| 1246 | } |
| 1247 | |
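// http2DialTLSFunc returns the TLS dial function to use for HTTP/2
// connections, or nil when the default dialer (normal, full certificate
// verification) should be used instead.
//
// A custom dialer is returned only when verification is disabled
// (c.insecureAnyTLSCert) or when the client carries a list of trusted
// certificate fingerprints (c.getTrustedCerts). In the pinning case the
// returned function turns off the standard chain/hostname verification and
// accepts the connection only if the hashutil.SHA256Prefix fingerprint of
// the server's leaf certificate matches one of the trusted entries and the
// negotiated ALPN protocol is http2.NextProtoTLS.
//
// Every error path after a successful tls.Dial closes the connection before
// returning, so a rejected server does not leak an open TLS session.
func (c *Client) http2DialTLSFunc() func(network, addr string, cfg *tls.Config) (net.Conn, error) {
	trustedCerts := c.getTrustedCerts()
	if !c.insecureAnyTLSCert && len(trustedCerts) == 0 {
		// TLS with normal/full verification.
		// nil means http2 uses its default dialer.
		return nil
	}
	return func(network, addr string, cfg *tls.Config) (net.Conn, error) {
		// we own cfg, so we can mutate it. Standard verification is skipped
		// because either the caller opted out of verification entirely or the
		// fingerprint check below takes its place.
		cfg.InsecureSkipVerify = true
		conn, err := tls.Dial(network, addr, cfg)
		if err != nil {
			return nil, err
		}
		if c.insecureAnyTLSCert {
			// Any certificate is accepted; no further checks.
			return conn, nil
		}
		// From here on a rejected connection must be closed explicitly:
		// returning a nil net.Conn with an error would otherwise leak it.
		// Close errors are deliberately ignored; the verification failure is
		// the error worth reporting.
		state := conn.ConnectionState()
		if p := state.NegotiatedProtocol; p != http2.NextProtoTLS {
			conn.Close()
			return nil, fmt.Errorf("http2: unexpected ALPN protocol %q; want %q", p, http2.NextProtoTLS)
		}
		certs := state.PeerCertificates
		if len(certs) < 1 {
			conn.Close()
			return nil, fmt.Errorf("no TLS peer certificates from %s", addr)
		}
		// Pin on the leaf certificate, which is the first one the peer sent.
		sig := hashutil.SHA256Prefix(certs[0].Raw)
		for _, v := range trustedCerts {
			if v == sig {
				return conn, nil
			}
		}
		conn.Close()
		return nil, fmt.Errorf("TLS server at %v presented untrusted certificate (signature %q)", addr, sig)
	}
}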
| 1282 | |
| 1283 | // DialTLSFunc returns the adequate dial function, when using SSL, depending on |
| 1284 | // whether we're using insecure TLS (certificate verification is disabled), or we |