Dialer: add optional method NetDialTLSContext #746

lluiscampos · 2021-12-10T09:53:06Z

Fixes issue: #745

With the previous interface, NetDial and NetDialContext were used for
both TLS and non-TLS TCP connections, and afterwards TLSClientConfig was
used to do the TLS handshake.

While this API works for most cases, it prevents from using more advance
authentication methods during the TLS handshake, as this is out of the
control of the user.

This commits introduces another a new dial method, NetDialTLSContext,
which is used when dialing for TLS/TCP. The code then assumes that the
handshake is done there and TLSClientConfig is not used.

This API change is fully backwards compatible and it better aligns with
net/http.Transport API, which has these two dial flavors. See:
https://pkg.go.dev/net/http#Transport

lluiscampos · 2021-12-10T10:04:55Z

The first commit is unrelated to the issue at hand, but otherwise the CI was failing on gofmt for latest Go version 1.17.

By switching to the "enhanced" API for websocket.Dialer from mendersoftware's fork. There is a limitation in current gorilla/websocket.Dialer API in that the user cannot specify a dial method for TLS/TCP connections. The TLS handshake is always done by the library based on user's TLSClientConfig, but that is not enough for Mender as we need it to be done via OpenSSL (aka our dial wrapper for TLS) so that advance auth features like getting the keys from HSM. This commit switches to mendersoftware's fork and modifies the code accordingly (one line change!). The patch has been submitted upstream. See: * gorilla/websocket#745 * gorilla/websocket#746 Changelog: None No changelog, commit 84204a3 claims to support websockets, this commit just fixes a bug there which has not been released. Signed-off-by: Lluis Campos <lluis.campos@northern.tech>

garyburd · 2022-01-01T16:15:09Z

Remove DialTLS field. The corresponding field in net/http Transport is deprecated, so there's no need to add it here.
Convert map of tests to slice of tests for consistency with other tests.

	tests := []struct {
                name              string 
		server            *httptest.Server // server to use
		netDial           func(network, addr string) (net.Conn, error)
		netDialContext    func(ctx context.Context, network, addr string) (net.Conn, error)
		netDialTLS        func(network, addr string) (net.Conn, error)
		netDialTLSContext func(ctx context.Context, network, addr string) (net.Conn, error)
		tlsClientConfig   *tls.Config
	}{
		 name: "HTTP server, all NetDial* defined, shall use NetDialContext",
	         server: server,
                 …

Fixes issue: gorilla#745 With the previous interface, NetDial and NetDialContext were used for both TLS and non-TLS TCP connections, and afterwards TLSClientConfig was used to do the TLS handshake. While this API works for most cases, it prevents from using more advance authentication methods during the TLS handshake, as this is out of the control of the user. This commits introduces another a new dial method, NetDialTLSContext, which is used when dialing for TLS/TCP. The code then assumes that the handshake is done there and TLSClientConfig is not used. This API change is fully backwards compatible and it better aligns with net/http.Transport API, which has these two dial flavors. See: https://pkg.go.dev/net/http#Transport Signed-off-by: Lluis Campos <lluis.campos@northern.tech>

lluiscampos · 2022-01-03T09:22:18Z

Thanks @garyburd for your feedback. I updated now the pull request following your suggestion. I updated the commit message accordingly too.

Remove DialTLS field. The corresponding field in net/http Transport is deprecated, so there's no need to add it here.

As Dialer already had Dial and DialContext I thought it was good to add the two... but being this a new field, makes sense not to add the deprecated one.

* Convert map of tests to slice of tests for consistency with other tests.

Roger that 👍

garyburd · 2022-01-04T02:01:02Z

Thank you for your contribution. 👍 for the included test.

Now that upstream have merged our PR. Slightly modify our code accordingly. See: * gorilla/websocket#745 * gorilla/websocket#746 Changelog: None Signed-off-by: Lluis Campos <lluis.campos@northern.tech>

lluiscampos force-pushed the issue-745-net-dial-tls branch from f50b198 to e87c21b Compare December 10, 2021 10:02

lluiscampos mentioned this pull request Dec 10, 2021

MEN-5273: proxy: Fix websocket connection for advanced auth settings mendersoftware/mender#907

Merged

lluiscampos force-pushed the issue-745-net-dial-tls branch from e87c21b to 18650c5 Compare January 3, 2022 09:18

lluiscampos changed the title ~~Dialer: add optional methods NetDialTLS and NetDialTLSContext~~ Dialer: add optional method NetDialTLSContext Jan 3, 2022

lluiscampos mentioned this pull request Jan 3, 2022

[feature] Dialer: Support for custom NetDial for TLS #745

Closed

garyburd merged commit 9111bb8 into gorilla:master Jan 4, 2022

lluiscampos mentioned this pull request Jan 10, 2022

Update to latest gorilla/websocket library mendersoftware/mender#921

Merged

lluiscampos deleted the issue-745-net-dial-tls branch October 21, 2022 17:47

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Dialer: add optional method NetDialTLSContext #746

Dialer: add optional method NetDialTLSContext #746

lluiscampos commented Dec 10, 2021 •

edited

lluiscampos commented Dec 10, 2021

garyburd commented Jan 1, 2022

lluiscampos commented Jan 3, 2022

garyburd commented Jan 4, 2022

Dialer: add optional method NetDialTLSContext #746

Dialer: add optional method NetDialTLSContext #746

Conversation

lluiscampos commented Dec 10, 2021 • edited

lluiscampos commented Dec 10, 2021

garyburd commented Jan 1, 2022

lluiscampos commented Jan 3, 2022

garyburd commented Jan 4, 2022

lluiscampos commented Dec 10, 2021 •

edited