author | Sean McArthur <sean@seanmonstar.com> | 2024-07-24 13:20:06 -0700 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-07-24 20:20:06 +0000 |
commit | c7f468d33b5d0814b56036639eb2a8226d4bfbbf (patch) | |
tree | 7464522c9574c57d2c3e9c4902278864631d83f1 /ext/fetch/lib.rs | |
parent | b305ba3e1c155a33139ec0d764f547ffde4d4de4 (diff) |
fix(ext/fetch): use correct ALPN to proxies (#24696)
Sending ALPN to a proxy, and then when tunneling, requires better
juggling of TLS configs. This improves the choice of TLS config in the
proxy connector, based on what reqwest does. It also includes some
`ext/fetch/tests.rs` that check the different combinations.
Fixes #24632
Fixes #24691
Diffstat (limited to 'ext/fetch/lib.rs')
-rw-r--r-- | ext/fetch/lib.rs | 20 |
1 files changed, 14 insertions, 6 deletions
diff --git a/ext/fetch/lib.rs b/ext/fetch/lib.rs index 1372329c4..9912ff307 100644 --- a/ext/fetch/lib.rs +++ b/ext/fetch/lib.rs @@ -2,6 +2,8 @@ mod fs_fetch_handler; mod proxy; +#[cfg(test)] +mod tests; use std::borrow::Cow; use std::cell::RefCell; @@ -62,7 +64,6 @@ use http::Method; use http::Uri; use http_body_util::BodyExt; use hyper::body::Frame; -use hyper_rustls::HttpsConnector; use hyper_util::client::legacy::connect::HttpConnector; use hyper_util::rt::TokioExecutor; use hyper_util::rt::TokioIo; @@ -975,6 +976,10 @@ pub fn create_http_client( deno_tls::SocketUse::Http, )?; + // Proxy TLS should not send ALPN + tls_config.alpn_protocols.clear(); + let proxy_tls_config = Arc::from(tls_config.clone()); + let mut alpn_protocols = vec![]; if options.http2 { alpn_protocols.push("h2".into()); @@ -987,7 +992,6 @@ pub fn create_http_client( let mut http_connector = HttpConnector::new(); http_connector.enforce_http(false); - let connector = HttpsConnector::from((http_connector, tls_config.clone())); let user_agent = user_agent .parse::<HeaderValue>() @@ -1008,9 +1012,13 @@ pub fn create_http_client( proxies.prepend(intercept); } let proxies = Arc::new(proxies); - let mut connector = - proxy::ProxyConnector::new(proxies.clone(), connector, tls_config); - connector.user_agent(user_agent.clone()); + let connector = proxy::ProxyConnector { + http: http_connector, + proxies: proxies.clone(), + tls: tls_config, + tls_proxy: proxy_tls_config, + user_agent: Some(user_agent.clone()), + }; if let Some(pool_max_idle_per_host) = options.pool_max_idle_per_host { builder.pool_max_idle_per_host(pool_max_idle_per_host); @@ -1059,7 +1067,7 @@ pub struct Client { user_agent: HeaderValue, } -type Connector = proxy::ProxyConnector<HttpsConnector<HttpConnector>>; +type Connector = proxy::ProxyConnector<HttpConnector>; // clippy is wrong here #[allow(clippy::declare_interior_mutable_const)] |
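Review bot: The proxy config in the hunk at -975/+976 is only correct because of statement order that the hunk does not show. ALPN is cleared on the shared `tls_config` and the clone is taken before the `alpn_protocols` list built just below is (presumably) assigned to it, and that assignment lies outside the hunk, as does the rest of `create_http_client`. Clearing the clone instead keeps the intent local and safe against later reordering: `let mut proxy_tls_config = tls_config.clone();`, `proxy_tls_config.alpn_protocols.clear();`, `let proxy_tls_config = Arc::from(proxy_tls_config);`. The clone also inherits every other setting of the config built above (trust roots and any verification override or client certificate, none of which are visible here). The comment should therefore say that this is intended, e.g. `// TLS to the proxy hop: same trust settings as the origin config, but no ALPN offered`.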
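Review bot: In the hunk at -1008/+1012, `tls` and `tls_proxy` are filled side by side in a struct literal with nothing at the call site saying which hop each one serves. If the two fields share a type (the struct lives in `proxy.rs`, not shown here), swapping them would still compile and would offer ALPN to the proxy again. A one-line comment above the literal would pin this down, for example `// tls: origin connections, direct or tunneled (ALPN set); tls_proxy: TLS to the proxy itself (no ALPN)`. Building the connector from a literal also requires the fields to be visible outside `proxy`, which the removed `ProxyConnector::new` did not. If nothing else needs that access, a constructor would keep the surface smaller.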