| author | Brad Fitzpatrick <bradfitz@tailscale.com> | 2025-06-08 18:51:41 -0700 |
|---|---|---|
| committer | Brad Fitzpatrick <brad@danga.com> | 2025-06-18 14:20:39 -0700 |
| commit | e92eb6b17bb59cd66cd78c90db3b285015ed5e11 (patch) | |
| tree | 059585ca0a791e03a16dfcb1e223ca646e19d999 /control/controlhttp | |
| parent | 4979ce7a94cd023db5cd03cbb556934d9652dfd2 (diff) | |
| download | tailscale-e92eb6b17bb59cd66cd78c90db3b285015ed5e11.tar.xz tailscale-e92eb6b17bb59cd66cd78c90db3b285015ed5e11.zip | |
net/tlsdial: fix TLS cert validation of HTTPS proxies
If you had HTTPS_PROXY=https://some-valid-cert.example.com running a
CONNECT proxy, we should've been able to do a TLS CONNECT request to
e.g. controlplane.tailscale.com:443 through that, and I'm pretty sure
it used to work, but refactorings and lack of integration tests made
it regress.
It probably regressed when we added the baked-in LetsEncrypt root cert
validation fallback code, which was testing against the wrong hostname
(the ultimate one, not the one which we were being asked to validate).
Fixes #16222
Change-Id: If014e395f830e2f87f056f588edacad5c15e91bc
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Diffstat (limited to 'control/controlhttp')
| -rw-r--r-- | control/controlhttp/client.go | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/control/controlhttp/client.go b/control/controlhttp/client.go index 869bcb599..1bb60d672 100644 --- a/control/controlhttp/client.go +++ b/control/controlhttp/client.go @@ -534,7 +534,7 @@ func (a *Dialer) tryURLUpgrade(ctx context.Context, u *url.URL, optAddr netip.Ad // Disable HTTP2, since h2 can't do protocol switching. tr.TLSClientConfig.NextProtos = []string{} tr.TLSNextProto = map[string]func(string, *tls.Conn) http.RoundTripper{} - tr.TLSClientConfig = tlsdial.Config(a.Hostname, a.HealthTracker, tr.TLSClientConfig) + tr.TLSClientConfig = tlsdial.Config(a.HealthTracker, tr.TLSClientConfig) if !tr.TLSClientConfig.InsecureSkipVerify { panic("unexpected") // should be set by tlsdial.Config } |
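Review bot: Dropping `a.Hostname` from the `tlsdial.Config` call leaves this hunk without any statement of where the expected server name for the connection now comes from, and the diffstat limited to control/controlhttp hides the matching change in net/tlsdial, so a reader of this file cannot tell whether `tr.TLSClientConfig.ServerName` must be set by the caller or whether the replacement verifier reads the per-connection name itself; a one-line comment above the call stating that expectation would settle it. The retained check `if !tr.TLSClientConfig.InsecureSkipVerify { panic("unexpected") }` only proves the standard verifier is switched off, which is the dangerous half of the invariant; if `tlsdial.Config` installs its own verifier as a callback on the config, assert that the callback is non-nil in the same place, and replace "unexpected" with a message naming the invariant that failed. Since the commit message attributes the regression to a lack of integration tests, a test that exercises `tryURLUpgrade` through an HTTPS CONNECT proxy presenting a certificate for the proxy's own name would keep the signature change from regressing the same way.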
