(cli, srv *bufConn)
| 315 | } |
| 316 | |
// proxyTLS proxies a TLS session between cli and srv. For an outgoing
// connection it runs the interception handshake (tls.Handshake, which presents
// the ephemeral MITM certificate we generate), records the negotiated server
// name on p, and hands the resulting connections to proxyOptimistic.
//
// Two cases are passed through untouched via proxyFallback instead: incoming
// connections, which we can't intercept (yet) because doing so would need the
// tracee's cooperation — the location of the CA certificate and private key is
// application-specific — and connections on a proxy that already carries a
// server name, which may be TLS within TLS.
//
// A handshake failure is returned to the caller, not silently downgraded to a
// fallback. Clients that don't trust the generated certificate usually close
// the connection during the handshake; the likely reasons are (a) an unknown CA
// root store location, (b) certificate pinning, (c) an mTLS connection, or (d)
// something else.
func (p *proxy) proxyTLS(cli, srv *bufConn) error {
	slog.Debug("starting proxyTLS", "proxy", p)

	// Both pass-through cases share one fallback. The server-name check is only
	// evaluated for outgoing connections (short-circuit), as before.
	passThrough := !p.isOutgoing || p.tlsServerName.Load() != nil
	if passThrough {
		return p.proxyFallback(cli, srv)
	}

	logAttrs := slog.GroupValue(slog.Any("proxy", p))
	tlsCli, tlsSrv, sni, err := tls.Handshake(logAttrs, cli, srv)
	if err != nil {
		return fmt.Errorf("proxy tls handshake: %w", err)
	}

	// Record the server name before proxying, so a later proxyTLS call on this
	// proxy (possibly TLS within TLS) takes the fallback path above.
	p.tlsServerName.Store(&sni)

	bufCli := newBufConn(tlsCli)
	bufSrv := newBufConn(tlsSrv)
	if err := p.proxyOptimistic(bufCli, bufSrv); err != nil {
		return fmt.Errorf("proxy tls: %w", err)
	}
	return nil
}
| 349 | |
| 350 | func (p *proxy) discardMulti(r ...io.Reader) error { |
| 351 | var wg sync.WaitGroup |