Merge pull request #278 from depot/feat/tls-config-sni-validation

feat: add server name to verify the hostname on the returned certificates
depot · May 2, 2024 · 6023b8a · 6023b8a
2 parents 7dfab95 + 7ec7731
commit 6023b8a
Show file tree

Hide file tree

Showing 3 changed files with 3 additions and 3 deletions.
diff --git a/pkg/cmd/buildctl/dial-stdio.go b/pkg/cmd/buildctl/dial-stdio.go
@@ -255,7 +255,7 @@ func tlsConn(ctx context.Context, builder *machine.Machine) (net.Conn, error) {
 		return nil, fmt.Errorf("failed to append ca certs")
 	}
 
-	cfg := &tls.Config{RootCAs: certPool}
+	cfg := &tls.Config{RootCAs: certPool, ServerName: builder.ServerName}
 	if builder.Cert != "" || builder.Key != "" {
 		cert, err := tls.X509KeyPair([]byte(builder.Cert), []byte(builder.Key))
 		if err != nil {

diff --git a/pkg/connection/machine.go b/pkg/connection/machine.go
@@ -25,7 +25,7 @@ func TLSConn(ctx context.Context, builder *machine.Machine) (net.Conn, error) {
 		return nil, fmt.Errorf("failed to append ca certs")
 	}
 
-	cfg := &tls.Config{RootCAs: certPool}
+	cfg := &tls.Config{RootCAs: certPool, ServerName: builder.ServerName}
 	if builder.Cert != "" || builder.Key != "" {
 		cert, err := tls.X509KeyPair([]byte(builder.Cert), []byte(builder.Key))
 		if err != nil {

diff --git a/pkg/machine/machine.go b/pkg/machine/machine.go
@@ -194,7 +194,7 @@ func (m *Machine) Client(ctx context.Context) (*client.Client, error) {
 		}
 		caCert := file.Name()
 
-		opts = append(opts, client.WithCredentials("", caCert, cert, key))
+		opts = append(opts, client.WithCredentials(m.ServerName, caCert, cert, key))
 	}
 
 	if m.useGzip {