Skip to content

martian: move TLS handshake from forwarder.Listener#941

Merged
mmatczuk merged 2 commits intomainfrom
hg/move_tls
Oct 16, 2024
Merged

martian: move TLS handshake from forwarder.Listener#941
mmatczuk merged 2 commits intomainfrom
hg/move_tls

Conversation

@Choraden
Copy link
Contributor

@Choraden Choraden commented Oct 14, 2024
edited
Loading

Listener is not the right place to do the handshake. It may block main accept loop.
Martian Proxy will explicitly do the handshake if accepted connection is tls.Conn.

Consequences:

  • Metrics no longer report TLS handshake errors.

Fixes #917

@mmatczuk
Copy link
Contributor

mmatczuk commented Oct 15, 2024

The question is what do we do with the tls handshake metric?

@Choraden
net: remove TLS handshake timeout from listener
d5e6021 
Listener is not the right place to do the handshake. It may block main accept loop.
@Choraden Choraden marked this pull request as ready for review October 15, 2024 13:56
@Choraden
Copy link
Contributor Author

Choraden commented Oct 15, 2024

I rebased and added a test.

The question is what do we do with the tls handshake metric?

That approach resigns from having a tls error metrics in forwarder. We don't have any metrics directly in martian and I see no point in adding it only for that.
If we want to have it, we need to implement conn wrapper that would do the handshake.

mmatczuk
mmatczuk reviewed Oct 16, 2024
View reviewed changes
internal/martian/proxy.go Outdated
pc := newProxyConn(p, conn)
pc, err := newProxyConn(p, conn)
if err != nil {
log.Errorf(context.TODO(), "failed to create proxy connection: %v", err)
Copy link
Contributor

@mmatczuk mmatczuk Oct 16, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe initialize would be better?

mmatczuk
mmatczuk reviewed Oct 16, 2024
View reviewed changes
internal/martian/proxy_conn.go Outdated
Comment on lines +51 to +61
ctx := context.Background()
if p.TLSHandshakeTimeout > 0 {
var cancel context.CancelFunc
ctx, cancel = context.WithTimeout(context.Background(), p.TLSHandshakeTimeout)
defer cancel()
}
if err := tconn.HandshakeContext(ctx); err != nil {
return nil, fmt.Errorf("failed to do TLS handshake: %w", err)
}
Copy link
Contributor

@mmatczuk mmatczuk Oct 16, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perhaps this should be extracted to method so that newProxyConn does not return error.
This would give us the opportunity to provide better errors.

Copy link
Contributor Author

@Choraden Choraden Oct 16, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A separate method to do the handshake has been added.

mmatczuk
mmatczuk reviewed Oct 16, 2024
View reviewed changes
internal/martian/proxy_conn.go Outdated
if tconn, ok := conn.(*tls.Conn); ok {
v.secure = true
v.cs = tconn.ConnectionState()
func (p *proxyConn) tlsHandshake() error {
Copy link
Contributor

@mmatczuk mmatczuk Oct 16, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd call that maybeHandshakeTLS

mmatczuk
mmatczuk reviewed Oct 16, 2024
View reviewed changes
internal/martian/proxy_conn.go Outdated
v.secure = true
v.cs = tconn.ConnectionState()
func (p *proxyConn) tlsHandshake() error {
if tconn, ok := p.conn.(*tls.Conn); ok {
Copy link
Contributor

@mmatczuk mmatczuk Oct 16, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Return early.

@Choraden
martian: add support for TLSHandshakeTimeout
06a73d5 
Martian Proxy will explicitly do the handshake if accepted connection is tls.Conn.
@mmatczuk mmatczuk self-requested a review October 16, 2024 10:25
@mmatczuk mmatczuk merged commit af3e220 into main Oct 16, 2024
@mmatczuk mmatczuk deleted the hg/move_tls branch October 16, 2024 10:25
@mmatczuk
Copy link
Contributor

mmatczuk commented Oct 16, 2024

LGTM

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@mmatczuk mmatczuk mmatczuk approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

martian: move TLS handshake from Listener to matrtian

2 participants

@Choraden @mmatczuk