From 0c70fd3a1f9121ed148a95b98fca6e414956ceda Mon Sep 17 00:00:00 2001
From: Caleb Doxsey
Date: Fri, 6 Jan 2023 09:54:17 -0700
Subject: [PATCH] hpke: fix hpke key fetcher when using self-signed certificates

---
 authorize/state.go | 7 ++-----
 internal/httputil/transport.go | 19 +++++++++++++++++++
 proxy/state.go | 8 ++------
 3 files changed, 23 insertions(+), 11 deletions(-)
 create mode 100644 internal/httputil/transport.go

diff --git a/authorize/state.go b/authorize/state.go
index dd3506c52..e1e003718 100644
--- a/authorize/state.go
+++ b/authorize/state.go
@@ -10,6 +10,7 @@ import (
 "github.com/pomerium/pomerium/authorize/evaluator"
 "github.com/pomerium/pomerium/authorize/internal/store"
 "github.com/pomerium/pomerium/config"
+ "github.com/pomerium/pomerium/internal/httputil"
 "github.com/pomerium/pomerium/pkg/grpc"
 "github.com/pomerium/pomerium/pkg/grpc/databroker"
 "github.com/pomerium/pomerium/pkg/hpke"
@@ -88,11 +89,7 @@ func newAuthorizeStateFromConfig(cfg *config.Config, store *store.Store) (*autho
 jwksURL := authenticateURL.ResolveReference(&url.URL{
 Path: "/.well-known/pomerium/jwks.json",
 }).String()
- transport, err := config.GetTLSClientTransport(cfg)
- if err != nil {
- return nil, fmt.Errorf("authorize: get tls client config: %w", err)
- }
- state.authenticateKeyFetcher = hpke.NewKeyFetcher(jwksURL, transport)
+ state.authenticateKeyFetcher = hpke.NewKeyFetcher(jwksURL, httputil.GetInsecureTransport())

 return state, nil
 }
diff --git a/internal/httputil/transport.go b/internal/httputil/transport.go
new file mode 100644
index 000000000..d1ee2ca15
--- /dev/null
+++ b/internal/httputil/transport.go 
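Review bot: The new `+ state.authenticateKeyFetcher = hpke.NewKeyFetcher(jwksURL, httputil.GetInsecureTransport())` line in the `@@ -88,11 +89,7 @@` hunk fetches the authenticate service's JWKS — the source of the HPKE public key — over a transport that does not verify the server certificate, so a party able to intercept that connection could present a key of its own, unless the fetched keys are authenticated by some other mechanism not visible here. The same swap is made in proxy/state.go at `@@ -66,11 +66,7 @@`. The removed `config.GetTLSClientTransport(cfg)` presumably already trusted the configured CA, which is the narrower fix for self-signed deployments; keeping it and using `httputil.GetInsecureTransport()` only when the configuration explicitly opts in would preserve verification for everyone else. If skipping verification is intended, the line should carry a comment saying so, e.g. `// TLS verification is skipped here: the JWKS fetch trusts whatever serves the authenticate URL.`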
@@ -0,0 +1,19 @@
+package httputil
+
+import (
+ "crypto/tls"
+ "net/http"
+)
+
+// GetInsecureTransport returns an HTTP transport which skips TLS verification.
+func GetInsecureTransport() *http.Transport {
+ transport := http.DefaultTransport.(*http.Transport).Clone()
+ transport.Dial = nil
+ transport.DialContext = nil
+ transport.DialTLS = nil
+ transport.DialTLSContext = nil
+ transport.TLSClientConfig = &tls.Config{
+ InsecureSkipVerify: true,
+ }
+ return transport
+}
diff --git a/proxy/state.go b/proxy/state.go
index 9a9d79b3e..0b4af658f 100644
--- a/proxy/state.go
+++ b/proxy/state.go
@@ -3,12 +3,12 @@ package proxy
 import (
 "context"
 "crypto/cipher"
- "fmt"
 "net/url"

 "github.com/pomerium/pomerium/config"
 "github.com/pomerium/pomerium/internal/encoding"
 "github.com/pomerium/pomerium/internal/encoding/jws"
+ "github.com/pomerium/pomerium/internal/httputil"
 "github.com/pomerium/pomerium/internal/sessions"
 "github.com/pomerium/pomerium/internal/sessions/cookie"
 "github.com/pomerium/pomerium/pkg/cryptutil"
@@ -66,11 +66,7 @@ func newProxyStateFromConfig(cfg *config.Config) (*proxyState, error) {
 jwksURL := authenticateURL.ResolveReference(&url.URL{
 Path: "/.well-known/pomerium/jwks.json",
 }).String()
- transport, err := config.GetTLSClientTransport(cfg)
- if err != nil {
- return nil, fmt.Errorf("authorize: get tls client config: %w", err)
- }
- state.authenticateKeyFetcher = hpke.NewKeyFetcher(jwksURL, transport)
+ state.authenticateKeyFetcher = hpke.NewKeyFetcher(jwksURL, httputil.GetInsecureTransport())

 state.sharedCipher, err = cryptutil.NewAEADCipher(state.sharedKey)
 if err != nil {
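Review bot: `GetInsecureTransport` in the `@@ -0,0 +1,19 @@` hunk gives callers no way to supply a trust root, so the only option it offers for a self-signed authenticate certificate is to accept any certificate at all, and its doc comment does not say when that is acceptable; a sibling constructor that takes a root pool would let both callers in this commit keep verification. Resetting `Dial`, `DialContext`, `DialTLS` and `DialTLSContext` also has a side effect worth a comment: the standard library's `http.DefaultTransport` sets `DialContext` to a dialer with a 30s timeout and keep-alive, so after this clone dials use a zero-value dialer with no timeout (if these lines guard against some other code mutating the default transport, say so). `Dial` and `DialTLS` are deprecated fields, so clearing them is harmless but likely unnecessary. Suggested doc comment: `// GetInsecureTransport returns an HTTP transport which skips TLS verification. The peer is not authenticated, so use it only where the response is verified by other means.`
```go
// NewTransport returns a clone of the default transport that verifies the
// server against rootCAs (the system roots when rootCAs is nil).
func NewTransport(rootCAs *x509.CertPool) *http.Transport {
	transport := http.DefaultTransport.(*http.Transport).Clone()
	transport.TLSClientConfig = &tls.Config{RootCAs: rootCAs}
	return transport
}
```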