Documentation ¶
Overview ¶
Package sni provides logic to work with TLS SNI (Server Name Indication) fields.
Index ¶
- Constants
- Variables
- func CipherSuites(u []uint16) []string
- func CompressionMethods(u []uint8) []string
- func PeekClientHelloInfo(ctx context.Context, conn net.Conn) (*tls.ClientHelloInfo, net.Conn, error)
- func ReadClientHelloInfo(ctx context.Context, f io.Reader) (*tls.ClientHelloInfo, error)
- func SignatureAlgos(u []SignatureScheme) []string
- func SupportedVersions(u []uint16) []string
- func VersionName(u uint16) string
- type ClientHelloInfo
- type Conn
- type CurveID
- type Dispatcher
- func (d *Dispatcher) Accept() (net.Conn, error)
- func (d *Dispatcher) Addr() net.Addr
- func (d *Dispatcher) Cancel()
- func (d *Dispatcher) Cancelled() bool
- func (d *Dispatcher) Close() error
- func (d *Dispatcher) Err() error
- func (d *Dispatcher) Serve(ln net.Listener) error
- func (d *Dispatcher) Shutdown(context.Context) error
- func (d *Dispatcher) Wait() error
- type Handler
- type SignatureScheme
Constants ¶
// TLS/SSL protocol version identifiers as they appear on the wire.
//
// NOTE(review): they are listed so that versions seen in a ClientHello can
// be named (see VersionName, SupportedVersions); presence here is not an
// endorsement. TLS 1.0 and 1.1 are deprecated by RFC 8996.
const (
	VersionTLS10 = 0x0301
	VersionTLS11 = 0x0302
	VersionTLS12 = 0x0303
	VersionTLS13 = 0x0304

	// Deprecated: SSLv3 is cryptographically broken, and is no longer
	// supported by this package. See golang.org/issue/32716.
	VersionSSL30 = 0x0300
)
// Cipher suite identifiers as they appear on the wire.
//
// NOTE(review): the RC4, 3DES and CBC/SHA-1 suites below are legacy and
// widely considered weak. They are enumerated so that a ClientHello offering
// them can be named (see CipherSuites), not as a recommendation to enable them.
const (
	// TLS 1.0 - 1.2 cipher suites.
	TLS_RSA_WITH_RC4_128_SHA                      uint16 = 0x0005
	TLS_RSA_WITH_3DES_EDE_CBC_SHA                 uint16 = 0x000a
	TLS_RSA_WITH_AES_128_CBC_SHA                  uint16 = 0x002f
	TLS_RSA_WITH_AES_256_CBC_SHA                  uint16 = 0x0035
	TLS_RSA_WITH_AES_128_CBC_SHA256               uint16 = 0x003c
	TLS_RSA_WITH_AES_128_GCM_SHA256               uint16 = 0x009c
	TLS_RSA_WITH_AES_256_GCM_SHA384               uint16 = 0x009d
	TLS_ECDHE_ECDSA_WITH_RC4_128_SHA              uint16 = 0xc007
	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA          uint16 = 0xc009
	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA          uint16 = 0xc00a
	TLS_ECDHE_RSA_WITH_RC4_128_SHA                uint16 = 0xc011
	TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA           uint16 = 0xc012
	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA            uint16 = 0xc013
	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA            uint16 = 0xc014
	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256       uint16 = 0xc023
	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256         uint16 = 0xc027
	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256         uint16 = 0xc02f
	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256       uint16 = 0xc02b
	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384         uint16 = 0xc030
	TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384       uint16 = 0xc02c
	TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256   uint16 = 0xcca8
	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 uint16 = 0xcca9

	// TLS 1.3 cipher suites.
	TLS_AES_128_GCM_SHA256       uint16 = 0x1301
	TLS_AES_256_GCM_SHA384       uint16 = 0x1302
	TLS_CHACHA20_POLY1305_SHA256 uint16 = 0x1303

	// TLS_FALLBACK_SCSV isn't a standard cipher suite but an indicator
	// that the client is doing version fallback. See RFC 7507.
	TLS_FALLBACK_SCSV uint16 = 0x5600

