Add/fix support for various TLS passthrough options for Websockets

Previously, clientCertificateHostMap was explicitly not supported,
while extraCACertificates was quietly ignored by remote clients, and
ignoreHostHttpsErrors ignored only certificate issues, not other TLS
configuration problems.

With this change, the full set of passthrough connection options should
be handled the same way in both cases.

Author: pimterry

src/rules/requests/request-handler-definitions.ts

@@ -771,8 +771,8 @@ export class PassThroughHandlerDefinition extends Serializable implements Reques
         this.proxyConfig = options.proxyConfig;
         this.simulateConnectionErrors = !!options.simulateConnectionErrors;
 
-        this.clientCertificateHostMap = options.clientCertificateHostMap || {};
         this.extraCACertificates = options.trustAdditionalCAs || [];
+        this.clientCertificateHostMap = options.clientCertificateHostMap || {};
 
         if (options.beforeRequest && options.transformRequest && !_.isEmpty(options.transformRequest)) {
             throw new Error("BeforeRequest and transformRequest options are mutually exclusive");
@@ -874,8 +874,9 @@ export class PassThroughHandlerDefinition extends Serializable implements Reques
         return {
             type: this.type,
             ...this.forwarding ? {
-                forwardToLocation: this.forwarding.targetHost,
-                forwarding: this.forwarding
+                forwarding: this.forwarding,
+                // Backward compat:
+                forwardToLocation: this.forwarding.targetHost
             } : {},
             proxyConfig: serializeProxyConfig(this.proxyConfig, channel),
             lookupOptions: this.lookupOptions,

src/rules/requests/request-handlers.ts

@@ -746,9 +746,11 @@ export class PassThroughHandler extends PassThroughHandlerDefinition {
                 lookup: getDnsLookupFunction(this.lookupOptions) as typeof dns.lookup,
                 // ^ Cast required to handle __promisify__ type hack in the official Node types
                 agent,
+
                 // TLS options:
                 ...UPSTREAM_TLS_OPTIONS,
-                minVersion: strictHttpsChecks ? tls.DEFAULT_MIN_VERSION : 'TLSv1', // Allow TLSv1, if !strict
+                // Allow TLSv1, if !strict
+                minVersion: strictHttpsChecks ? tls.DEFAULT_MIN_VERSION : 'TLSv1',
                 rejectUnauthorized: strictHttpsChecks,
                 ...clientCert,
                 ...caConfig

src/rules/websockets/websocket-handler-definitions.ts

@@ -6,7 +6,8 @@ import {
     ClientServerChannel,
     Serializable,
     SerializedProxyConfig,
-    serializeProxyConfig
+    serializeProxyConfig,
+    serializeBuffer
 } from "../../serialization/serialization";
 
 import { Explainable, Headers } from "../../types";
@@ -52,6 +53,7 @@ export interface SerializedPassThroughWebSocketData {
     proxyConfig?: SerializedProxyConfig;
     ignoreHostCertificateErrors?: string[] | boolean; // Doesn't match option name, backward compat
     extraCACertificates?: Array<{ cert: string } | { certPath: string }>;
+    clientCertificateHostMap?: { [host: string]: { pfx: string, passphrase?: string } };
 }
 
 export class PassThroughWebSocketHandlerDefinition extends Serializable implements WebSocketHandlerDefinition {
@@ -63,17 +65,15 @@ export class PassThroughWebSocketHandlerDefinition extends Serializable implemen
 
     public readonly forwarding?: ForwardingOptions;
     public readonly ignoreHostHttpsErrors: string[] | boolean = [];
+    public readonly clientCertificateHostMap: {
+        [host: string]: { pfx: Buffer, passphrase?: string }
+    };
 
     public readonly extraCACertificates: Array<{ cert: string | Buffer } | { certPath: string }> = [];
 
     constructor(options: PassThroughWebSocketHandlerOptions = {}) {
         super();
 
