-
Notifications
You must be signed in to change notification settings - Fork 3.5k
New issue
Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? # to your account
[bug] Can't establish websocket connection when using NetDialTLSContext
and Proxy
together
#779
Comments
Removed the call to NetDialTLSContext from the HTTP proxy CONNECT step and replaced it with a regular net.Dial in order to prevent connection issues. Custom TLS connections can now be made via the new optional ProxyTLSConnection method, after the proxy connection has been successfully established.
Removed the call to NetDialTLSContext from the HTTP proxy CONNECT step and replaced it with a regular net.Dial in order to prevent connection issues. Custom TLS connections can now be made via the new optional ProxyTLSConnection method, after the proxy connection has been successfully established.
I spent hours trying to debug and understand this issue and I think I finally figured it out! Just had to learn more about the HTTP proxy CONNECT sub-protocol to get a better understanding. In short, what should happen is basically the following:
However, there's currently an issue in the implementation of this flow. See the code snippets below. Here, Lines 34 to 39 in 78cf1bc
If we change this to a regular We get the established proxy connection here: Line 320 in 78cf1bc
But there's currently no API to convert an existing TCP connection // client.go
type Dialer struct {
// ...
ProxyTLSConnection func(ctx context.Context, proxyConn net.Conn) (net.Conn, error)
} Now, further down in the code we can establish the TLS connection to the target host through the proxy connection by calling this new method (if it is defined): // client.go
if u.Scheme == "https" {
if d.ProxyTLSConnection != nil && d.Proxy != nil {
// If we are connected to a proxy, perform the TLS handshake through the existing tunnel
netConn, err = d.ProxyTLSConnection(ctx, netConn)
} else if d.NetDialTLSContext == nil {
// ...
}
} Now the third and final step in the flow is fixed! I hope my detailed explanation is clear and helpful to someone. I'll open a PR soon. |
What bothers me about this is the fact that in Before posting this comment, I went ahead and had a quick peek at the source code. Even the golang source code has some weird behavior if In other words, they "fixed" this issue in their code by completely ignoring it. |
Removed the call to NetDialTLSContext from the HTTP proxy CONNECT step and replaced it with a regular net.Dial in order to prevent connection issues. Custom TLS connections can now be made via the new optional ProxyTLSConnection method, after the proxy connection has been successfully established.
Describe the bug
I can't connect to a websocket server over a HTTP proxy when I set both
NetDialTLSContext
andProxy
fields on thewebsocket.Dialer
struct. See the code snippet below for more details, it's best explained by code.Versions
Go version:
go1.18.1 linux/amd64
.Package version:
v1.5.0
.Steps to Reproduce
Expected behavior
The websocket dialer should be able to establish a websocket connection over a HTTP proxy while also applying a custom TLS connection without issues.
Code Snippets
The following code results in an error like
websocket: bad handshake
orunexpected EOF
(depends on the proxy):When I check the request in burp, it looks like this:
As highlighted in red, the host URL became
http://echo.websocket.events:443/
, which obviously should just behttps://echo.websocket.events/
. I've been trying to debug why this is happening exactly all day but can't seem to find the culprit so I need help.If I remove
NetDialTLSContext
and just specifyTLSClientConfig
everything works as expected. Same result with theProxy
field removed. The issue only occurs when both of these fields are set.Am I missing something obvious?
The text was updated successfully, but these errors were encountered: