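package pool

import (
	"bufio"
	"net"
)

// PeekForTLS reads the first byte on conn to determine whether the client is
// starting a TLS handshake or sending a consul-specific framed rpc request.
//
// It returns the wrapped conn, whether the leading byte indicates TLS, and
// any error from reading that first byte.
//
// This function does not close the conn on an error, and it does not set a
// read deadline: the peek blocks until the first byte arrives or the read
// fails, so a caller that must bound that wait sets a deadline on conn first.
//
// The returned conn has the initial read buffered internally for the purposes
// of not consuming the first byte. After that buffer is drained the conn is a
// pass through to the original conn.
//
// The TLS record layer governs the very first byte. The available options start
// at 20 as per:
//
//   - v1.2: https://tools.ietf.org/html/rfc5246#appendix-A.1
//   - v1.3: https://tools.ietf.org/html/rfc8446#appendix-B.1
//
// Note: this indicates that '0' is 'invalid'. Given that we only care about
// the first byte of a long-lived connection this is irrelevant, since you must
// always start out with a client hello handshake which is '22'.
//
// The result is a protocol sniff of one byte, not an authentication step: a
// peer chooses its first byte, so isTLS says nothing beyond which handler the
// connection should be routed to.
func PeekForTLS(conn net.Conn) (net.Conn, bool, error) {
	br := bufio.NewReader(conn)

	// Peek(1) blocks until at least one byte is buffered. bufio reports any
	// short read as a non-nil error, so on the nil-error path exactly one byte
	// is available; the former len(peeked) == 0 branch was unreachable.
	if _, err := br.Peek(1); err != nil {
		return nil, false, err
	}

	// Hand back everything bufio already pulled off the wire so no bytes are
	// lost. Buffered() >= 1 here, so this Peek is served from the buffer and
	// peeked[0] is valid. The slice aliases br's internal buffer, which is safe
	// only because br is never read from again after this point.
	peeked, err := br.Peek(br.Buffered())
	if err != nil {
		return nil, false, err
	}

	// Anything above RPCMaxTypeValue is routed as TLS; this relies on
	// RPCMaxTypeValue sitting below the TLS record content-type range that
	// starts at 20 — confirm against its definition if it ever changes.
	isTLS := peeked[0] > RPCMaxTypeValue

	return &peekedConn{
		Peeked: peeked,
		Conn:   conn,
	}, isTLS, nil
}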