Remove the TLS-ALPN-01 tlsDial helper (#6954)

This minor cleanup was found in the process of fixing tests in https://github.com/letsencrypt/boulder/pull/6952, and resolves a TODO from 2018.
2023-06-26 10:56:52 -07:00 · 2023-06-26 10:56:52 -07:00 · 620699216f
parent 66cfad1892
commit 620699216f
2 changed files with 9 additions and 32 deletions
--- a/va/tlsalpn.go
+++ b/va/tlsalpn.go
@ -128,8 +128,12 @@ func (va *ValidationAuthorityImpl) getChallengeCert(
 	va.log.Info(fmt.Sprintf("%s [%s] Attempting to validate for %s %s", challenge.Type, identifier, hostPort, config.ServerName))
 	// We expect a self-signed challenge certificate, do not verify it here.
 	config.InsecureSkipVerify = true
 	conn, err := va.tlsDial(ctx, hostPort, config)
 	dialCtx, cancel := context.WithTimeout(ctx, va.singleDialTimeout)
 	defer cancel()
 	dialer := &tls.Dialer{Config: config}
 	conn, err := dialer.DialContext(dialCtx, "tcp", hostPort)
 	if err != nil {
 		va.log.Infof("%s connection failure for %s. err=[%#v] errStr=[%s]", challenge.Type, identifier, err, err)
 		host, _, splitErr := net.SplitHostPort(hostPort)
@ -140,14 +144,11 @@ func (va *ValidationAuthorityImpl) getChallengeCert(
 			return nil, nil, detailedError(ipError{net.ParseIP(host), err})
 		}
 		return nil, nil, detailedError(err)
 	}
-	// close errors are not important here
+	defer conn.Close()
 	defer func() {
 		_ = conn.Close()
 	}()
-	cs := conn.ConnectionState()
+	// tls.Dialer.DialContext guarantees that the *net.Conn it returns is a *tls.Conn.
 	cs := conn.(*tls.Conn).ConnectionState()
 	certs := cs.PeerCertificates
 	if len(certs) == 0 {
 		va.log.Infof("%s challenge for %s resulted in no certificates", challenge.Type, identifier.Value)
@ -160,30 +161,6 @@ func (va *ValidationAuthorityImpl) getChallengeCert(
 	return certs[0], &cs, nil
 }
 // tlsDial does the equivalent of tls.Dial, but obeying a context. Once
 // tls.DialContextWithDialer is available, switch to that.
 func (va *ValidationAuthorityImpl) tlsDial(ctx context.Context, hostPort string, config *tls.Config) (*tls.Conn, error) {
 	ctx, cancel := context.WithTimeout(ctx, va.singleDialTimeout)
 	defer cancel()
 	dialer := &net.Dialer{}
 	netConn, err := dialer.DialContext(ctx, "tcp", hostPort)
 	if err != nil {
 		return nil, err
 	}
 	deadline, ok := ctx.Deadline()
 	if !ok {
 		va.log.AuditErr("tlsDial was called without a deadline")
 		return nil, fmt.Errorf("tlsDial was called without a deadline")
 	}
 	_ = netConn.SetDeadline(deadline)
 	conn := tls.Client(netConn, config)
 	err = conn.Handshake()
 	if err != nil {
 		return nil, err
 	}
 	return conn, nil
 }
 func checkExpectedSAN(cert *x509.Certificate, name identifier.ACMEIdentifier) error {
 	if len(cert.DNSNames) != 1 {
 		return errors.New("wrong number of dNSNames")
--- a/va/tlsalpn_test.go
+++ b/va/tlsalpn_test.go
@ -196,7 +196,7 @@ func TestTLSALPNTimeoutAfterConnect(t *testing.T) {
 		t.Fatalf("Connection should've timed out")
 	}
 	test.AssertEquals(t, prob.Type, probs.ConnectionProblem)
-	expected := "127.0.0.1: Timeout during read (your server may be slow or overloaded)"
+	expected := "127.0.0.1: Timeout after connect (your server may be slow or overloaded)"
 	if prob.Detail != expected {
 		t.Errorf("Wrong error detail. Expected %q, got %q", expected, prob.Detail)
 	}