Support IP-only hostname and ignore hello.ServerName

Signed-off-by: YanzheL <[email protected]>

Author: YanzheL

dfdaemon/proxy/cert.go

@@ -24,6 +24,7 @@ import (
 	"crypto/x509/pkix"
 	"errors"
 	"math/big"
+	"net"
 	"time"
 
 	"github.com/sirupsen/logrus"
@@ -37,7 +38,8 @@ type LeafCertSpec struct {
 	signatureAlgorithm x509.SignatureAlgorithm
 }
 
-func genLeafCert(ca *tls.Certificate, leafCertSpec *LeafCertSpec, commonName string, dnsNames ...string) (*tls.Certificate, error) {
+// genLeafCert generates a Leaf TLS certificate and sign it with given CA
+func genLeafCert(ca *tls.Certificate, leafCertSpec *LeafCertSpec, host string) (*tls.Certificate, error) {
 	now := time.Now().Add(-1 * time.Hour).UTC()
 	if !ca.Leaf.IsCA {
 		return nil, errors.New("CA cert is not a CA")
@@ -50,14 +52,19 @@ func genLeafCert(ca *tls.Certificate, leafCertSpec *LeafCertSpec, commonName str
 	}
 	tmpl := &x509.Certificate{
 		SerialNumber:          serialNumber,
-		Subject:               pkix.Name{CommonName: commonName},
+		Subject:               pkix.Name{CommonName: host},
 		NotBefore:             now,
 		NotAfter:              now.Add(24 * time.Hour),
 		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageDataEncipherment | x509.KeyUsageKeyAgreement,
 		BasicConstraintsValid: true,
-		DNSNames:              dnsNames,
 		SignatureAlgorithm:    leafCertSpec.signatureAlgorithm,
 	}
+	ip := net.ParseIP(host)
+	if ip == nil {
+		tmpl.DNSNames = []string{host}
+	} else {
+		tmpl.IPAddresses = []net.IP{ip}
+	}
 	newCert, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Leaf, leafCertSpec.publicKey, ca.PrivateKey)
 	if err != nil {
 		logrus.Errorf("failed to generate leaf cert %s", err)

dfdaemon/proxy/proxy.go

@@ -333,17 +333,16 @@ func (proxy *Proxy) handleHTTPS(w http.ResponseWriter, r *http.Request) {
 			proxy.cert.Leaf.SignatureAlgorithm}
 		host, _, _ := net.SplitHostPort(r.Host)
 		sConfig.GetCertificate = func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
-			cConfig.ServerName = hello.ServerName
+			cConfig.ServerName = host
 			logrus.Debugf("Generate temporal leaf TLS cert for ServerName <%s>, host <%s>", hello.ServerName, host)
-			// cacheKey is (ServerName, host) pair. Just use string concatenation, no need for a tuple struct here.
-			// I'm curious about whether `hello.ServerName` is always same as `host`?
-			cacheKey := hello.ServerName + "," + host
+			// It's assumed that `hello.ServerName` is always same as `host`, in practice.
+			cacheKey := host
 			cached, hit := proxy.certCache.Get(cacheKey)
 			if hit && time.Now().Before(cached.(*tls.Certificate).Leaf.NotAfter) { // If cache hit and the cert is not expired
 				logrus.Debugf("TLS Cache hit, cacheKey = <%s>", cacheKey)
 				return cached.(*tls.Certificate), nil
 			}
-			cert, err := genLeafCert(proxy.cert, &leafCertSpec, hello.ServerName, host)
+			cert, err := genLeafCert(proxy.cert, &leafCertSpec, host)
 			if err == nil {
 				// Put cert in cache only if there is no error. So all certs in cache are always valid.
 				// But certs in cache maybe expired (After 24 hours, see the default duration of generated certs)