package netemx
import (
"context"
"crypto/tls"
"io"
"net"
"sync"
"time"
"github.com/ooni/netem"
"github.com/ooni/probe-cli/v3/internal/model"
"github.com/ooni/probe-cli/v3/internal/runtimex"
"github.com/ooni/probe-cli/v3/internal/testingx"
)
// BadSSLServerFactory is a [NetStackServerFactory] that instantiates
// a [NetStackServer] used for testing common TLS issues.
//
// The server it creates listens on TCP port 443 of the stack's IP address
// and deliberately misbehaves during the TLS handshake depending on the SNI
// sent by the client (see [tlsHandlerForBadSSLServer]). It exists so that
// tests can check how a client reacts to certificate validation failures;
// it is test scaffolding, not something to expose outside a test network.
type BadSSLServerFactory struct{}

// Compile-time check that the factory satisfies [NetStackServerFactory].
var _ NetStackServerFactory = &BadSSLServerFactory{}
// MustNewServer implements NetStackServerFactory.
//
// It returns a [*badSSLServer] bound to the given user-mode network stack
// and logging through env.Logger(). The returned server does not listen
// until its MustStart method is called.
func (*BadSSLServerFactory) MustNewServer(env NetStackServerFactoryEnv, stack *netem.UNetStack) NetStackServer {
	srv := &badSSLServer{}
	// start with an empty (non-nil) list so Close has nothing to do yet
	srv.closers = []io.Closer{}
	srv.logger = env.Logger()
	srv.unet = stack
	// srv.mu keeps its zero value, which is a ready-to-use mutex
	return srv
}
// badSSLServer is the [NetStackServer] created by [BadSSLServerFactory].
//
// The zero value is not usable: unet must be set (MustNewServer does this)
// before MustStart is called.
type badSSLServer struct {
	// closers holds the TLS listeners started by MustStart; Close drains it.
	closers []io.Closer

	// logger comes from the factory environment; no method in this file
	// reads it.
	logger model.Logger

	// mu serializes Close and MustStart, which both mutate closers.
	mu sync.Mutex

	// unet is the user-mode network stack the server listens on.
	unet *netem.UNetStack
}
// Close implements NetStackServer.
//
// It closes every listener started by MustStart. The method is safe for
// concurrent use (it serializes on srv.mu) and idempotent: after the first
// call the list of closers is empty, so later calls are no-ops. Errors from
// the individual closers are deliberately dropped, because a test has no
// sensible way to react to a listener that fails to close; Close therefore
// always returns nil.
func (srv *badSSLServer) Close() error {
	srv.mu.Lock()
	defer srv.mu.Unlock()

	// best effort: close each child listener, ignoring its error
	for idx := range srv.closers {
		_ = srv.closers[idx].Close()
	}

	// forget the listeners so that a second Close has nothing left to close
	srv.closers = []io.Closer{}
	return nil
}
// MustStart implements NetStackServer.
//
// It starts a TLS listener on port 443 of the stack's IP address in a
// background goroutine and records it so that Close can shut it down.
// If the stack's IP address does not parse, runtimex.Assert aborts the
// call. The method is safe for concurrent use because it serializes on
// srv.mu.
func (srv *badSSLServer) MustStart() {
	srv.mu.Lock()
	defer srv.mu.Unlock()

	// the listener binds to the stack's own address on the HTTPS port
	addr := net.ParseIP(srv.unet.IPAddress())
	runtimex.Assert(addr != nil, "invalid IP address")
	const httpsPort = 443
	listenAddr := &net.TCPAddr{IP: addr, Port: httpsPort}

	// the handler only tampers with the handshake; see tlsHandlerForBadSSLServer
	handler := &tlsHandlerForBadSSLServer{unet: srv.unet}
	server := testingx.MustNewTLSServerEx(listenAddr, srv.unet, handler)

	// remember the listener so that Close can release it
	srv.closers = append(srv.closers, server)
}
// tlsHandlerForBadSSLServer is a [testingx.TLSHandler] that only cares about the
// handshake and applies specific wrong configurations during it.
//
// Limitation: this handler does not care about what happens after the handshake
// and just lets the underlying [*testingx.TLSServer] close the TLS conn.
//
// Which misconfiguration is applied is selected by the SNI in the ClientHello;
// see GetCertificate for the list.
type tlsHandlerForBadSSLServer struct {
	// unet is the stack whose CA signs the "wrong host" and "expired"
	// certificates; the "untrusted root" case uses a throwaway CA instead.
	unet *netem.UNetStack
}
// GetCertificate implements testingx.TLSHandler.
//
// The certificate handed to the client depends on the SNI in the ClientHello:
//
//   - "wrong.host.badssl.com": a certificate issued by the stack's own CA but
//     for a different name, so hostname verification must fail;
//   - "expired.badssl.com": a certificate for the requested name generated
//     with "now" fixed at 2017-07-17, so it is already expired;
//   - "untrusted-root.badssl.com" and any other name (an empty SNI lands here
//     too): a certificate for the requested name issued by a freshly minted CA
//     that no client trusts, so chain validation must fail.
//
// The ctx and tcpConn arguments are not used.
func (thx *tlsHandlerForBadSSLServer) GetCertificate(
	ctx context.Context, tcpConn net.Conn, chi *tls.ClientHelloInfo) (*tls.Certificate, error) {
	sni := chi.ServerName

	if sni == "wrong.host.badssl.com" {
		// trusted CA, wrong name: "wrong-host" instead of "wrong.host"
		return thx.unet.MustNewTLSCertificate("wrong-host.badssl.com"), nil
	}

	if sni == "expired.badssl.com" {
		// freeze the clock in 2017 so the generated certificate is already expired
		expiredClock := func() time.Time {
			return time.Date(2017, time.July, 17, 0, 0, 0, 0, time.UTC)
		}
		return thx.unet.MustNewTLSCertificateWithTimeNow(expiredClock, sni), nil
	}

	// "untrusted-root.badssl.com" and everything else: a throwaway CA signs a
	// certificate for the requested name, so the chain cannot be validated
	// against the stack's real root.
	untrustedCA := netem.MustNewCA()
	return untrustedCA.MustNewTLSCertificate(sni), nil
}