Go with Cloudflare experimental patches

Results 23 go issues

This PR fixes a number of bugs in the DC implementation. Specifically this addresses Issues #127, #128, #129, and #130. It also adds `generate_delegated_credential.go` which provides a tool matching `generate_cert.go`...

In `delegated_credentials_test.go` `TestDCHandshakeServerAuth` sets `clientConfig.InsecureSkipVerify = true`. Because of how golang handles global state this is propagated to all later tests. This leads to test failures if the tests are...

`getSignatureAlgorithm` should return the signature algorithm of a certificate, but returns the signature algorithm of the certificate's parent (the intermediate cert). It also doesn't support RSA leaf certificates at all.

`selectSignatureSchemeDC` only checks the client's `supportedSignatureAlgorithmsDC` field. Per the [spec](https://datatracker.ietf.org/doc/html/draft-ietf-tls-subcerts-15#section-4.1.1) the selected signature scheme MUST be in both the `supportedSignatureAlgorithmsDC` and `supportedSignatureAlgorithms` fields.

`signatureSchemeForDelegatedCredential` returns the list of supported signature schemes for a delegated credential; however, per the spec, DCs are explicitly restricted to a single `SignatureAlgorithm` defined in the `dc_cert_verify_algorithm` field. We...

I have a TLS transparent proxy which works like this:

```
Client ==|TLS request|==> Proxy ==|HTTP Connect|==> Target
```

I use https://github.com/inconshreveable/go-vhost to sniff SNI and construct the HTTP Connect...

@Lekensteyn suggested we add a unit test for asserting that the client-facing server rejects if the client sends GREASE ECH with a config id that matches a known config but...