ooni · bassosimone · Sep 15, 2023 · Sep 15, 2023 · Sep 15, 2023
@@ -26,7 +26,7 @@ require (
 	github.com/mitchellh/go-wordwrap v1.0.1
 	github.com/montanaflynn/stats v0.7.1
 	github.com/ooni/go-libtor v1.1.8
-	github.com/ooni/netem v0.0.0-20230906091637-85d962536ff3
+	github.com/ooni/netem v0.0.0-20230915101649-ab0dc13be014
 	github.com/ooni/oocrypto v0.5.3
 	github.com/ooni/oohttp v0.6.3
 	github.com/ooni/probe-assets v0.18.0

@@ -483,8 +483,8 @@ github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAl
 github.com/onsi/gomega v1.27.7 h1:fVih9JD6ogIiHUN6ePK7HJidyEDpWGVB5mzM7cWNXoU=
 github.com/ooni/go-libtor v1.1.8 h1:Wo3V3DVTxl5vZdxtQakqYP+DAHx7pPtAFSl1bnAa08w=
 github.com/ooni/go-libtor v1.1.8/go.mod h1:q1YyLwRD9GeMyeerVvwc0vJ2YgwDLTp2bdVcrh/JXyI=
-github.com/ooni/netem v0.0.0-20230906091637-85d962536ff3 h1:zpTbzNzpo00cKbjLLnWMKjZeGLdoNC81vMiBDiur7NU=
-github.com/ooni/netem v0.0.0-20230906091637-85d962536ff3/go.mod h1:3LJOzTIu2O4ADDJN2ILG4ViJOqyH/u9fKY8QT2Rma8Y=
+github.com/ooni/netem v0.0.0-20230915101649-ab0dc13be014 h1:4kOSV4D6mwrdoNUkAbGz1XoFUPcjsuNlLhZMc2CoHGg=
+github.com/ooni/netem v0.0.0-20230915101649-ab0dc13be014/go.mod h1:3LJOzTIu2O4ADDJN2ILG4ViJOqyH/u9fKY8QT2Rma8Y=
 github.com/ooni/oocrypto v0.5.3 h1:CAb0Ze6q/EWD1PRGl9KqpzMfkut4O3XMaiKYsyxrWOs=
 github.com/ooni/oocrypto v0.5.3/go.mod h1:HjEQ5pQBl6btcWgAsKKq1tFo8CfBrZu63C/vPAUGIDk=
 github.com/ooni/oohttp v0.6.3 h1:MHydpeAPU/LSDSI/hIFJwZm4afBhd2Yo+rNxxFdeMCY=

@@ -1,6 +1,7 @@
 package netxlite
 
 import (
+	"crypto/tls"
 	"net/url"
 
 	oohttp "github.com/ooni/oohttp"
@@ -94,3 +95,14 @@ func HTTPTransportOptionDisableCompression(value bool) HTTPTransportOption {
 		txp.DisableCompression = value
 	}
 }
+
+// HTTPTransportOptionTLSClientConfig configures the .TLSClientConfig field, which
+// otherwise is left nil, meaning we're using the crypto/tls or ooni/ootls defaults
+// including the default cert pool. Because leaving the default .TLSClientConfig
+// has implications when dialing TLS connections over an HTTP proxy, be aware that
+// this default value could change in a future release of ooni/probe-cli.
+func HTTPTransportOptionTLSClientConfig(config *tls.Config) HTTPTransportOption {
+	return func(txp *oohttp.Transport) {
+		txp.TLSClientConfig = config
+	}
+}
@@ -255,18 +255,18 @@ func (h *tlsHandshakerLogger) Handshake(
 	ctx context.Context, conn net.Conn, config *tls.Config,
 ) (net.Conn, tls.ConnectionState, error) {
 	h.DebugLogger.Debugf(
-		"tls {sni=%s next=%+v}...", config.ServerName, config.NextProtos)
+		"tls_handshake {sni=%s next=%+v}...", config.ServerName, config.NextProtos)
 	start := time.Now()
 	tlsconn, state, err := h.TLSHandshaker.Handshake(ctx, conn, config)
 	elapsed := time.Since(start)
 	if err != nil {
 		h.DebugLogger.Debugf(
-			"tls {sni=%s next=%+v}... %s in %s", config.ServerName,
+			"tls_handshake {sni=%s next=%+v}... %s in %s", config.ServerName,
 			config.NextProtos, err, elapsed)
 		return nil, tls.ConnectionState{}, err
 	}
 	h.DebugLogger.Debugf(
-		"tls {sni=%s next=%+v}... ok in %s {next=%s cipher=%s v=%s}",
+		"tls_handshake {sni=%s next=%+v}... ok in %s {next=%s cipher=%s v=%s}",
 		config.ServerName, config.NextProtos, elapsed, state.NegotiatedProtocol,
 		TLSCipherSuiteString(state.CipherSuite),
 		TLSVersionString(state.Version))

@@ -25,6 +25,10 @@ import (
 //
 // Use the former when you're using netem; the latter when using the stdlib.
 type TLSMITMProvider interface {
+	// CACert returns the CA certificate used by the server, which
+	// allows you to add to an existing [*x509.CertPool].
+	CACert() *x509.Certificate
+
 	// DefaultCertPool returns the default cert pool to use.
 	DefaultCertPool() (*x509.CertPool, error)
 
@@ -43,6 +47,11 @@ type netemTLSMITMProvider struct {
 	cfg *netem.TLSMITMConfig
 }
 
+// CACert implements TLSMITMProvider.
+func (p *netemTLSMITMProvider) CACert() *x509.Certificate {
+	return p.cfg.Cert
+}
+
 // DefaultCertPool implements TLSMITMProvider.
 func (p *netemTLSMITMProvider) DefaultCertPool() (*x509.CertPool, error) {
 	return p.cfg.CertPool()