Extend TLS options

* create proper tls config for https proxy dialer
* refactor common tls routines into tlsutil
* allow mTLS for upstream proxies
* customizable curve list

Author: Snawoot

dialer/upstream.go

@@ -16,46 +16,105 @@ import (
 	"sync"
 
 	xproxy "golang.org/x/net/proxy"
+
+	"github.com/SenseUnit/dumbproxy/tlsutil"
 )
 
 type HTTPProxyDialer struct {
-	address  string
-	tls      bool
-	userinfo *url.Userinfo
-	next     Dialer
+	address   string
+	tlsConfig *tls.Config
+	userinfo  *url.Userinfo
+	next      Dialer
 }
 
-func NewHTTPProxyDialer(address string, tls bool, userinfo *url.Userinfo, next LegacyDialer) *HTTPProxyDialer {
+func NewHTTPProxyDialer(address string, tlsConfig *tls.Config, userinfo *url.Userinfo, next LegacyDialer) *HTTPProxyDialer {
 	return &HTTPProxyDialer{
-		address:  address,
-		tls:      tls,
-		next:     MaybeWrapWithContextDialer(next),
-		userinfo: userinfo,
+		address:   address,
+		tlsConfig: tlsConfig,
+		next:      MaybeWrapWithContextDialer(next),
+		userinfo:  userinfo,
 	}
 }
 
 func HTTPProxyDialerFromURL(u *url.URL, next xproxy.Dialer) (xproxy.Dialer, error) {
 	host := u.Hostname()
 	port := u.Port()
-	tls := false
+	params, err := url.ParseQuery(u.RawQuery)
+	if err != nil {
+		return nil, fmt.Errorf("unable to parse query string of proxy specification URL %q: %w", u.String(), err)
+	}
 
+	var tlsConfig *tls.Config
 	switch strings.ToLower(u.Scheme) {
 	case "http":
 		if port == "" {
 			port = "80"
 		}
 	case "https":
-		tls = true
 		if port == "" {
 			port = "443"
 		}
+		tlsConfig = &tls.Config{
+			ServerName: host,
+		}
+		if params.Has("cafile") {
+			roots, err := tlsutil.LoadCAfile(params.Get("cafile"))
+			if err != nil {
+				return nil, err
+			}
+			tlsConfig.RootCAs = roots
+		}
+		if params.Has("sni") {
+			tlsConfig.ServerName = params.Get("sni")
+			tlsConfig.InsecureSkipVerify = true
+			tlsConfig.VerifyConnection = tlsutil.ExpectPeerName(host, tlsConfig.RootCAs)
+		}
+		if params.Has("peername") {
+			tlsConfig.InsecureSkipVerify = true
+			tlsConfig.VerifyConnection = tlsutil.ExpectPeerName(params.Get("peername"), tlsConfig.RootCAs)
+		}
+		if params.Has("cert") {
+			cert, err := tls.LoadX509KeyPair(params.Get("cert"), params.Get("key"))
+			if err != nil {
+				return nil, err
+			}
+			tlsConfig.Certificates = []tls.Certificate{cert}
+		}
+		if params.Has("ciphers") {
+			cipherList, err := tlsutil.ParseCipherList(params.Get("ciphers"))
+			if err != nil {
+				return nil, err
+			}
+			tlsConfig.CipherSuites = cipherList
+		}
+		if params.Has("curves") {
+			curveList, err := tlsutil.ParseCurveList(params.Get("curves"))
+			if err != nil {
+				return nil, err
+			}
+			tlsConfig.CurvePreferences = curveList
+		}
+		if params.Has("min-tls-version") {
+			ver, err := tlsutil.ParseVersion(params.Get("min-tls-version"))
+			if err != nil {
+				return nil, err
+			}
+			tlsConfig.MinVersion = ver
+		}
+		if params.Has("max-tls-version") {
+			ver, err := tlsutil.ParseVersion(params.Get("max-tls-version"))
+			if err != nil {
+				return nil, err
+			}
+			tlsConfig.MaxVersion = ver
+		}
 	default:
 		return nil, errors.New("unsupported proxy type")
 	}
 
 	address := net.JoinHostPort(host, port)
 
-	return NewHTTPProxyDialer(address, tls, u.User, next), nil
+	return NewHTTPProxyDialer(address, tlsConfig, u.User, next), nil
 }
 
 func (d *HTTPProxyDialer) Dial(network, address string) (net.Conn, error) {
@@ -72,14 +131,8 @@ func (d *HTTPProxyDialer) DialContext(ctx context.Context, network, address stri
 	if err != nil {
 		return nil, fmt.Errorf("proxy dialer is unable to make connection: %w", err)
 	}
-	if d.tls {
-		hostname, _, err := net.SplitHostPort(d.address)
-		if err != nil {
-			hostname = address
-		}
-		conn = tls.Client(conn, &tls.Config{
-			ServerName: hostname,
-		})
+	if d.tlsConfig != nil {
+		conn = tls.Client(conn, d.tlsConfig)
 	}
 
 	stopGuardEvent := make(chan struct{})

main.go

@@ -4,14 +4,12 @@ import (
 	"bytes"
 	"crypto/rand"
 	"crypto/tls"
-	"crypto/x509"
 	"encoding/base64"
 	"encoding/binary"
 	"encoding/hex"
 	"errors"
 	"flag"
 	"fmt"
-	"io/ioutil"
 	"log"
 	"net"
 	"net/http"
@@ -37,6 +35,7 @@ import (
 	"github.com/SenseUnit/dumbproxy/forward"
 	"github.com/SenseUnit/dumbproxy/handler"
 	clog "github.com/SenseUnit/dumbproxy/log"
+	"github.com/SenseUnit/dumbproxy/tlsutil"
 	proxyproto "github.com/pires/go-proxyproto"
 
 	_ "golang.org/x/crypto/x509roots/fallback"
@@ -118,61 +117,16 @@ func (l *PrefixList) Value() []netip.Prefix {
 type TLSVersionArg uint16
 
 func (a *TLSVersionArg) Set(s string) error {
-	var ver uint16
-	switch strings.ToUpper(s) {
-	case "TLS10":
-		ver = tls.VersionTLS10
-	case "TLS11":
-		ver = tls.VersionTLS11
-	case "TLS12":
-		ver = tls.VersionTLS12
-	case "TLS13":
-		ver = tls.VersionTLS13
-	case "TLS1.0":
-		ver = tls.VersionTLS10
-	case "TLS1.1":
-		ver = tls.VersionTLS11
-	case "TLS1.2":
-		ver = tls.VersionTLS12
-	case "TLS1.3":
-		ver = tls.VersionTLS13
-	case "10":
-		ver = tls.VersionTLS10
-	case "11":
-		ver = tls.VersionTLS11
-	case "12":
-		ver = tls.VersionTLS12
-	case "13":
-		ver = tls.VersionTLS13
-	case "1.0":
-		ver = tls.VersionTLS10
-	case "1.1":
-		ver = tls.VersionTLS11
-	case "1.2":
-		ver = tls.VersionTLS12
-	case "1.3":
-		ver = tls.VersionTLS13
-	case "":
-	default:
-		return fmt.Errorf("unknown TLS version %q", s)
+	ver, err := tlsutil.ParseVersion(s)
+	if err != nil {
+		return err
 	}
 	*a = TLSVersionArg(ver)
 	return nil
 }
 
 func (a *TLSVersionArg) String() string {
-	switch *a {
-	case tls.VersionTLS10:
-		return "TLS10"
-	case tls.VersionTLS11:
-		return "TLS11"
-	case tls.VersionTLS12:
-		return "TLS12"
-	case tls.VersionTLS13:
-		return "TLS13"
-	default:
-		return fmt.Sprintf("%#04x", *a)
-	}
+	return tlsutil.FormatVersion(uint16(*a))
 }
 
 type proxyArg struct {
@@ -224,7 +178,9 @@ type CLIArgs struct {
 	verbosity                 int
 	cert, key, cafile         string
 	list_ciphers              bool
+	list_curves               bool
 	ciphers                   string
+	curves                    string
 	disableHTTP2              bool
 	showVersion               bool
 	autocert                  bool
@@ -292,7 +248,9 @@ func parse_args() CLIArgs {
 	flag.StringVar(&args.key, "key", "", "key for TLS certificate")
 	flag.StringVar(&args.cafile, "cafile", "", "CA file to authenticate clients with certificates")
 	flag.BoolVar(&args.list_ciphers, "list-ciphers", false, "list ciphersuites")
+	flag.BoolVar(&args.list_curves, "list-curves", false, "list key exchange curves")
 	flag.StringVar(&args.ciphers, "ciphers", "", "colon-separated list of enabled ciphers")
+	flag.StringVar(&args.curves, "curves", "", "colon-separated list of enabled key exchange curves")
 	flag.BoolVar(&args.disableHTTP2, "disable-http2", false, "disable HTTP2")
 	flag.BoolVar(&args.showVersion, "version", false, "show program version and exit")
 	flag.BoolVar(&args.autocert, "autocert", false, "issue TLS certificates automatically")
@@ -374,6 +332,11 @@ func run() int {
 		return 0
 	}
 
+	if args.list_curves {
+		list_curves()
+		return 0
+	}
+
 	if args.passwd != "" {
 		if err := passwd(args.passwd, args.passwdCost, args.positionalArgs...); err != nil {
 			log.Fatalf("can't set password: %v", err)
@@ -570,7 +533,8 @@ func run() int {
 
 	if args.cert != "" {
 		cfg, err1 := makeServerTLSConfig(args.cert, args.key, args.cafile,
-			args.ciphers, uint16(args.minTLSVersion), uint16(args.maxTLSVersion), !args.disableHTTP2)
+			args.ciphers, args.curves,
+			uint16(args.minTLSVersion), uint16(args.maxTLSVersion), !args.disableHTTP2)
 		if err1 != nil {
 			mainLogger.Critical("TLS config construction failed: %v", err1)
 			return 3
@@ -629,7 +593,7 @@ func run() int {
 			}()
 		}
 		cfg := m.TLSConfig()
-		cfg, err = updateServerTLSConfig(cfg, args.cafile, args.ciphers,
+		cfg, err = updateServerTLSConfig(cfg, args.cafile, args.ciphers, args.curves,
 			uint16(args.minTLSVersion), uint16(args.maxTLSVersion), !args.disableHTTP2)
 		if err != nil {
 			mainLogger.Critical("TLS config construction failed: %v", err)
@@ -657,7 +621,7 @@ func run() int {
 	return 0
 }
 
