Overwrite TransportCredentials ServerName.

This ensures the transport credentials are properly configured to use the host to which the connection was made for verification purposes.
johanbrandhorst · Feb 5, 2018 · fe0e4a9 · fe0e4a9
1 parent 6099f35
commit fe0e4a9
Showing 1 changed file with 22 additions and 0 deletions.
diff --git a/wsproxy/wsproxy.go b/wsproxy/wsproxy.go
@@ -2,6 +2,7 @@ package wsproxy
 
 import (
 	"context"
+	"crypto/tls"
 	"encoding/binary"
 	"errors"
 	"io"
@@ -45,6 +46,7 @@ func WrapServer(h http.Handler, opts ...Option) http.Handler {
 	p := &proxy{
 		h:      h,
 		logger: noopLogger{},
+		creds:  credentials.NewTLS(&tls.Config{InsecureSkipVerify: true}),
 	}
 
 	for _, opt := range opts {
@@ -104,6 +106,14 @@ func (p *proxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	// Override TLS config ServerName in case
+	// it hasn't been set explicitly already
+	err = p.creds.OverrideServerName(stripPort(r.Host))
+	if err != nil {
+		p.logger.Warnln("Failed to set TLS Server Name:", err)
+		return
+	}
+
 	defer func() {
 		err = conn.Close()
 		if err != nil {
@@ -296,3 +306,15 @@ func withPort(host string) string {
 	}
 	return host
 }
+
+// stripPort removes a port, if any, from the input
+func stripPort(hostport string) string {
+	colon := strings.IndexByte(hostport, ':')
+	if colon == -1 {
+		return hostport
+	}
+	if i := strings.IndexByte(hostport, ']'); i != -1 {
+		return strings.TrimPrefix(hostport[:i], "[")
+	}
+	return hostport[:colon]
+}