50 lines
1.4 KiB
Go
50 lines
1.4 KiB
Go
package pool
|
|
|
|
import (
|
|
"bufio"
|
|
"net"
|
|
)
|
|
|
|
// PeekForTLS will read the first byte on the conn to determine if the client
|
|
// request is a TLS connection request or a consul-specific framed rpc request.
|
|
//
|
|
// This function does not close the conn on an error.
|
|
//
|
|
// The returned conn has the initial read buffered internally for the purposes
|
|
// of not consuming the first byte. After that buffer is drained the conn is a
|
|
// pass through to the original conn.
|
|
//
|
|
// The TLS record layer governs the very first byte. The available options start
|
|
// at 20 as per:
|
|
//
|
|
// - v1.2: https://tools.ietf.org/html/rfc5246#appendix-A.1
|
|
// - v1.3: https://tools.ietf.org/html/rfc8446#appendix-B.1
|
|
//
|
|
// Note: this indicates that '0' is 'invalid'. Given that we only care about
|
|
// the first byte of a long-lived connection this is irrelevant, since you must
|
|
// always start out with a client hello handshake which is '22'.
|
|
func PeekForTLS(conn net.Conn) (net.Conn, bool, error) {
|
|
br := bufio.NewReader(conn)
|
|
|
|
// Grab enough to read the first byte. Then drain the buffer so future
|
|
// reads can be direct.
|
|
peeked, err := br.Peek(1)
|
|
if err != nil {
|
|
return nil, false, err
|
|
} else if len(peeked) == 0 {
|
|
return conn, false, nil
|
|
}
|
|
|
|
peeked, err = br.Peek(br.Buffered())
|
|
if err != nil {
|
|
return nil, false, err
|
|
}
|
|
|
|
isTLS := (peeked[0] > RPCMaxTypeValue)
|
|
|
|
return &peekedConn{
|
|
Peeked: peeked,
|
|
Conn: conn,
|
|
}, isTLS, nil
|
|
}
|