Fix client TLS bug

Wasn't properly handling the ACME protocol for raw TLS tunnels.
2025-02-25 18:55:29 -06:00 · 2022-02-23 17:30:02 -07:00 · 2022-02-23 17:30:02 -07:00 · 3b639adec8
commit 3b639adec8
parent 23846951d3
2 changed files with 20 additions and 7 deletions
--- a/boringproxy.go
+++ b/boringproxy.go
@ -109,7 +109,7 @@ func Listen() {
 	}

 	if *acceptCATerms {
-		certmagic.DefaultACME.Agreed  = true
+		certmagic.DefaultACME.Agreed = true
 		log.Print(fmt.Sprintf("Automatic agreement to CA terms with email (%s)", *acmeEmail))
 	}

--- a/client.go
+++ b/client.go
@ -345,17 +345,30 @@ func (c *Client) BoreTunnel(ctx context.Context, tunnel Tunnel) error {
 					break
 					//continue
 				}
+
+				// If ALPN type is acme-tls/1, certmagic will do its thing under the hood, and the
+				// connection should not be used.
+				if tlsConn, ok := conn.(*tls.Conn); ok {
+					tlsConn.Handshake()
+					if tlsConn.ConnectionState().NegotiatedProtocol == "acme-tls/1" {
+						tlsConn.Close()
+						continue
+					}
+				}
+
 				go c.handleConnection(conn, tunnel.ClientAddress, tunnel.ClientPort)
 			}
 		}()
 	}

-	// TODO: There's still quite a bit of duplication with what the server does. Could we
-	// encapsulate it into a type?
-	err = c.certConfig.ManageSync(ctx, []string{tunnel.Domain})
-	if err != nil {
-		log.Println("CertMagic error at startup")
-		log.Println(err)
+	if tunnel.TlsTermination != "passthrough" {
+		// TODO: There's still quite a bit of duplication with what the server does. Could we
+		// encapsulate it into a type?
+		err = c.certConfig.ManageSync(ctx, []string{tunnel.Domain})
+		if err != nil {
+			log.Println("CertMagic error at startup")
+			log.Println(err)
+		}
 	}

 	<-ctx.Done()