
Method proxyTLS

cmd/run/socket/proxy.go:317–348  ·  view source on GitHub ↗
(cli, srv *bufConn)


315}
316
// proxyTLS terminates TLS on both sides of an outgoing connection so that the
// decrypted stream can be handed to proxyOptimistic. Incoming connections, and
// connections for which a TLS server name has already been recorded on this
// proxy, are passed through untouched via proxyFallback. A failed handshake is
// returned wrapped; cli and srv are not closed here.
func (p *proxy) proxyTLS(cli, srv *bufConn) error {
	slog.Debug("starting proxyTLS", "proxy", p)

	// Incoming TLS cannot be intercepted (yet): terminating it would need the
	// tracee's cooperation, because the location of the CA certificate and
	// private key is application-specific. An already-recorded server name is
	// treated as a possible TLS-within-TLS situation and is likewise passed
	// through rather than guessed at.
	if !p.isOutgoing || p.tlsServerName.Load() != nil {
		return p.proxyFallback(cli, srv)
	}

	clientTLS, serverTLS, serverName, err := tls.Handshake(slog.GroupValue(slog.Any("proxy", p)), cli, srv)
	if err != nil {
		// Most clients abort the handshake when the ephemeral MITM certificate
		// is not trusted. Likely causes: (a) the application uses a CA root
		// store location this proxy does not know about, (b) certificate
		// pinning, (c) an mTLS connection, or (d) something else. For an
		// operator this is the expected failure mode for applications that
		// refuse the injected CA, and the wrapped error carries the detail.
		return fmt.Errorf("proxy tls handshake: %w", err)
	}

	// Record the negotiated name before relaying so a second handshake on the
	// same proxy takes the fallback path above.
	p.tlsServerName.Store(&serverName)

	err = p.proxyOptimistic(newBufConn(clientTLS), newBufConn(serverTLS))
	if err != nil {
		return fmt.Errorf("proxy tls: %w", err)
	}
	return nil
}
349
350func (p *proxy) discardMulti(r ...io.Reader) error {
351 var wg sync.WaitGroup
