


Package sni provides logic to work with TLS SNI fields.



const (
	VersionTLS10 = 0x0301
	VersionTLS11 = 0x0302
	VersionTLS12 = 0x0303
	VersionTLS13 = 0x0304

	/* Deprecated: SSLv3 is cryptographically broken and is no longer
	supported by this package. */
	VersionSSL30 = 0x0300
const (
	// TLS 1.0 - 1.2 cipher suites.
	TLS_RSA_WITH_RC4_128_SHA                      uint16 = 0x0005
	TLS_RSA_WITH_3DES_EDE_CBC_SHA                 uint16 = 0x000a
	TLS_RSA_WITH_AES_128_CBC_SHA                  uint16 = 0x002f
	TLS_RSA_WITH_AES_256_CBC_SHA                  uint16 = 0x0035
	TLS_RSA_WITH_AES_128_CBC_SHA256               uint16 = 0x003c
	TLS_RSA_WITH_AES_128_GCM_SHA256               uint16 = 0x009c
	TLS_RSA_WITH_AES_256_GCM_SHA384               uint16 = 0x009d
	TLS_ECDHE_ECDSA_WITH_RC4_128_SHA              uint16 = 0xc007
	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA          uint16 = 0xc009
	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA          uint16 = 0xc00a
	TLS_ECDHE_RSA_WITH_RC4_128_SHA                uint16 = 0xc011
	TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA           uint16 = 0xc012
	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA            uint16 = 0xc013
	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA            uint16 = 0xc014
	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256       uint16 = 0xc023
	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256         uint16 = 0xc027
	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256         uint16 = 0xc02f
	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256       uint16 = 0xc02b
	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384         uint16 = 0xc030
	TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384       uint16 = 0xc02c
	TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256   uint16 = 0xcca8
	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 uint16 = 0xcca9

	// TLS 1.3 cipher suites.
	TLS_AES_128_GCM_SHA256       uint16 = 0x1301
	TLS_AES_256_GCM_SHA384       uint16 = 0x1302
	TLS_CHACHA20_POLY1305_SHA256 uint16 = 0x1303

	// TLS_FALLBACK_SCSV isn't a standard cipher suite but an indicator
	// that the client is doing version fallback. See RFC 7507.
	TLS_FALLBACK_SCSV uint16 = 0x5600

	// Legacy names for the corresponding cipher suites with the correct _SHA256
	// suffix, retained for backward compatibility.




func CipherSuites

func CipherSuites(u []uint16) []string

CipherSuites returns the names of the supported cipher suites.

func CompressionMethods

func CompressionMethods(u []uint8) []string

CompressionMethods returns the names of the compression methods used. Each name is either Compression None or Unknown.

func PeekClientHelloInfo

func PeekClientHelloInfo(ctx context.Context,
	conn net.Conn) (*tls.ClientHelloInfo, net.Conn, error)

PeekClientHelloInfo extracts the ClientHelloInfo from a connection while still allowing a future handler to have complete, untouched access to the stream.

func ReadClientHelloInfo

func ReadClientHelloInfo(ctx context.Context,
	f io.Reader) (*tls.ClientHelloInfo, error)

ReadClientHelloInfo mimics a TLS connection to let Go's tls.Server parse the ClientHelloInfo for us.

func SignatureAlgos

func SignatureAlgos(u []SignatureScheme) []string

SignatureAlgos returns the names of the supported signature algorithms.

func SupportedVersions

func SupportedVersions(u []uint16) []string

SupportedVersions returns the names of the supported TLS/SSL versions.

func VersionName

func VersionName(u uint16) string

VersionName returns the name of the TLS/SSL version.


type ClientHelloInfo

type ClientHelloInfo struct {
	Vers uint16

	CipherSuites       []uint16
	CompressionMethods []uint8
	ServerName         string

	SupportedSignatureAlgorithms     []SignatureScheme
	SupportedSignatureAlgorithmsCert []SignatureScheme

	ALPNProtocols []string

	SupportedVersions []uint16
	// contains filtered or unexported fields

ClientHelloInfo contains information from a ClientHello message in order to guide application logic in the GetCertificate and GetConfigForClient callbacks.

