net/tlsdial: fix TLS cert validation of HTTPS proxies - tailscale - The easiest, most secure way to use WireGuard and 2FA

diff options

author	Brad Fitzpatrick <bradfitz@tailscale.com>	2025-06-08 18:51:41 -0700
committer	Brad Fitzpatrick <brad@danga.com>	2025-06-18 14:20:39 -0700
commit	e92eb6b17bb59cd66cd78c90db3b285015ed5e11 (patch)
tree	059585ca0a791e03a16dfcb1e223ca646e19d999 /control/controlhttp/controlhttpserver
parent	4979ce7a94cd023db5cd03cbb556934d9652dfd2 (diff)
download	tailscale-e92eb6b17bb59cd66cd78c90db3b285015ed5e11.tar.xz tailscale-e92eb6b17bb59cd66cd78c90db3b285015ed5e11.zip

net/tlsdial: fix TLS cert validation of HTTPS proxies

If you had HTTPS_PROXY=https://some-valid-cert.example.com running a CONNECT proxy, we should've been able to do a TLS CONNECT request to e.g. controlplane.tailscale.com:443 through that, and I'm pretty sure it used to work, but refactorings and lack of integration tests made it regress. It probably regressed when we added the baked-in LetsEncrypt root cert validation fallback code, which was testing against the wrong hostname (the ultimate one, not the one which we were being asked to validate) Fixes #16222 Change-Id: If014e395f830e2f87f056f588edacad5c15e91bc Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>

Diffstat (limited to 'control/controlhttp/controlhttpserver')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: