Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

martian: move TLS handshake from forwarder.Listener #941

Merged
merged 2 commits into from
Oct 16, 2024
Merged

martian: move TLS handshake from forwarder.Listener #941

merged 2 commits into from
Oct 16, 2024

Conversation

Choraden
Copy link
Contributor

@Choraden Choraden commented Oct 14, 2024
edited
Loading

Listener is not the right place to do the handshake. It may block main accept loop.
Martian Proxy will explicitly do the handshake if accepted connection is tls.Conn.

Consequences:

  • Metrics no longer report TLS handshake errors.

Fixes #917

@mmatczuk
Copy link
Contributor

The question is what do we do with the tls handshake metric?

@Choraden
net: remove TLS handshake timeout from listener
d5e6021 
Listener is not the right place to do the handshake. It may block main accept loop.
@Choraden Choraden marked this pull request as ready for review October 15, 2024 13:56
@Choraden
Copy link
Contributor Author

I rebased and added a test.

The question is what do we do with the tls handshake metric?

That approach resigns from having a tls error metrics in forwarder. We don't have any metrics directly in martian and I see no point in adding it only for that.
If we want to have it, we need to implement conn wrapper that would do the handshake.

mmatczuk
mmatczuk reviewed Oct 16, 2024
View reviewed changes
internal/martian/proxy.go Outdated
pc := newProxyConn(p, conn)
pc, err := newProxyConn(p, conn)
if err != nil {
log.Errorf(context.TODO(), "failed to create proxy connection: %v", err)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe initialize would be better?

mmatczuk
mmatczuk reviewed Oct 16, 2024
View reviewed changes
internal/martian/proxy_conn.go Outdated
Comment on lines 51 to 61
ctx := context.Background()
if p.TLSHandshakeTimeout > 0 {
var cancel context.CancelFunc
ctx, cancel = context.WithTimeout(context.Background(), p.TLSHandshakeTimeout)
defer cancel()
}
if err := tconn.HandshakeContext(ctx); err != nil {
return nil, fmt.Errorf("failed to do TLS handshake: %w", err)
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perhaps this should be extracted to method so that newProxyConn does not return error.
This would give us the opportunity to provide better errors.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A separate method to do the handshake has been added.

mmatczuk
mmatczuk reviewed Oct 16, 2024
View reviewed changes
internal/martian/proxy_conn.go Outdated
if tconn, ok := conn.(*tls.Conn); ok {
v.secure = true
v.cs = tconn.ConnectionState()
func (p *proxyConn) tlsHandshake() error {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd call that maybeHandshakeTLS

mmatczuk
mmatczuk reviewed Oct 16, 2024
View reviewed changes
internal/martian/proxy_conn.go Outdated
v.secure = true
v.cs = tconn.ConnectionState()
func (p *proxyConn) tlsHandshake() error {
if tconn, ok := p.conn.(*tls.Conn); ok {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Return early.

@Choraden
martian: add support for TLSHandshakeTimeout
06a73d5 
Martian Proxy will explicitly do the handshake if accepted connection is tls.Conn.
@mmatczuk mmatczuk self-requested a review October 16, 2024 10:25
@mmatczuk mmatczuk merged commit af3e220 into main Oct 16, 2024
6 checks passed
@mmatczuk mmatczuk deleted the hg/move_tls branch October 16, 2024 10:25
@mmatczuk
Copy link
Contributor

LGTM

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mmatczuk mmatczuk mmatczuk approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

martian: move TLS handshake from Listener to matrtian
2 participants
@Choraden @mmatczuk