Commonize passthrough logic for client certs, strict HTTPS & trusted CAs

Previously websockets & HTTP handled this slightly separately - it's
helpful to move as much as possible of this into a single place. More to
do around that generally, but step by step.

Author: pimterry

src/rules/passthrough-handling.ts

@@ -43,83 +43,117 @@ const SSL_OP_NO_ENCRYPT_THEN_MAC = 1 << 19;
 
 // All settings are designed to exactly match Firefox v103, since that's a good baseline
 // that seems to be widely accepted and is easy to emulate from Node.js.
-export const getUpstreamTlsOptions = ({ strictHttpsChecks, serverName }: {
-    strictHttpsChecks: boolean,
-    serverName?: string
-}): tls.ConnectionOptions => ({
-    servername: serverName && !isIP(serverName)
-        ? serverName
-        : undefined, // Can't send IPs in SNI
-    ecdhCurve: [
-        'X25519',
-        'prime256v1', // N.B. Equivalent to secp256r1
-        'secp384r1',
-        'secp521r1',
-        ...(NEW_CURVES_SUPPORTED
-            ? [ // Only available with OpenSSL v3+:
-                'ffdhe2048',
-                'ffdhe3072'
-            ] : []
-        )
-    ].join(':'),
-    sigalgs: [
-        'ecdsa_secp256r1_sha256',
-        'ecdsa_secp384r1_sha384',
-        'ecdsa_secp521r1_sha512',
-        'rsa_pss_rsae_sha256',
-        'rsa_pss_rsae_sha384',
-        'rsa_pss_rsae_sha512',
-        'rsa_pkcs1_sha256',
-        'rsa_pkcs1_sha384',
-        'rsa_pkcs1_sha512',
-        'ECDSA+SHA1',
-        'rsa_pkcs1_sha1'
-    ].join(':'),
-    ciphers: [
-        'TLS_AES_128_GCM_SHA256',
-        'TLS_CHACHA20_POLY1305_SHA256',
-        'TLS_AES_256_GCM_SHA384',
-        'ECDHE-ECDSA-AES128-GCM-SHA256',
-        'ECDHE-RSA-AES128-GCM-SHA256',
-        'ECDHE-ECDSA-CHACHA20-POLY1305',
-        'ECDHE-RSA-CHACHA20-POLY1305',
-        'ECDHE-ECDSA-AES256-GCM-SHA384',
-        'ECDHE-RSA-AES256-GCM-SHA384',
-        'ECDHE-ECDSA-AES256-SHA',
-        'ECDHE-ECDSA-AES128-SHA',
-        'ECDHE-RSA-AES128-SHA',
-        'ECDHE-RSA-AES256-SHA',
-        'AES128-GCM-SHA256',
-        'AES256-GCM-SHA384',
-        'AES128-SHA',
-        'AES256-SHA',
-
-        // This magic cipher is the very obtuse way that OpenSSL downgrades the overall
-        // security level to allow various legacy settings, protocols & ciphers:
-        ...(!strictHttpsChecks
-            ? ['@SECLEVEL=0']
-            : []
-        )
-    ].join(':'),
-    secureOptions: strictHttpsChecks
-        ? SSL_OP_TLSEXT_PADDING | SSL_OP_NO_ENCRYPT_THEN_MAC
-        : SSL_OP_TLSEXT_PADDING | SSL_OP_NO_ENCRYPT_THEN_MAC | SSL_OP_LEGACY_SERVER_CONNECT,
-    ...({
-        // Valid, but not included in Node.js TLS module types:
-        requestOSCP: true
-    } as any),
-
-    // Trust intermediate certificates from the trusted CA list too. Without this, trusted CAs
-    // are only used when they are self-signed root certificates. Seems to cause issues in Node v20
-    // in HTTP/2 tests, so disabled below the supported v22 version.
-    allowPartialTrustChain: semver.satisfies(process.version, '>=22.9.0'),
-
-    // Allow TLSv1, if !strict:
-    minVersion: strictHttpsChecks ? tls.DEFAULT_MIN_VERSION : 'TLSv1',
-
-    // Skip certificate validation entirely, if not strict:
-    rejectUnauthorized: strictHttpsChecks,
-});
+export function getUpstreamTlsOptions({
+    hostname,
+    port,
+
+    ignoreHostHttpsErrors,
+    clientCertificateHostMap,
+    trustedCAs
+}: {
+    // The effective hostname & port we're connecting to - note that this isn't exactly
+    // the same as the destination (e.g. if you tunnel to an IP but set a hostname via SNI
+    // then this is the hostname, not the IP).
+    hostname: string,
+    port: number,
+
