DialTLS + Context with http Transport


Gabriel Rosenhouse

Aug 17, 2017, 6:33:14 PM
to golang-nuts
Hello,

We're trying to configure a http.Transport such that the client does extra validation of the server-provided certificate before sending any data. We want this client to compare server-provided certificate fields against values present on the request Context.  In essence, we'd like to be able to write:

tr := http.Transport{
    DialTLSContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
        // myConfig is the caller's *tls.Config
        conn, err := tls.Dial(network, addr, myConfig)
        if err != nil {
            return nil, err
        }
        // tls.Dial already returns a *tls.Conn, so no type assertion is needed
        connState := conn.ConnectionState()
        // extraValidation is the caller's check of certificate fields against values on ctx
        ok := extraValidation(connState, ctx)
        if !ok {
            conn.Close()
            return nil, errors.New("extra validation failed")
        }
        return conn, nil
    },
}

But DialTLSContext doesn't exist today. We see Transport.DialContext(), but if you try to tls.Dial() inside there while leaving DialTLS nil, the http.Transport won't know that the conn is already TLS, and it will attempt to TLS handshake again [0].

Could anyone suggest a workaround for this, short of modifying the `http.Transport` source code itself?

Thank you,

Gabe Rosenhouse

Joshua Boelter

Aug 19, 2017, 12:36:57 AM
to golang-nuts

Gabriel Rosenhouse

Aug 21, 2017, 4:45:51 PM
to golang-nuts
Thanks for the suggestion.  Unfortunately VerifyPeerCertificate does not receive the request's Context, so it is not possible to have its behavior depend on per-request data.

As a follow-up, we've opened https://github.com/golang/go/issues/21526

Regards,
Gabe
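The hook the thread asks for was later added to the standard library as Transport.DialTLSContext (Go 1.14), and tls.Dialer (Go 1.15) gives a context-aware handshake to pair with it. The program below is an added example, not code from this thread or from the Go project: it does the kind of per-request "extra validation" described above by carrying an expected leaf-certificate fingerprint on the request context and checking it inside DialTLSContext, before any request bytes are written. The pin-in-context scheme and every name in it (pinKey, WithPin, Fingerprint, checkPin, NewPinningTransport, fetch, Demo) are assumptions made for this example; the server is httptest's built-in test certificate, so it runs offline on Go 1.15 or later.

```go
package main

import (
	"context"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// pinKey is a hypothetical context key carrying the hex SHA-256 of the leaf cert a request expects.
type pinKey struct{}

// WithPin attaches the expected server certificate fingerprint to a request context.
func WithPin(ctx context.Context, hexPin string) context.Context {
	return context.WithValue(ctx, pinKey{}, hexPin)
}

// Fingerprint returns the hex SHA-256 of a certificate's DER encoding.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// checkPin is the per-request "extra validation": it compares the handshake's leaf certificate
// with the pin on ctx, and fails closed when the context carries none.
func checkPin(ctx context.Context, cs tls.ConnectionState) error {
	want, _ := ctx.Value(pinKey{}).(string)
	if want == "" {
		return errors.New("request context carries no certificate pin")
	}
	if len(cs.PeerCertificates) == 0 {
		return errors.New("server presented no certificate")
	}
	if got := Fingerprint(cs.PeerCertificates[0]); got != want {
		return fmt.Errorf("certificate pin mismatch: got %s", got)
	}
	return nil
}

// NewPinningTransport wires checkPin into Transport.DialTLSContext: the hook handshakes itself and
// drops the connection before any request bytes are written. Keep-alives are off because the hook
// runs once per dialed connection, not per request, so a pooled connection could otherwise be
// reused by a later request that carries a different pin.
func NewPinningTransport(cfg *tls.Config) *http.Transport {
	return &http.Transport{
		DisableKeepAlives: true,
		DialTLSContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
			conn, err := (&tls.Dialer{Config: cfg}).DialContext(ctx, network, addr)
			if err != nil {
				return nil, err
			}
			if err := checkPin(ctx, conn.(*tls.Conn).ConnectionState()); err != nil {
				conn.Close()
				return nil, err
			}
			return conn, nil
		},
	}
}

// fetch issues one GET whose context carries pin and returns the response body.
func fetch(client *http.Client, pin, url string) (string, error) {
	req, _ := http.NewRequestWithContext(WithPin(context.Background(), pin), http.MethodGet, url, nil)
	resp, err := client.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	return string(b), err
}

// Demo starts a local TLS server on httptest's built-in certificate and sends two requests through
// the pinning transport: one with that certificate's real fingerprint, one with a constructed
// wrong pin. It returns the first response body and the error from the second request.
func Demo() (body string, mismatch error, err error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		io.WriteString(w, "pinned ok")
	}))
	defer srv.Close()
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	client := &http.Client{Transport: NewPinningTransport(&tls.Config{RootCAs: pool})}
	if body, err = fetch(client, Fingerprint(srv.Certificate()), srv.URL); err != nil {
		return "", nil, err
	}
	_, mismatch = fetch(client, strings.Repeat("00", 32), srv.URL) // constructed pin that matches nothing
	return body, mismatch, nil
}

func main() {
	body, mismatch, err := Demo()
	fmt.Printf("correct pin: %q\nwrong pin: %v\nerror: %v\n", body, mismatch, err)
}
```

Two design points matter for anyone adopting this shape. First, the check lives in the dial hook rather than in tls.Config.VerifyPeerCertificate for exactly the reason given in the thread: VerifyPeerCertificate never sees the request context, while DialTLSContext receives a context that retains the request's values. Second, a dial hook runs per connection, not per request, so with connection pooling a request could be served by a connection that was validated against another request's expectations; disabling keep-alives is the simplest way to make the check per-request, and keeping one Transport per distinct pin value is the alternative when pooling is needed.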