	// Legacy names for the corresponding cipher suites with the correct _SHA256
	// suffix, retained for backward compatibility.
	TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305   = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
)
Variables ¶
// Sentinel errors returned by this package. They alias io/fs values, so
// compare with errors.Is rather than ==.
var (
	// ErrClosed is returned after Close() or Cancel().
	ErrClosed = fs.ErrClosed
	// ErrInvalid is returned when arguments aren't valid.
	ErrInvalid = fs.ErrInvalid
	// ErrExists is returned when something is already created.
	// Note the underlying io/fs name is ErrExist (no trailing "s").
	ErrExists = fs.ErrExist
)
Functions ¶
func CipherSuites ¶
CipherSuites returns the names of the given cipher suite identifiers.
func CompressionMethods ¶
CompressionMethods returns the names of the given compression methods. Each name is either Compression None or Unknown.
func PeekClientHelloInfo ¶
func PeekClientHelloInfo(ctx context.Context, conn net.Conn) (*tls.ClientHelloInfo, net.Conn, error)
PeekClientHelloInfo extracts the ClientHelloInfo from a connection while still allowing a later handler to have complete, untouched access to the stream; the returned net.Conn should be used in place of conn from then on. Because this reads from conn before any handshake has taken place, ctx should carry a deadline or timeout so that a client that never sends a ClientHello cannot hold the connection (and the goroutine waiting on it) open indefinitely.
func ReadClientHelloInfo ¶
ReadClientHelloInfo mimics a TLS connection to let Go's tls.Server parse the ClientHelloInfo for us - https://www.agwa.name/blog/post/writing_an_sni_proxy_in_go
func SignatureAlgos ¶
func SignatureAlgos(u []SignatureScheme) []string
SignatureAlgos will return the names of the supported Signature Algorithms
func SupportedVersions ¶
SupportedVersions returns the names of the given TLS/SSL version identifiers (see VersionName).
func VersionName ¶
VersionName returns the name of the given TLS/SSL version identifier.
Types ¶
type ClientHelloInfo ¶
// ClientHelloInfo holds the fields of a parsed ClientHello message.
// It appears to mirror crypto/tls.ClientHelloInfo -- confirm against the parser.
type ClientHelloInfo struct {
	// Vers is the version field carried in the ClientHello itself. TLS 1.3
	// clients are expected to put 0x0303 here and advertise 1.3 via
	// SupportedVersions (RFC 8446, Section 4.1.2) -- TODO confirm.
	Vers uint16
	// CipherSuites lists the cipher suite identifiers offered by the client;
	// see the CipherSuites function for names.
	CipherSuites []uint16
	// CompressionMethods lists the offered compression methods; see the
	// CompressionMethods function for names.
	CompressionMethods []uint8
	// ServerName is the SNI value sent by the client. It is unauthenticated,
	// attacker-controlled plaintext and must be validated before it is used
	// to select a backend, certificate or any file/map key.
	ServerName string
	// SupportedSignatureAlgorithms presumably comes from the
	// signature_algorithms extension; see SignatureAlgos for names.
	SupportedSignatureAlgorithms []SignatureScheme
	// SupportedSignatureAlgorithmsCert presumably comes from the
	// signature_algorithms_cert extension.
	SupportedSignatureAlgorithmsCert []SignatureScheme
	// ALPNProtocols lists the ALPN protocol names offered by the client.
	ALPNProtocols []string
	// SupportedVersions presumably comes from the supported_versions
	// extension; see the SupportedVersions function for names.
	SupportedVersions []uint16
	// contains filtered or unexported fields
}
ClientHelloInfo contains information from a ClientHello message in order to guide application logic in the GetCertificate and GetConfigForClient callbacks.
func GetInfo ¶
func GetInfo(buf []byte) *ClientHelloInfo
GetInfo returns a pointer to a ClientHelloInfo derived from buf. (GetInfo is not listed in the Index above.)
type CurveID ¶
// CurveID is the type of a TLS identifier for an elliptic curve (the IANA
// "Supported Groups" registry, tls-parameters-8).
type CurveID uint16
CurveID is the type of a TLS identifier for an elliptic curve. See http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-8
type Dispatcher ¶
// Dispatcher screens TCP connections by their ClientHello (SNI) and either
// hands them to a dedicated Handler or passes them through Accept() to the
// tls.Listener wrapping it.
type Dispatcher struct {
	// Logger to report errors.
	Logger slog.Logger

