Do not explicitly set SNI in HTTPGetter

2 years ago · 295f825199
parent 2745909d3d
commit 295f825199
4 changed files with 193 additions and 10 deletions
--- a/pkg/getter/httpgetter.go
+++ b/pkg/getter/httpgetter.go
@ -26,7 +26,6 @@ import (
 	"github.com/pkg/errors"
 	"helm.sh/helm/v3/internal/tlsutil"
 	"helm.sh/helm/v3/internal/urlutil"
 	"helm.sh/helm/v3/internal/version"
 )
@ -129,12 +128,6 @@ func (g *HTTPGetter) httpClient() (*http.Client, error) {
 			return nil, errors.Wrap(err, "can't create TLS config for client")
 		}
 		sni, err := urlutil.ExtractHostname(g.opts.url)
 		if err != nil {
 			return nil, err
 		}
 		tlsConf.ServerName = sni
 		g.transport.TLSClientConfig = tlsConf
 	}
--- a/pkg/getter/httpgetter_test.go
+++ b/pkg/getter/httpgetter_test.go
@ -18,6 +18,7 @@ package getter
 import (
 	"fmt"
 	"io"
 	"io/ioutil"
 	"net/http"
 	"net/http/httptest"
 	"net/url"
@ -331,6 +332,121 @@ func TestDownloadTLS(t *testing.T) {
 	}
 }
 func TestDownloadTLSWithRedirect(t *testing.T) {
 	cd := "../../testdata"
 	srv2Resp := "hello"
 	insecureSkipTLSverify := false
 	// Server 2 that will actually fulfil the request.
 	ca, pub, priv := filepath.Join(cd, "rootca.crt"), filepath.Join(cd, "localhost-crt.pem"), filepath.Join(cd, "key.pem")
 	tlsConf, err := tlsutil.NewClientTLS(pub, priv, ca, insecureSkipTLSverify)
 	if err != nil {
 		t.Fatal(errors.Wrap(err, "can't create TLS config for client"))
 	}
 	tlsSrv2 := httptest.NewUnstartedServer(http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 		rw.Header().Set("Content-Type", "text/plain")
 		rw.Write([]byte(srv2Resp))
 	}))
 	tlsSrv2.TLS = tlsConf
 	tlsSrv2.StartTLS()
 	defer tlsSrv2.Close()
 	// Server 1 responds with a redirect to Server 2.
 	ca, pub, priv = filepath.Join(cd, "rootca.crt"), filepath.Join(cd, "crt.pem"), filepath.Join(cd, "key.pem")
 	tlsConf, err = tlsutil.NewClientTLS(pub, priv, ca, insecureSkipTLSverify)
 	if err != nil {
 		t.Fatal(errors.Wrap(err, "can't create TLS config for client"))
 	}
 	tlsSrv1 := httptest.NewUnstartedServer(http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 		u, _ := url.ParseRequestURI(tlsSrv2.URL)
 		// Make the request using the hostname 'localhost' (to which 'localhost-crt.pem' is issued)
 		// to verify that a successful TLS connection is made even if the client doesn't specify
 		// the hostname (SNI) in `tls.Config.ServerName`. By default the hostname is derived from the
 		// request URL for every request (including redirects). Setting `tls.Config.ServerName` on the
 		// client just overrides the remote endpoint's hostname.
 		// See https://golang.org/src/net/http/transport.go#L1505.