+    // The general config that's relevant to this request:
+    ignoreHostHttpsErrors: string[] | boolean,
+    clientCertificateHostMap: { [host: string]: { pfx: Buffer, passphrase?: string } },
+    trustedCAs: Array<string> | undefined
+}): tls.ConnectionOptions {
+    const strictHttpsChecks = shouldUseStrictHttps(hostname, port, ignoreHostHttpsErrors);
+
+    const hostWithPort = `${hostname}:${port}`;
+    const clientCert = clientCertificateHostMap[hostWithPort] ||
+        clientCertificateHostMap[hostname] ||
+        {};
+
+    return {
+        servername: hostname && !isIP(hostname)
+            ? hostname
+            : undefined, // Can't send IPs in SNI
+
+        // We precisely control the various TLS parameters here to limit TLS fingerprinting issues:
+        ecdhCurve: [
+            'X25519',
+            'prime256v1', // N.B. Equivalent to secp256r1
+            'secp384r1',
+            'secp521r1',
+            ...(NEW_CURVES_SUPPORTED
+                ? [ // Only available with OpenSSL v3+:
+                    'ffdhe2048',
+                    'ffdhe3072'
+                ] : []
+            )
+        ].join(':'),
+        sigalgs: [
+            'ecdsa_secp256r1_sha256',
+            'ecdsa_secp384r1_sha384',
+            'ecdsa_secp521r1_sha512',
+            'rsa_pss_rsae_sha256',
+            'rsa_pss_rsae_sha384',
+            'rsa_pss_rsae_sha512',
+            'rsa_pkcs1_sha256',
+            'rsa_pkcs1_sha384',
+            'rsa_pkcs1_sha512',
+            'ECDSA+SHA1',
+            'rsa_pkcs1_sha1'
+        ].join(':'),
+        ciphers: [
+            'TLS_AES_128_GCM_SHA256',
+            'TLS_CHACHA20_POLY1305_SHA256',
+            'TLS_AES_256_GCM_SHA384',
+            'ECDHE-ECDSA-AES128-GCM-SHA256',
+            'ECDHE-RSA-AES128-GCM-SHA256',
+            'ECDHE-ECDSA-CHACHA20-POLY1305',
+            'ECDHE-RSA-CHACHA20-POLY1305',
+            'ECDHE-ECDSA-AES256-GCM-SHA384',
+            'ECDHE-RSA-AES256-GCM-SHA384',
+            'ECDHE-ECDSA-AES256-SHA',
+            'ECDHE-ECDSA-AES128-SHA',
+            'ECDHE-RSA-AES128-SHA',
+            'ECDHE-RSA-AES256-SHA',
+            'AES128-GCM-SHA256',
+            'AES256-GCM-SHA384',
+            'AES128-SHA',
+            'AES256-SHA',
+
+            // This magic cipher is the very obtuse way that OpenSSL downgrades the overall
+            // security level to allow various legacy settings, protocols & ciphers:
+            ...(!strictHttpsChecks
+                ? ['@SECLEVEL=0']
+                : []
+            )
+        ].join(':'),
+        secureOptions: strictHttpsChecks
+            ? SSL_OP_TLSEXT_PADDING | SSL_OP_NO_ENCRYPT_THEN_MAC
+            : SSL_OP_TLSEXT_PADDING | SSL_OP_NO_ENCRYPT_THEN_MAC | SSL_OP_LEGACY_SERVER_CONNECT,
+        ...({
+            // Valid, but not included in Node.js TLS module types:
+            requestOSCP: true
+        } as any),
+
+        // Trust intermediate certificates from the trusted CA list too. Without this, trusted CAs
+        // are only used when they are self-signed root certificates. Seems to cause issues in Node v20
+        // in HTTP/2 tests, so disabled below the supported v22 version.
+        allowPartialTrustChain: semver.satisfies(process.version, '>=22.9.0'),
+
+        // Allow TLSv1, if !strict:
+        minVersion: strictHttpsChecks ? tls.DEFAULT_MIN_VERSION : 'TLSv1',
+
+        // Skip certificate validation entirely, if not strict:
+        rejectUnauthorized: strictHttpsChecks,
+
+        // Override the set of trusted CAs, if configured to do so:
+        ...(trustedCAs ? {
+            ca: trustedCAs
+        } : {}),
+
+        // Use a client cert, if one matches for this hostname+port:
+        ...clientCert
+    }
+}
 