	// Context to be used as parent of the internal Canceller.
	Context context.Context

	// GetHandler tells the Dispatcher if the connection associated with
	// a given ClientHelloInfo should be passed to a dedicated Handler
	// instead of passing it to the outer tls.Listener.
	//
	// NOTE(review): the ClientHelloInfo (ServerName in particular) is
	// client-supplied plaintext that no handshake has authenticated yet;
	// validate it before using it to choose backends, certificates or keys.
	GetHandler func(*tls.ClientHelloInfo) Handler

	// OnAccept is optionally used to configure the inbound net.Conn.
	OnAccept func(net.Conn) (net.Conn, error)

	// OnError lets the user decide whether to shut down on critical errors
	// or not; it also allows the user to act accordingly.
	OnError func(err error) bool

	// contains filtered or unexported fields
}
The Dispatcher screens TCP connections and uses SNI to decide if they should be handled by a dedicated system or passed to the tls.Listener using it via Accept(). Note that the SNI value is sent by the client in the clear before any authentication has happened, so GetHandler must treat it as untrusted input and validate it before routing on it.
dispatcher := &sni.Dispatcher{ GetHandler: func(chi *tls.ClientHelloInfo) sni.Handler { ..... }, }
conf := &tls.Config{...} lsn, err := tls.NewListener(dispatcher, conf) // dispatcher.Serve(ln) must also be started on the underlying net.Listener
func (*Dispatcher) Accept ¶
func (d *Dispatcher) Accept() (net.Conn, error)
Accept returns the next connection that was not dispatched to a Handler by GetHandler; this is the net.Listener side consumed by tls.NewListener.
func (*Dispatcher) Addr ¶
func (d *Dispatcher) Addr() net.Addr
Addr returns the address the underlying listener is using
func (*Dispatcher) Cancel ¶
func (d *Dispatcher) Cancel()
Cancel initiates a shutdown. It prevents new dispatches and cancels existing workers, but the responsibility of closing the listener is on the tls.Listener.
func (*Dispatcher) Cancelled ¶
func (d *Dispatcher) Cancelled() bool
Cancelled tells if the Dispatcher has been shut down
func (*Dispatcher) Close ¶
func (d *Dispatcher) Close() error
Close initiates a shutdown and also returns the first fatal error, if there was one.
func (*Dispatcher) Serve ¶
func (d *Dispatcher) Serve(ln net.Listener) error
Serve starts processing the underlying net.Listener
type Handler ¶
A Handler is a function that takes responsibility for a given connection. The provided Context is used to signal that a shutdown has been initiated.
type SignatureScheme ¶
// SignatureScheme identifies a TLS signature algorithm as advertised in the
// signature_algorithms / signature_algorithms_cert extensions.
type SignatureScheme uint16

// Signature scheme identifiers as they appear on the wire.
//
// NOTE(review): the SHA-1 based schemes at the bottom are legacy; they are
// listed so that what a client advertises can be named (see SignatureAlgos),
// not as a recommendation to accept them.
const (
	// RSASSA-PKCS1-v1_5 algorithms.
	PKCS1WithSHA256 SignatureScheme = 0x0401
	PKCS1WithSHA384 SignatureScheme = 0x0501
	PKCS1WithSHA512 SignatureScheme = 0x0601

	// RSASSA-PSS algorithms with public key OID rsaEncryption.
	PSSWithSHA256 SignatureScheme = 0x0804
	PSSWithSHA384 SignatureScheme = 0x0805
	PSSWithSHA512 SignatureScheme = 0x0806

	// ECDSA algorithms. Only constrained to a specific curve in TLS 1.3.
	ECDSAWithP256AndSHA256 SignatureScheme = 0x0403
	ECDSAWithP384AndSHA384 SignatureScheme = 0x0503
	ECDSAWithP521AndSHA512 SignatureScheme = 0x0603

	// EdDSA algorithms.
	Ed25519 SignatureScheme = 0x0807

	// Legacy signature and hash algorithms for TLS 1.2.
	PKCS1WithSHA1 SignatureScheme = 0x0201
	ECDSAWithSHA1 SignatureScheme = 0x0203
)