use tlsClientConfig instead of custom dialer (#3830)

* use tlsClientConfig instead of custom dialer

* rm debug log

.vscode/launch.json

@@ -7,7 +7,8 @@
       "request": "launch",
       "mode": "debug",
       "program": "${workspaceRoot}/cmd/pomerium",
-      "args": ["-config", "${workspaceRoot}/.config.yaml"]
+      "args": ["-config", "${workspaceRoot}/.config.yaml"],
+      "cwd": "${workspaceRoot}",
     },
     {
       "name": "Connect to server",

authorize/state.go

@@ -84,9 +84,15 @@ func newAuthorizeStateFromConfig(cfg *config.Config, store *store.Store) (*autho
 	}
 
 	state.hpkePrivateKey = hpke.DerivePrivateKey(sharedKey)
-	state.authenticateKeyFetcher = hpke.NewKeyFetcher(authenticateURL.ResolveReference(&url.URL{
+
+	jwksURL := authenticateURL.ResolveReference(&url.URL{
 		Path: "/.well-known/pomerium/jwks.json",
-	}).String())
+	}).String()
+	transport, err := config.GetTLSClientTransport(cfg)
+	if err != nil {
+		return nil, fmt.Errorf("authorize: get tls client config: %w", err)
+	}
+	state.authenticateKeyFetcher = hpke.NewKeyFetcher(jwksURL, transport)
 
 	return state, nil
 }

config/config.go

@@ -5,6 +5,7 @@ import (
 
 	"github.com/pomerium/pomerium/internal/hashutil"
 	"github.com/pomerium/pomerium/internal/telemetry/metrics"
+	"github.com/pomerium/pomerium/pkg/cryptutil"
 )
 
 // MetricsScrapeEndpoint defines additional metrics endpoints that would be scraped and exposed by pomerium
@@ -86,3 +87,15 @@ func (cfg *Config) AllocatePorts(ports [6]string) {
 	cfg.DebugPort = ports[4]
 	cfg.ACMETLSALPNPort = ports[5]
 }
+
+// GetTLSClientConfig returns TLS configuration that accounts for additional CA entries
+func (cfg *Config) GetTLSClientConfig() (*tls.Config, error) {
+	roots, err := cryptutil.GetCertPool(cfg.Options.CA, cfg.Options.CAFile)
+	if err != nil {
+		return nil, err
+	}
+	return &tls.Config{
+		RootCAs:    roots,
+		MinVersion: tls.VersionTLS12,
+	}, nil
+}

config/http.go

@@ -117,3 +117,15 @@ func NewPolicyHTTPTransport(options *Options, policy *Policy, disableHTTP2 bool)
 	}
 	return c.Then(transport)
 }
+
+// GetTLSClientTransport returns http transport accounting for custom CAs from config
+func GetTLSClientTransport(cfg *Config) (*http.Transport, error) {
+	tlsConfig, err := cfg.GetTLSClientConfig()
+	if err != nil {
+		return nil, err
+	}
+	return &http.Transport{
+		TLSClientConfig:   tlsConfig,
+		ForceAttemptHTTP2: true,
+	}, nil
+}

pkg/hpke/jwks.go

@@ -81,9 +81,12 @@ func (fetcher *jwksKeyFetcher) FetchPublicKey(ctx context.Context) (*PublicKey,
 }
 
 // NewKeyFetcher returns a new KeyFetcher which fetches keys using an in-memory HTTP cache.
-func NewKeyFetcher(endpoint string) KeyFetcher {
+func NewKeyFetcher(endpoint string, transport http.RoundTripper) KeyFetcher {
 	return &jwksKeyFetcher{
-		client:   httpcache.NewMemoryCacheTransport().Client(),
+		client: (&httpcache.Transport{
+			Transport: transport,
+			Cache:     httpcache.NewMemoryCache(),
+		}).Client(),
 		endpoint: endpoint,
 	}
 }

proxy/state.go

@@ -3,6 +3,7 @@ package proxy
 import (
 	"context"
 	"crypto/cipher"
+	"fmt"
 	"net/url"
 
 	"github.com/pomerium/pomerium/config"
@@ -61,9 +62,15 @@ func newProxyStateFromConfig(cfg *config.Config) (*proxyState, error) {
 	if err != nil {
 		return nil, err
 	}
-	state.authenticateKeyFetcher = hpke.NewKeyFetcher(authenticateURL.ResolveReference(&url.URL{
+
+	jwksURL := authenticateURL.ResolveReference(&url.URL{
 		Path: "/.well-known/pomerium/jwks.json",
-	}).String())
+	}).String()
+	transport, err := config.GetTLSClientTransport(cfg)
+	if err != nil {
+		return nil, fmt.Errorf("authorize: get tls client config: %w", err)
+	}
+	state.authenticateKeyFetcher = hpke.NewKeyFetcher(jwksURL, transport)
 
 	state.sharedCipher, err = cryptutil.NewAEADCipher(state.sharedKey)
 	if err != nil {