Fix check if NegotiatedProtocol is empty

If peer doesn't support ALPN, ConnectionState.NegotiatedProtocol will be empty. NegotiatedProtocol should only be passed when not empty otherwise connection will fail. We pass what the client supports to the server and look at what was negotiated with the server. On the local end, we pick the exact protocol so that ALPN works.
buffrr · May 16, 2022 · 2258e51 · 2258e51
1 parent 7eea7b1
commit 2258e51
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/tunnel.go b/tunnel.go
@@ -123,7 +123,9 @@ func (h *tunneler) Tunnel(ctx context.Context, clientConn *proxy.Conn, network,
 	// used by the remote server
 	clientTLSConfig := h.mitm.configForTLSADomain(tlsaDomain)
 	if alpn {
-		clientTLSConfig.NextProtos = []string{remote.ConnectionState().NegotiatedProtocol}
+		if serverProto := remote.ConnectionState().NegotiatedProtocol; serverProto != "" {
+			clientTLSConfig.NextProtos = []string{serverProto}
+		}
 	}
 
 	clientTLS := tls.Server(clientConn, clientTLSConfig)