func GetInfo

func GetInfo(buf []byte) *ClientHelloInfo

GetInfo returns a pointer to a ClientHelloInfo.

type Conn

type Conn struct {

Conn is a net.Conn with a custom Reader.

func (*Conn) Read

func (c *Conn) Read(b []byte) (int, error)

type CurveID

type CurveID uint16

CurveID is the type of a TLS identifier for an elliptic curve.

type Dispatcher

type Dispatcher struct {

	// Logger to report errors
	Logger slog.Logger
	// Context to be used as parent of the internal Canceller
	Context context.Context

	// GetHandler tells the Dispatcher whether the connection associated with
	// a given ClientHelloInfo should be passed to a dedicated Handler
	// instead of being passed to the outer tls.Listener.
	GetHandler func(*tls.ClientHelloInfo) Handler

	// OnAccept is optionally used to configure the inbound net.Conn
	OnAccept func(net.Conn) (net.Conn, error)

	// OnError lets the user decide whether to shut down on critical errors;
	// it also allows the user to act accordingly.
	OnError func(err error) bool
	// contains filtered or unexported fields

The Dispatcher screens TCP connections and uses SNI to decide whether they should be handled by a dedicated system or passed to the tls.Listener that uses it via Accept().

dispatcher := &sni.Dispatcher{ GetHandler: func(chi *tls.ClientHelloInfo) sni.Handler { ..... }, }

config := &tls.Config{...} lsn := tls.NewListener(dispatcher, config)

func (*Dispatcher) Accept

func (d *Dispatcher) Accept() (net.Conn, error)

Accept returns a connection that was not dispatched through the Handler provided by GetHandler.

func (*Dispatcher) Addr

func (d *Dispatcher) Addr() net.Addr

Addr returns the address the underlying listener is using

func (*Dispatcher) Cancel

func (d *Dispatcher) Cancel()

Cancel initiates a shutdown. It prevents new dispatches and cancels existing workers, but the responsibility for closing the listener lies with the tls.Listener.

func (*Dispatcher) Cancelled

func (d *Dispatcher) Cancelled() bool

Cancelled tells if the Dispatcher has been shut down

func (*Dispatcher) Close

func (d *Dispatcher) Close() error

Close initiates a shutdown and also returns the first fatal error, if there was one.

func (*Dispatcher) Err

func (d *Dispatcher) Err() error

Err returns the first fatal error.

func (*Dispatcher) Serve

func (d *Dispatcher) Serve(ln net.Listener) error

Serve starts processing the underlying net.Listener

func (*Dispatcher) Shutdown

func (d *Dispatcher) Shutdown(ctx context.Context) error

Shutdown initiates a shutdown and waits until the workers are done or the given context times out.

func (*Dispatcher) Wait

func (d *Dispatcher) Wait() error

Wait waits until all workers are done

type Handler

type Handler func(context.Context, net.Conn) error

A Handler is a function that takes responsibility for a given connection. The provided Context is used to indicate when a shutdown has been initiated.

type SignatureScheme

type SignatureScheme uint16
const (
	// RSASSA-PKCS1-v1_5 algorithms.
	PKCS1WithSHA256 SignatureScheme = 0x0401
	PKCS1WithSHA384 SignatureScheme = 0x0501
	PKCS1WithSHA512 SignatureScheme = 0x0601

	// RSASSA-PSS algorithms with public key OID rsaEncryption.
	PSSWithSHA256 SignatureScheme = 0x0804
	PSSWithSHA384 SignatureScheme = 0x0805
	PSSWithSHA512 SignatureScheme = 0x0806

	// ECDSA algorithms. Only constrained to a specific curve in TLS 1.3.
	ECDSAWithP256AndSHA256 SignatureScheme = 0x0403
	ECDSAWithP384AndSHA384 SignatureScheme = 0x0503
	ECDSAWithP521AndSHA512 SignatureScheme = 0x0603

	// EdDSA algorithms.
	Ed25519 SignatureScheme = 0x0807

	// Legacy signature and hash algorithms for TLS 1.2.
	PKCS1WithSHA1 SignatureScheme = 0x0201
	ECDSAWithSHA1 SignatureScheme = 0x0203
