Fix client TLS bug

Wasn't properly handling the ACME protocol for raw TLS tunnels.

boringproxy.go

@@ -109,7 +109,7 @@ func Listen() {
 	}
 
 	if *acceptCATerms {
-		certmagic.DefaultACME.Agreed  = true
+		certmagic.DefaultACME.Agreed = true
 		log.Print(fmt.Sprintf("Automatic agreement to CA terms with email (%s)", *acmeEmail))
 	}
 

client.go

@@ -345,17 +345,30 @@ func (c *Client) BoreTunnel(ctx context.Context, tunnel Tunnel) error {
 					break
 					//continue
 				}
+
+				// If ALPN type is acme-tls/1, certmagic will do its thing under the hood, and the
+				// connection should not be used.
+				if tlsConn, ok := conn.(*tls.Conn); ok {
+					tlsConn.Handshake()
+					if tlsConn.ConnectionState().NegotiatedProtocol == "acme-tls/1" {
+						tlsConn.Close()
+						continue
+					}
+				}
+
 				go c.handleConnection(conn, tunnel.ClientAddress, tunnel.ClientPort)
 			}
 		}()
 	}
 
-	// TODO: There's still quite a bit of duplication with what the server does. Could we
+	if tunnel.TlsTermination != "passthrough" {
-	// encapsulate it into a type?
+		// TODO: There's still quite a bit of duplication with what the server does. Could we
-	err = c.certConfig.ManageSync(ctx, []string{tunnel.Domain})
+		// encapsulate it into a type?
-	if err != nil {
+		err = c.certConfig.ManageSync(ctx, []string{tunnel.Domain})
-		log.Println("CertMagic error at startup")
+		if err != nil {
-		log.Println(err)
+			log.Println("CertMagic error at startup")
+			log.Println(err)
+		}
 	}
 
 	<-ctx.Done()