This file is basically the same as the one used in chapter03 // with the small addition of the code to perform the GET. // // (This file is auto-generated from the corresponding source file, // so make sure you don't edit it manually.) // // ## The main.go file // // We define `main.go` file using `package main`. // // The beginning of the program is equal to chapter03, // so there is not much to say about it. // // ```Go package main import ( "context" "crypto/tls" "errors" "flag" "net" "net/http" "net/url" "os" "time" "github.com/apex/log" "github.com/ooni/probe-cli/v3/internal/netxlite" utls "gitlab.com/yawning/utls.git" ) func main() { log.SetLevel(log.DebugLevel) address := flag.String("address", "8.8.4.4:443", "Remote endpoint address") sni := flag.String("sni", "dns.google", "SNI to use") timeout := flag.Duration("timeout", 60*time.Second, "Timeout") flag.Parse() ctx, cancel := context.WithTimeout(context.Background(), *timeout) defer cancel() config := &tls.Config{ ServerName: *sni, NextProtos: []string{"h2", "http/1.1"}, RootCAs: netxlite.NewDefaultCertPool(), } conn, _, err := dialTLS(ctx, *address, config) if err != nil { fatal(err) } log.Infof("Conn type : %T", conn) // ``` // // This is where things diverge. We create an HTTP client // using a transport created with `netxlite.NewHTTPTransport`. // // This transport will have as TCP connections dialer a // "null" dialer that fails whenever you attempt to dial // (and we should not be dialing anything here since we // already have a TLS connection). // // It will also use as TLSDialer (the type that dials TLS // and, morally, combines `dialTCP` with `handshakeTLS`) one // that is "single use". What does this mean? Well, we // create such a TLSDialer using the connection we already // established. The first time the HTTP code dials for // TLS, the TLSDialer will return the connection we passed // to its constructor immediately. Every subsequent TLS // dial attempt will fail. // // The result is an HTTPTransport suitable for performing // a single request using the given TLS conn. // // (A similar construct allows to create an HTTPTransport that // uses a cleartext TCP connection. In the next chapter we'll // see how to do the same using QUIC.) // // ```Go clnt := &http.Client{Transport: netxlite.NewHTTPTransport( log.Log, netxlite.NewNullDialer(), netxlite.NewSingleUseTLSDialer(conn.(netxlite.TLSConn)), )} // ``` // // Once we have the proper transport and client, the rest of // the code is basically standard Go for fetching a webpage // using the GET method. // // ```Go log.Infof("Transport : %T", clnt.Transport) defer clnt.CloseIdleConnections() resp, err := clnt.Get( (&url.URL{Scheme: "https", Host: *sni, Path: "/"}).String()) if err != nil { fatal(err) } log.Infof("Status code: %d", resp.StatusCode) resp.Body.Close() } // ``` // // We won't comment on the rest of the program because it is // exactly like what we've seen in chapter03. // // ```Go func dialTCP(ctx context.Context, address string) (net.Conn, error) { d := netxlite.NewDialerWithoutResolver(log.Log) return d.DialContext(ctx, "tcp", address) } func handshakeTLS(ctx context.Context, tcpConn net.Conn, config *tls.Config) (net.Conn, tls.ConnectionState, error) { th := netxlite.NewTLSHandshakerUTLS(log.Log, &utls.HelloFirefox_55) return th.Handshake(ctx, tcpConn, config) } func dialTLS(ctx context.Context, address string, config *tls.Config) (net.Conn, tls.ConnectionState, error) { tcpConn, err := dialTCP(ctx, address) if err != nil { return nil, tls.ConnectionState{}, err } tlsConn, state, err := handshakeTLS(ctx, tcpConn, config) if err != nil { tcpConn.Close() return nil, tls.ConnectionState{}, err } return tlsConn, state, nil } func fatal(err error) { var ew *netxlite.ErrWrapper if !errors.As(err, &ew) { log.Fatal("cannot get ErrWrapper") } log.Warnf("error string : %s", err.Error()) log.Warnf("OONI failure : %s", ew.Failure) log.Warnf("failed operation: %s", ew.Operation) log.Warnf("underlying error: %+v", ew.WrappedErr) os.Exit(1) } // ``` // // ## Running the code // // ### Vanilla run // // You can now run this code as follows: // // ```bash // go run -race ./internal/tutorial/netxlite/chapter07 // ``` // // You will see debug logs describing what is happening along with timing info. // // ### Connect timeout // // ```bash // go run -race ./internal/tutorial/netxlite/chapter07 -address 8.8.4.4:1 // ``` // // should cause a connect timeout error. Try lowering the timout adding, e.g., // the `-timeout 5s` flag to the command line. // // ### Connection refused // // ```bash // go run -race ./internal/tutorial/netxlite/chapter07 -address '[::1]:1' // ``` // // should give you a connection refused error in most cases. (We are quoting // the `::1` IPv6 address using `[` and `]` here.) // // ### SNI mismatch // // ```bash // go run -race ./internal/tutorial/netxlite/chapter07 -sni example.com // ``` // // should give you a TLS invalid hostname error (for historical reasons // named `ssl_invalid_hostname`). // // ## Conclusions // // We have seen how to establish a TLS connection with a website // and then how to GET a webpage using such a connection.