[client] use embedded root CA if system certpool is empty (#3272)

* Implement custom TLS certificate handling with fallback to embedded roots
hakansa
2025-02-04 18:17:59 +03:00
committed by GitHub
parent 7d385b8dc3
commit 0125cd97d8
8 changed files with 160 additions and 6 deletions


@@ -2,6 +2,8 @@ package ws
import (
"context"
"crypto/tls"
"crypto/x509"
"errors"
"fmt"
"net"
@@ -13,6 +15,7 @@ import (
"nhooyr.io/websocket"
"github.com/netbirdio/netbird/relay/server/listener/ws"
"github.com/netbirdio/netbird/util/embeddedroots"
nbnet "github.com/netbirdio/netbird/util/net"
)
@@ -66,10 +69,19 @@ func prepareURL(address string) (string, error) {
func httpClientNbDialer() *http.Client {
customDialer := nbnet.NewDialer()
certPool, err := x509.SystemCertPool()
if err != nil || certPool == nil {
log.Debugf("System cert pool not available; falling back to embedded cert, error: %v", err)
certPool = embeddedroots.Get()
}
customTransport := &http.Transport{
DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
return customDialer.DialContext(ctx, network, addr)
},
TLSClientConfig: &tls.Config{
RootCAs: certPool,
},
}
return &http.Client{


@@ -2,11 +2,25 @@
package tls
import "crypto/tls"
import (
"crypto/tls"
"crypto/x509"
log "github.com/sirupsen/logrus"
"github.com/netbirdio/netbird/util/embeddedroots"
)
func ClientQUICTLSConfig() *tls.Config {
certPool, err := x509.SystemCertPool()
if err != nil || certPool == nil {
log.Debugf("System cert pool not available; falling back to embedded cert, error: %v", err)
certPool = embeddedroots.Get()
}
return &tls.Config{
InsecureSkipVerify: true, // Debug mode allows insecure connections
NextProtos: []string{nbalpn}, // Ensure this matches the server's ALPN
RootCAs: certPool,
}
}
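Review bot: The `RootCAs: certPool` added to the config returned at the end of ClientQUICTLSConfig has no effect in this variant, because `InsecureSkipVerify: true` two lines above disables server chain verification entirely, so neither the system pool nor the embedded fallback is ever consulted here. If that is intended for the debug build, the existing comment should say so, e.g. `InsecureSkipVerify: true, // debug mode: verification is skipped, so RootCAs below is not consulted`; otherwise the fallback only means something in the sibling variant at L87–L90. Separately, the new guard `if err != nil || certPool == nil` (repeated at L83 and in the websocket client at L32) does not match the commit title: as far as I can tell x509.SystemCertPool can return a non-nil pool holding no certificates together with a nil error when no root files are found, and that empty pool passes straight through. A check such as `if err != nil || certPool == nil || certPool.Equal(x509.NewCertPool()) {` would also cover that case, and the same one-line change applies to the other two sites.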


@@ -2,10 +2,24 @@
package tls
import "crypto/tls"
import (
"crypto/tls"
"crypto/x509"
log "github.com/sirupsen/logrus"
"github.com/netbirdio/netbird/util/embeddedroots"
)
func ClientQUICTLSConfig() *tls.Config {
certPool, err := x509.SystemCertPool()
if err != nil || certPool == nil {
log.Debugf("System cert pool not available; falling back to embedded cert, error: %v", err)
certPool = embeddedroots.Get()
}
return &tls.Config{
NextProtos: []string{nbalpn},
RootCAs: certPool,
}
}