-func makeServerTLSConfig(certfile, keyfile, cafile, ciphers string, minVer, maxVer uint16, h2 bool) (*tls.Config, error) {
+func makeServerTLSConfig(certfile, keyfile, cafile, ciphers, curves string, minVer, maxVer uint16, h2 bool) (*tls.Config, error) {
 	cfg := tls.Config{
 		MinVersion: minVer,
 		MaxVersion: maxVer,
@@ -668,18 +632,21 @@ func makeServerTLSConfig(certfile, keyfile, cafile, ciphers string, minVer, maxV
 	}
 	cfg.Certificates = []tls.Certificate{cert}
 	if cafile != "" {
-		roots := x509.NewCertPool()
-		certs, err := ioutil.ReadFile(cafile)
+		roots, err := tlsutil.LoadCAfile(cafile)
 		if err != nil {
 			return nil, err
 		}
-		if ok := roots.AppendCertsFromPEM(certs); !ok {
-			return nil, errors.New("Failed to load CA certificates")
-		}
 		cfg.ClientCAs = roots
 		cfg.ClientAuth = tls.VerifyClientCertIfGiven
 	}
-	cfg.CipherSuites = makeCipherList(ciphers)
+	cfg.CipherSuites, err = tlsutil.ParseCipherList(ciphers)
+	if err != nil {
+		return nil, err
+	}
+	cfg.CurvePreferences, err = tlsutil.ParseCurveList(curves)
+	if err != nil {
+		return nil, err
+	}
 	if h2 {
 		cfg.NextProtos = []string{"h2", "http/1.1"}
 	} else {
@@ -688,20 +655,24 @@ func makeServerTLSConfig(certfile, keyfile, cafile, ciphers string, minVer, maxV
 	return &cfg, nil
 }
 
-func updateServerTLSConfig(cfg *tls.Config, cafile, ciphers string, minVer, maxVer uint16, h2 bool) (*tls.Config, error) {
+func updateServerTLSConfig(cfg *tls.Config, cafile, ciphers, curves string, minVer, maxVer uint16, h2 bool) (*tls.Config, error) {
 	if cafile != "" {
-		roots := x509.NewCertPool()
-		certs, err := ioutil.ReadFile(cafile)
+		roots, err := tlsutil.LoadCAfile(cafile)
 		if err != nil {
 			return nil, err
 		}
-		if ok := roots.AppendCertsFromPEM(certs); !ok {
-			return nil, errors.New("Failed to load CA certificates")
-		}
 		cfg.ClientCAs = roots
 		cfg.ClientAuth = tls.VerifyClientCertIfGiven
 	}
-	cfg.CipherSuites = makeCipherList(ciphers)
+	var err error
+	cfg.CipherSuites, err = tlsutil.ParseCipherList(ciphers)
+	if err != nil {
+		return nil, err
+	}
+	cfg.CurvePreferences, err = tlsutil.ParseCurveList(curves)
+	if err != nil {
+		return nil, err
+	}
 	if h2 {
 		cfg.NextProtos = []string{"h2", "http/1.1", "acme-tls/1"}
 	} else {
@@ -712,33 +683,15 @@ func updateServerTLSConfig(cfg *tls.Config, cafile, ciphers string, minVer, maxV
 	return cfg, nil
 }
 
-func makeCipherList(ciphers string) []uint16 {
-	if ciphers == "" {
-		return nil
-	}
-
-	cipherIDs := make(map[string]uint16)
+func list_ciphers() {
 	for _, cipher := range tls.CipherSuites() {
-		cipherIDs[cipher.Name] = cipher.ID
-	}
-
-	cipherNameList := strings.Split(ciphers, ":")
-	cipherIDList := make([]uint16, 0, len(cipherNameList))
-
-	for _, name := range cipherNameList {
-		id, ok := cipherIDs[name]
-		if !ok {
-			log.Printf("WARNING: Unknown cipher \"%s\"", name)
-		}
-		cipherIDList = append(cipherIDList, id)
+		fmt.Println(cipher.Name)
 	}
-
-	return cipherIDList
 }
 
-func list_ciphers() {
-	for _, cipher := range tls.CipherSuites() {
-		fmt.Println(cipher.Name)
+func list_curves() {
+	for _, curve := range tlsutil.Curves() {
+		fmt.Println(curve.String())
 	}
 }