DialTLSFunc returns the appropriate dial function to use when TLS is enabled, depending on whether insecure TLS is in use (certificate verification is disabled), the client has some trusted certs configured, or it is running on Android. When none of those apply and the client is not running on Android, it returns nil and leaves certificate verification to the standard library. If the client's config has some trusted certs, the TLS handshake itself is performed with standard verification disabled (InsecureSkipVerify) and the server's certificate is instead checked against those in the config after the handshake, so that post-handshake check is the only verification performed in that mode.
| 1286 | // If the client's config has some trusted certs, the server's certificate will |
| 1287 | // be checked against those in the config after the TLS handshake. |
| 1288 | func (c *Client) DialTLSFunc() func(network, addr string) (net.Conn, error) { |
| 1289 | if !c.useTLS() { |
| 1290 | return nil |
| 1291 | } |
| 1292 | trustedCerts := c.getTrustedCerts() |
| 1293 | var stdTLS bool |
| 1294 | if !c.insecureAnyTLSCert && len(trustedCerts) == 0 { |
| 1295 | // TLS with normal/full verification. |
| 1296 | stdTLS = true |
| 1297 | if !android.IsChild() { |
| 1298 | // Not android, so let the stdlib deal with it |
| 1299 | return nil |
| 1300 | } |
| 1301 | } |
| 1302 | |
| 1303 | return func(network, addr string) (net.Conn, error) { |
| 1304 | var conn *tls.Conn |
| 1305 | var err error |
| 1306 | if android.IsChild() { |
| 1307 | ac, err := android.Dial(network, addr) |
| 1308 | if err != nil { |
| 1309 | return nil, err |
| 1310 | } |
| 1311 | var tlsConfig *tls.Config |
| 1312 | if stdTLS { |
| 1313 | tlsConfig, err = android.TLSConfig() |
| 1314 | if err != nil { |
| 1315 | return nil, err |
| 1316 | } |
| 1317 | } else { |
| 1318 | tlsConfig = &tls.Config{InsecureSkipVerify: true} |
| 1319 | } |
| 1320 | // Since we're doing the TLS handshake ourselves, we need to set the ServerName, |
| 1321 | // in case the server uses SNI (as is the case if it's relying on Let's Encrypt, |
| 1322 | // for example). |
| 1323 | tlsConfig.ServerName = c.serverNameOfAddr(addr) |
| 1324 | conn = tls.Client(ac, tlsConfig) |
| 1325 | if err := conn.Handshake(); err != nil { |
| 1326 | return nil, err |
| 1327 | } |
| 1328 | if stdTLS { |
| 1329 | // Normal TLS verification succeeded and we do not have |
| 1330 | // additional trusted certificate fingerprints to check for. |
| 1331 | return conn, nil |
| 1332 | } |
| 1333 | } else { |
| 1334 | conn, err = tls.Dial(network, addr, &tls.Config{InsecureSkipVerify: true}) |
| 1335 | if err != nil { |
| 1336 | return nil, err |
| 1337 | } |
| 1338 | } |
| 1339 | if c.insecureAnyTLSCert { |
| 1340 | return conn, nil |
| 1341 | } |
| 1342 | certs := conn.ConnectionState().PeerCertificates |
| 1343 | if len(certs) < 1 { |
| 1344 | return nil, fmt.Errorf("no TLS peer certificates from %s", addr) |
| 1345 | } |