Skip to content

http: Add missing tls setup when using proxy tunnel #23365

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

http: Add missing tls setup when using proxy tunnel #23365

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
35 changes: 34 additions & 1 deletion lib/std/http/Client.zig
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1434,6 +1434,7 @@ pub fn connectTunnel(
proxy: *Proxy,
tunnel_host: []const u8,
tunnel_port: u16,
tunnel_protocol: Connection.Protocol,
) !*Connection {
if (!proxy.supports_connect) return error.TunnelNotSupported;

Expand Down Expand Up @@ -1487,6 +1488,38 @@ pub fn connectTunnel(
conn.port = tunnel_port;
conn.closing = false;

if (tunnel_protocol == .tls) {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This block just mimics what we did in connectTcp.

if (disable_tls) unreachable;

conn.tls_client = try client.allocator.create(std.crypto.tls.Client);
errdefer client.allocator.destroy(conn.tls_client);

const ssl_key_log_file: ?std.fs.File = if (std.options.http_enable_ssl_key_log_file) ssl_key_log_file: {
const ssl_key_log_path = std.process.getEnvVarOwned(client.allocator, "SSLKEYLOGFILE") catch |err| switch (err) {
error.EnvironmentVariableNotFound, error.InvalidWtf8 => break :ssl_key_log_file null,
error.OutOfMemory => return error.OutOfMemory,
};
defer client.allocator.free(ssl_key_log_path);
break :ssl_key_log_file std.fs.cwd().createFile(ssl_key_log_path, .{
.truncate = false,
.mode = switch (builtin.os.tag) {
.windows, .wasi => 0,
else => 0o600,
},
}) catch null;
} else null;
errdefer if (ssl_key_log_file) |key_log_file| key_log_file.close();

conn.tls_client.* = std.crypto.tls.Client.init(conn.stream, .{
.host = .{ .explicit = tunnel_host },
.ca = .{ .bundle = client.ca_bundle },
.ssl_key_log_file = ssl_key_log_file,
}) catch return error.TlsInitializationFailed;
// This is appropriate for HTTPS because the HTTP headers contain
// the content length which is used to detect truncation attacks.
conn.tls_client.allow_truncation_attacks = true;
conn.protocol = .tls;
}
return conn;
}) catch {
// something went wrong with the tunnel
Expand Down Expand Up @@ -1524,7 +1557,7 @@ pub fn connect(
}

if (proxy.supports_connect) tunnel: {
return connectTunnel(client, proxy, host, port) catch |err| switch (err) {
return connectTunnel(client, proxy, host, port, protocol) catch |err| switch (err) {
error.TunnelNotSupported => break :tunnel,
else => |e| return e,
};
Expand Down
Loading