 export async function getTrustedCAs(
     trustedCAs: Array<CADefinition> | undefined,
@@ -478,7 +512,7 @@ export function getResponseContentLengthAfterModification(
 
 // Function to check if we should skip https errors for the current hostname and port,
 // based on the given config
-export function shouldUseStrictHttps(
+function shouldUseStrictHttps(
     hostname: string,
     port: number,
     ignoreHostHttpsErrors: string[] | boolean

src/rules/requests/request-step-impls.ts

@@ -22,7 +22,7 @@ import {
 } from "../../types";
 
 import { MaybePromise, ErrorLike, isErrorLike, delay } from '@httptoolkit/util';
-import { isAbsoluteUrl, getEffectivePort, getDefaultPort } from '../../util/url';
+import { isAbsoluteUrl, getEffectivePort } from '../../util/url';
 import {
     waitForCompletedRequest,
     buildBodyReader,
@@ -39,7 +39,6 @@ import {
     rawHeadersToObjectPreservingCase,
     flattenPairedRawHeaders,
     pairFlatRawHeaders,
-    findRawHeaderIndex,
     dropDefaultHeaders,
     validateHeader,
     updateRawHeaders,
@@ -81,7 +80,6 @@ import {
     MODIFIABLE_PSEUDOHEADERS,
     buildOverriddenBody,
     getUpstreamTlsOptions,
-    shouldUseStrictHttps,
     getClientRelativeHostname,
     getDnsLookupFunction,
     getTrustedCAs,
@@ -656,23 +654,7 @@ export class PassThroughStepImpl extends PassThroughStep {
         }
 
         const effectivePort = getEffectivePort({ protocol, port });
-
-        const strictHttpsChecks = shouldUseStrictHttps(
-            hostname!,
-            effectivePort,
-            this.ignoreHostHttpsErrors
-        );
-
-        // Use a client cert if it's listed for the host+port or whole hostname
-        const hostWithPort = `${hostname}:${effectivePort}`;
-        const clientCert = this.clientCertificateHostMap[hostWithPort] ||
-            this.clientCertificateHostMap[hostname!] ||
-            {};
-
-        const trustedCerts = await this.trustedCACertificates();
-        const caConfig = trustedCerts
-            ? { ca: trustedCerts }
-            : {};
+        const trustedCAs = await this.trustedCACertificates();
 
         // We only do H2 upstream for HTTPS. Http2-wrapper doesn't support H2C, it's rarely used
         // and we can't use ALPN to detect HTTP/2 support cleanly.
@@ -753,9 +735,13 @@ export class PassThroughStepImpl extends PassThroughStep {
                 agent,
 
                 // TLS options:
-                ...getUpstreamTlsOptions({ strictHttpsChecks, serverName: hostname }),
-                ...clientCert,
-                ...caConfig
+                ...getUpstreamTlsOptions({
+                    hostname,
+                    port: effectivePort,
+                    ignoreHostHttpsErrors: this.ignoreHostHttpsErrors,
+                    clientCertificateHostMap: this.clientCertificateHostMap,
+                    trustedCAs
+                })
             }, (serverRes) => (async () => {
                 serverRes.on('error', (e: any) => {
                     reportUpstreamAbort(e)

src/rules/websockets/websocket-step-impls.ts

@@ -28,7 +28,6 @@ import { getDefaultPort, getEffectivePort } from '../../util/url';
 import { resetOrDestroy } from '../../util/socket-util';
 import { isHttp2 } from '../../util/request-utils';
 import {
-    findRawHeader,
     findRawHeaders,
     objectHeadersToRaw,
     pairFlatRawHeaders,
@@ -43,7 +42,6 @@ import {
     getUpstreamTlsOptions,
     getClientRelativeHostname,
     getDnsLookupFunction,
-    shouldUseStrictHttps,
     getTrustedCAs,
     getEffectiveHostname,
     applyDestinationTransforms
@@ -319,22 +317,7 @@ export class PassThroughWebSocketStepImpl extends PassThroughWebSocketStep {
         const effectiveHostname = parsedUrl.hostname!; // N.b. not necessarily the same as destination
         const effectivePort = getEffectivePort(parsedUrl);
 
-        const strictHttpsChecks = shouldUseStrictHttps(
-            effectiveHostname,
-            effectivePort,
-            this.ignoreHostHttpsErrors
-        );
-
-        // Use a client cert if it's listed for the host+port or whole hostname
-        const hostWithPort = `${parsedUrl.hostname}:${effectivePort}`;
-        const clientCert = this.clientCertificateHostMap[hostWithPort] ||
-            this.clientCertificateHostMap[effectiveHostname] ||
-            {};
-
-        const trustedCerts = await this.trustedCACertificates();
-        const caConfig = trustedCerts
-            ? { ca: trustedCerts }
-            : {};
+        const trustedCAs = await this.trustedCACertificates();
 
         const proxySettingSource = assertParamDereferenced(this.proxyConfig) as ProxySettingSource;
 
@@ -385,9 +368,13 @@ export class PassThroughWebSocketStepImpl extends PassThroughWebSocketStep {
             ) as { [key: string]: string }, // Simplify to string - doesn't matter though, only used by http module anyway
 
             // TLS options:
-            ...getUpstreamTlsOptions({ strictHttpsChecks, serverName: effectiveHostname }),
-            ...clientCert,
-            ...caConfig
+            ...getUpstreamTlsOptions({
+                hostname: effectiveHostname,
+                port: effectivePort,
+                ignoreHostHttpsErrors: this.ignoreHostHttpsErrors,
+                clientCertificateHostMap: this.clientCertificateHostMap,
+                trustedCAs,
+            })
         } as WebSocket.ClientOptions & { lookup: any, maxPayload: number });
 
         if (options.emitEventCallback) {