fix(ca.go): use http/1.1 by default (#44)
The previous martian code used http/1.1 by default. Now I know why: if
using http2 we cannot hijack http connections anymore.

While there, mention `README.md` bug and how to address it.

Part of ooni/probe#2531
bassosimone authored Sep 20, 2023
1 parent c1d8ba3 commit 15f3ffe
Showing 2 changed files with 8 additions and 1 deletion.
6 changes: 5 additions & 1 deletion README.md
Expand Up @@ -31,7 +31,7 @@ go get -u -v -d gvisor.dev/gvisor@COMMIT_HASH
because [Gvisor](https://gvisor.dev/)'s default branch is not
ready to be used with Go tools and `go get` would misbehave.

When updating [Gvisor](https://gvisor.dev/) in this library, make sure
When updating [Gvisor](https://gvisor.dev/) in this library, make sure
you pin to a commit from the [go](https://github.com/google/gvisor/tree/go) branch,
which is the [Gvisor](https://gvisor.dev/) branch supporting go tools.
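
Review bot: the removed and added versions of the "When updating [Gvisor]..." line read identically, so this hunk looks like a whitespace-only edit unrelated to the http/1.1 fix. Consider dropping it from this commit or mentioning the cleanup in the commit message, so that the README diff is limited to the TODO.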

Expand All @@ -52,6 +52,10 @@ and many tests will fail; it still seems to be fine under Linux.

## Usage

TODO(bassosimone): this section needs to be updated because we have
recently removed the `stdlib.go` file and functionality, since we have
much better functionality inside of ooni/probe-cli.

Existing Go code needs to be adjusted to support netem.

Suppose you have this Go code:
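
Review bot: the TODO added under "## Usage" says the section is outdated because `stdlib.go` was removed, yet the instructions that follow ("Existing Go code needs to be adjusted to support netem.") stay in place with nothing telling a reader which steps no longer apply. Suggest wording it as a reader-facing note (the steps below rely on the removed `stdlib.go`), pointing to where the replacement lives in ooni/probe-cli, and linking a tracking issue so the TODO does not linger.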
3 changes: 3 additions & 0 deletions ca.go
Expand Up @@ -145,8 +145,11 @@ func (ca *CA) DefaultCertPool() *x509.CertPool {

// MustNewServerTLSConfig implements [CertificationAuthority].
func (ca *CA) MustNewServerTLSConfig(commonName string, extraNames ...string) *tls.Config {
// Implementation note: we want to force http/1.1 because we have several tests
// where the connection is hijackable and we cannot hijack http2 connections.
return &tls.Config{
Certificates: []tls.Certificate{*ca.MustNewTLSCertificate(commonName, extraNames...)},
NextProtos: []string{"http/1.1"},
}
}
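
Review bot: `NextProtos: []string{"http/1.1"}` now applies to every caller of `MustNewServerTLSConfig`, but the reason is recorded only in an implementation note inside the body, while the doc comment still says just "implements [CertificationAuthority]". Because this restricts the ALPN protocols the returned config will offer, state it in the doc comment (callers that want HTTP/2 have to set `NextProtos` themselves). This commit touches only README.md and ca.go, so also consider a test asserting that a server using this config negotiates http/1.1, otherwise a later refactor could drop the field without any hijack test pointing at the cause.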