-        this.ignoreHostHttpsErrors = options.ignoreHostHttpsErrors || [];
-        if (!Array.isArray(this.ignoreHostHttpsErrors) && typeof this.ignoreHostHttpsErrors !== 'boolean') {
-            throw new Error("ignoreHostHttpsErrors must be an array or a boolean");
-        }
-
         // If a location is provided, and it's not a bare hostname, it must be parseable
         const { forwarding } = options;
         if (forwarding && forwarding.targetHost.includes('/')) {
@@ -87,10 +87,19 @@ export class PassThroughWebSocketHandlerDefinition extends Serializable implemen
                 `);
             }
         }
+
         this.forwarding = options.forwarding;
 
+        this.ignoreHostHttpsErrors = options.ignoreHostHttpsErrors || [];
+        if (!Array.isArray(this.ignoreHostHttpsErrors) && typeof this.ignoreHostHttpsErrors !== 'boolean') {
+            throw new Error("ignoreHostHttpsErrors must be an array or a boolean");
+        }
+
         this.lookupOptions = options.lookupOptions;
         this.proxyConfig = options.proxyConfig;
+
+        this.extraCACertificates = options.trustAdditionalCAs || [];
+        this.clientCertificateHostMap = options.clientCertificateHostMap || {};
     }
 
     explain() {
@@ -120,6 +129,9 @@ export class PassThroughWebSocketHandlerDefinition extends Serializable implemen
                     return certObject;
                 }
             }),
+            clientCertificateHostMap: _.mapValues(this.clientCertificateHostMap,
+                ({ pfx, passphrase }) => ({ pfx: serializeBuffer(pfx), passphrase })
+            )
         };
     }
 }

src/rules/websockets/websocket-handlers.ts

@@ -8,6 +8,7 @@ import * as WebSocket from 'ws';
 
 import {
     ClientServerChannel,
+    deserializeBuffer,
     deserializeProxyConfig
 } from "../../serialization/serialization";
 
@@ -296,12 +297,18 @@ export class PassThroughWebSocketHandler extends PassThroughWebSocketHandlerDefi
 
         const effectivePort = getEffectivePort(parsedUrl);
 
-        const checkServerCertificate = shouldUseStrictHttps(
+        const strictHttpsChecks = shouldUseStrictHttps(
             parsedUrl.hostname!,
             effectivePort,
             this.ignoreHostHttpsErrors
         );
 
+        // Use a client cert if it's listed for the host+port or whole hostname
+        const hostWithPort = `${parsedUrl.hostname}:${effectivePort}`;
+        const clientCert = this.clientCertificateHostMap[hostWithPort] ||
+            this.clientCertificateHostMap[parsedUrl.hostname!] ||
+            {};
+
         const trustedCerts = await this.trustedCACertificates();
         const caConfig = trustedCerts
             ? { ca: trustedCerts }
@@ -334,7 +341,10 @@ export class PassThroughWebSocketHandler extends PassThroughWebSocketHandlerDefi
 
             // TLS options:
             ...UPSTREAM_TLS_OPTIONS,
-            rejectUnauthorized: checkServerCertificate,
+            // Allow TLSv1, if !strict:
+            minVersion: strictHttpsChecks ? tls.DEFAULT_MIN_VERSION : 'TLSv1',
+            rejectUnauthorized: strictHttpsChecks,
+            ...clientCert,
             ...caConfig
         } as WebSocket.ClientOptions & { lookup: any, maxPayload: number });
 
@@ -387,9 +397,12 @@ export class PassThroughWebSocketHandler extends PassThroughWebSocketHandlerDefi
         // By default, we assume we just need to assign the right prototype
         return _.create(this.prototype, {
             ...data,
-            extraCACertificates: data.extraCACertificates || [],
             proxyConfig: deserializeProxyConfig(data.proxyConfig, channel, ruleParams),
-            ignoreHostHttpsErrors: data.ignoreHostCertificateErrors
+            extraCACertificates: data.extraCACertificates || [],
+            ignoreHostHttpsErrors: data.ignoreHostCertificateErrors,
+            clientCertificateHostMap: _.mapValues(data.clientCertificateHostMap,
+                ({ pfx, passphrase }) => ({ pfx: deserializeBuffer(pfx), passphrase })
+            ),
         });
     }
 }