Append Let's Encrypt ISRG Root X1 to cert pool

This is a workaround for older versions of android that do not trust
the Let's Encrypt root certificate.
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40087
This commit is contained in:
Cecylia Bocovich 2023-06-12 20:34:41 -04:00
parent 9edaee6547
commit f8eb86f24d
No known key found for this signature in database
GPG key ID: 009DE379FD9B7B90
2 changed files with 63 additions and 2 deletions

View file

@ -4,6 +4,7 @@
package snowflake_client
import (
"crypto/tls"
"errors"
"fmt"
@ -14,6 +15,7 @@ import (
"github.com/pion/webrtc/v3"
utls "github.com/refraction-networking/utls"
"gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/v2/common/certs"
"gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/v2/common/event"
"gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/v2/common/messages"
"gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/v2/common/nat"
@ -50,7 +52,10 @@ type BrokerChannel struct {
// and TLSHandshakeTimeout settings. But we want to disable the default
// ProxyFromEnvironment setting.
func createBrokerTransport() http.RoundTripper {
transport := http.DefaultTransport.(*http.Transport)
tlsConfig := &tls.Config{
RootCAs: certs.GetRootCAs(),
}
transport := &http.Transport{TLSClientConfig: tlsConfig}
transport.Proxy = nil
transport.ResponseHeaderTimeout = 15 * time.Second
return transport
@ -70,7 +75,9 @@ func newBrokerChannelFromConfig(config ClientConfig) (*BrokerChannel, error) {
if err != nil {
return nil, fmt.Errorf("unable to create broker channel: %v", err)
}
utlsConfig := &utls.Config{}
utlsConfig := &utls.Config{
RootCAs: certs.GetRootCAs(),
}
brokerTransport = utlsutil.NewUTLSHTTPRoundTripper(utlsClientHelloID, utlsConfig, brokerTransport, config.UTLSRemoveSNI)
}