 		u.Host = fmt.Sprintf("localhost:%s", u.Port())
 		http.Redirect(rw, r, u.String(), http.StatusTemporaryRedirect)
 	}))
 	tlsSrv1.TLS = tlsConf
 	tlsSrv1.StartTLS()
 	defer tlsSrv1.Close()
 	u, _ := url.ParseRequestURI(tlsSrv1.URL)
 	t.Run("Test with TLS", func(t *testing.T) {
 		g, err := NewHTTPGetter(
 			WithURL(u.String()),
 			WithTLSClientConfig(pub, priv, ca),
 		)
 		if err != nil {
 			t.Fatal(err)
 		}
 		buf, err := g.Get(u.String())
 		if err != nil {
 			t.Error(err)
 		}
 		b, err := ioutil.ReadAll(buf)
 		if err != nil {
 			t.Error(err)
 		}
 		if string(b) != srv2Resp {
 			t.Errorf("expected response from Server2 to be '%s', instead got: %s", srv2Resp, string(b))
 		}
 	})
 	t.Run("Test with TLS config being passed along in .Get (see #6635)", func(t *testing.T) {
 		g, err := NewHTTPGetter()
 		if err != nil {
 			t.Fatal(err)
 		}
 		buf, err := g.Get(u.String(), WithURL(u.String()), WithTLSClientConfig(pub, priv, ca))
 		if err != nil {
 			t.Error(err)
 		}
 		b, err := ioutil.ReadAll(buf)
 		if err != nil {
 			t.Error(err)
 		}
 		if string(b) != srv2Resp {
 			t.Errorf("expected response from Server2 to be '%s', instead got: %s", srv2Resp, string(b))
 		}
 	})
 	t.Run("Test with only the CA file (see also #6635)", func(t *testing.T) {
 		g, err := NewHTTPGetter()
 		if err != nil {
 			t.Fatal(err)
 		}
 		buf, err := g.Get(u.String(), WithURL(u.String()), WithTLSClientConfig("", "", ca))
 		if err != nil {
 			t.Error(err)
 		}
 		b, err := ioutil.ReadAll(buf)
 		if err != nil {
 			t.Error(err)
 		}
 		if string(b) != srv2Resp {
 			t.Errorf("expected response from Server2 to be '%s', instead got: %s", srv2Resp, string(b))
 		}
 	})
 }
 func TestDownloadInsecureSkipTLSVerify(t *testing.T) {
 	ts := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {}))
 	defer ts.Close()
@ -423,9 +539,6 @@ func TestHttpClientInsecureSkipVerify(t *testing.T) {
 	if len(transport.TLSClientConfig.Certificates) <= 0 {
 		t.Fatal("transport.TLSClientConfig.Certificates is not present")
 	}
 	if transport.TLSClientConfig.ServerName == "" {
 		t.Fatal("TLSClientConfig.ServerName is blank")
 	}
 }
 func verifyInsecureSkipVerify(t *testing.T, g *HTTPGetter, caseName string, expectedValue bool) *http.Transport {
--- a/testdata/localhost-cert.pem
+++ b/testdata/localhost-cert.pem
@ -0,0 +1,73 @@
 Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            21:73:9a:e7:be:ce:22:31:b5:21:c9:0c:ee:b6:08:1f:37:df:25:bb
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=CO, L=Boulder, O=Helm, CN=helm.sh
        Validity
            Not Before: Mar 25 00:42:21 2021 GMT
            Not After : Mar 23 00:42:21 2031 GMT
        Subject: C=CA, ST=ON, L=Kitchener, O=Helm, CN=localhost
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:c8:89:55:0d:0b:f1:da:e6:c0:70:7d:d3:27:cd:
                    b8:a8:81:8b:7c:a4:89:e5:d1:b1:78:01:1d:df:44:
                    88:0b:fc:d6:81:35:3d:d1:3b:5e:8f:bb:93:b3:7e:
                    28:db:ed:ff:a0:13:3a:70:a3:fe:94:6b:0b:fe:fb:
                    63:00:b0:cb:dc:81:cd:80:dc:d0:2f:bf:b2:4f:9a:
                    81:d4:22:dc:97:c8:8f:27:86:59:91:fa:92:05:75:
                    c4:cc:6b:f5:a9:6b:74:1e:f5:db:a9:f8:bf:8c:a2:
                    25:fd:a0:cc:79:f4:25:57:74:a9:23:9b:e2:b7:22:
                    7a:14:7a:3d:ea:f1:7e:32:6b:57:6c:2e:c6:4f:75:
                    54:f9:6b:54:d2:ca:eb:54:1c:af:39:15:9b:d0:7c:
                    0f:f8:55:51:04:ea:da:fa:7b:8b:63:0f:ac:39:b1:
                    f6:4b:8e:4e:f6:ea:e9:7b:e6:ba:5e:5a:8e:91:ef:
                    dc:b1:7d:52:3f:73:83:52:46:83:48:49:ff:f2:2d:
                    ca:54:f2:36:bb:49:cc:59:99:c0:9e:cf:8e:78:55:
                    6c:ed:7d:7e:83:b8:59:2c:7d:f8:1a:81:f0:7d:f5:
                    27:f2:db:ae:d4:31:54:38:fe:47:b2:ee:16:20:0f:
                    f1:db:2d:28:bf:6f:38:eb:11:bb:9a:d4:b2:5a:3a:
                    4a:7f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:localhost
    Signature Algorithm: sha256WithRSAEncryption
         bd:f8:df:36:d9:9e:14:3b:4f:68:b6:d4:40:e0:89:51:e1:a1:
         f1:4d:ec:9f:f2:78:e8:f1:4c:45:aa:4b:4a:7c:39:db:b1:9f:
         76:56:5b:d1:7e:46:67:9a:7a:52:f3:f8:3d:26:92:d8:c9:06:
         6e:00:a9:ce:4d:98:24:0a:5a:4b:cc:49:91:9a:ef:ce:77:67:
         df:50:d3:66:d1:34:32:aa:17:c8:71:d5:b4:97:b0:a3:a0:9c:
         3b:c4:c2:d6:b6:91:77:4d:68:89:d3:84:c9:6d:42:db:55:96:
         2c:25:40:60:1d:38:41:76:0b:3f:b7:e1:7e:05:82:db:7a:56:
         e0:25:ad:34:62:1f:fa:49:18:3e:62:6a:ef:5b:8f:0d:3f:06:
         8a:9b:f7:a7:5f:b3:8e:26:62:5f:92:ab:43:e7:dd:79:90:c8:
         01:09:c3:42:cd:d8:e0:16:17:4f:71:20:18:07:51:b8:60:c1:
         61:3f:76:f1:3e:1e:ad:d5:52:33:27:c3:ef:0f:78:ab:c1:95:
         0e:34:b4:5f:92:54:33:fd:e0:7d:34:27:80:e5:94:a9:2d:db:
         7e:d9:c8:e2:ec:8e:cf:ec:dd:41:6e:d4:c9:2c:2d:a4:eb:63:
         a7:4e:62:a7:44:a8:19:e6:7c:47:4f:d2:aa:7f:21:fd:90:a6:
         4c:b4:b3:7a
 -----BEGIN CERTIFICATE-----
 MIIDRDCCAiygAwIBAgIUIXOa577OIjG1IckM7rYIHzffJbswDQYJKoZIhvcNAQEL
 BQAwTTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNPMRAwDgYDVQQHDAdCb3VsZGVy
 MQ0wCwYDVQQKDARIZWxtMRAwDgYDVQQDDAdoZWxtLnNoMB4XDTIxMDMyNTAwNDIy
 MVoXDTMxMDMyMzAwNDIyMVowUTELMAkGA1UEBhMCQ0ExCzAJBgNVBAgMAk9OMRIw
 EAYDVQQHDAlLaXRjaGVuZXIxDTALBgNVBAoMBEhlbG0xEjAQBgNVBAMMCWxvY2Fs
 aG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMiJVQ0L8drmwHB9
 0yfNuKiBi3ykieXRsXgBHd9EiAv81oE1PdE7Xo+7k7N+KNvt/6ATOnCj/pRrC/77
 YwCwy9yBzYDc0C+/sk+agdQi3JfIjyeGWZH6kgV1xMxr9alrdB7126n4v4yiJf2g
 zHn0JVd0qSOb4rciehR6PerxfjJrV2wuxk91VPlrVNLK61QcrzkVm9B8D/hVUQTq
 2vp7i2MPrDmx9kuOTvbq6Xvmul5ajpHv3LF9Uj9zg1JGg0hJ//ItylTyNrtJzFmZ
 wJ7PjnhVbO19foO4WSx9+BqB8H31J/LbrtQxVDj+R7LuFiAP8dstKL9vOOsRu5rU
 slo6Sn8CAwEAAaMYMBYwFAYDVR0RBA0wC4IJbG9jYWxob3N0MA0GCSqGSIb3DQEB
 CwUAA4IBAQC9+N822Z4UO09ottRA4IlR4aHxTeyf8njo8UxFqktKfDnbsZ92VlvR
 fkZnmnpS8/g9JpLYyQZuAKnOTZgkClpLzEmRmu/Od2ffUNNm0TQyqhfIcdW0l7Cj
 oJw7xMLWtpF3TWiJ04TJbULbVZYsJUBgHThBdgs/t+F+BYLbelbgJa00Yh/6SRg+
 YmrvW48NPwaKm/enX7OOJmJfkqtD5915kMgBCcNCzdjgFhdPcSAYB1G4YMFhP3bx
 Ph6t1VIzJ8PvD3irwZUONLRfklQz/eB9NCeA5ZSpLdt+2cji7I7P7N1BbtTJLC2k
 62OnTmKnRKgZ5nxHT9KqfyH9kKZMtLN6
 -----END CERTIFICATE-----
--- a/testdata/openssl.conf
+++ b/testdata/openssl.conf
@ -40,3 +40,7 @@ subjectAltName = @alternate_names
 [alternate_names]
 DNS.1   = helm.sh
 IP.1    = 127.0.0.1
 # # Used to generate localhost-crt.pem
 # [alternate_names]
 # DNS.1   = localhost