Add proxy-aware dialing functions, and convert cmd/... tooling over.

cmd/cert-revcheck/main.go

@@ -7,7 +7,6 @@ import (
 	"errors"
 	"flag"
 	"fmt"
-	"net"
 	"os"
 	"strings"
 	"time"
@@ -16,6 +15,7 @@ import (
 	hosts "git.wntrmute.dev/kyle/goutils/certlib/hosts"
 	"git.wntrmute.dev/kyle/goutils/certlib/revoke"
 	"git.wntrmute.dev/kyle/goutils/fileutil"
+	"git.wntrmute.dev/kyle/goutils/lib"
 )
 
 var (
@@ -38,8 +38,10 @@ func main() {
 	flag.Parse()
 
 	revoke.HardFail = hardfail
-	// Set HTTP client timeout for revocation library
-	revoke.HTTPClient.Timeout = timeout
+	// Build a proxy-aware HTTP client for OCSP/CRL fetches
+	if httpClient, err := lib.NewHTTPClient(lib.DialerOpts{Timeout: timeout}); err == nil {
+		revoke.HTTPClient = httpClient
+	}
 
 	if flag.NArg() == 0 {
 		fmt.Fprintf(os.Stderr, "Usage: %s [options] <target> [<target>...]\n", os.Args[0])
@@ -99,28 +101,19 @@ func checkSite(hostport string) (string, error) {
 		return strUnknown, err
 	}
 
-	d := &net.Dialer{Timeout: timeout}
-	tcfg := &tls.Config{
-		InsecureSkipVerify: true,
-		ServerName:         target.Host,
-	} // #nosec G402 -- CLI tool only verifies revocation
-	td := &tls.Dialer{NetDialer: d, Config: tcfg}
-
 	ctx, cancel := context.WithTimeout(context.Background(), timeout)
 	defer cancel()
 
-	conn, err := td.DialContext(ctx, "tcp", target.String())
+	// Use proxy-aware TLS dialer
+	conn, err := lib.DialTLS(ctx, target.String(), lib.DialerOpts{Timeout: timeout, TLSConfig: &tls.Config{
+		InsecureSkipVerify: true, // #nosec G402 -- CLI tool only verifies revocation
+		ServerName:         target.Host,
+	}})
 	if err != nil {
 		return strUnknown, err
 	}
 	defer conn.Close()
-
-	tconn, ok := conn.(*tls.Conn)
-	if !ok {
-		return strUnknown, errors.New("connection is not TLS")
-	}
-
-	state := tconn.ConnectionState()
+	state := conn.ConnectionState()
 	if len(state.PeerCertificates) == 0 {
 		return strUnknown, errors.New("no peer certificates presented")
 	}

cmd/certchain/main.go

@@ -11,6 +11,7 @@ import (
 	"strings"
 
 	"git.wntrmute.dev/kyle/goutils/die"
+	"git.wntrmute.dev/kyle/goutils/lib"
 )
 
 var hasPort = regexp.MustCompile(`:\d+$`)
@@ -23,13 +24,9 @@ func main() {
 			server += ":443"
 		}
 
-		d := &tls.Dialer{Config: &tls.Config{}} // #nosec G402
-		nc, err := d.DialContext(context.Background(), "tcp", server)
+		// Use proxy-aware TLS dialer
+		conn, err := lib.DialTLS(context.Background(), server, lib.DialerOpts{TLSConfig: &tls.Config{}}) // #nosec G402
 		die.If(err)
-		conn, ok := nc.(*tls.Conn)
-		if !ok {
-			die.With("invalid TLS connection (not a *tls.Conn)")
-		}
 
 		defer conn.Close()
 

cmd/certdump/main.go

@@ -17,7 +17,6 @@ import (
 
 	"github.com/kr/text"
 
-	"git.wntrmute.dev/kyle/goutils/certlib"
 	"git.wntrmute.dev/kyle/goutils/lib"
 )
 
@@ -351,14 +350,14 @@ func main() {
 	flag.BoolVar(&leafOnly, "l", false, "only show the leaf certificate")
 	flag.Parse()
 
-	opts := &certlib.FetcherOpts{
+	opts := &lib.FetcherOpts{
 		SkipVerify: true,
 		Roots:      nil,
 	}
 
 	for _, filename := range flag.Args() {
 		fmt.Fprintf(os.Stdout, "--%s ---%s", filename, "\n")
-		certs, err := certlib.GetCertificateChain(filename, opts)
+		certs, err := lib.GetCertificateChain(filename, opts)
 		if err != nil {
 			_, _ = lib.Warn(err, "couldn't read certificate")
 			continue

cmd/certexpiry/main.go

@@ -9,7 +9,6 @@ import (
 	"strings"
 	"time"
 
-	"git.wntrmute.dev/kyle/goutils/certlib"
 	"git.wntrmute.dev/kyle/goutils/die"
 	"git.wntrmute.dev/kyle/goutils/lib"
 )
@@ -75,7 +74,7 @@ func checkCert(cert *x509.Certificate) {
 }
 
 func main() {
-	opts := &certlib.FetcherOpts{}
+	opts := &lib.FetcherOpts{}
 
 	flag.BoolVar(&opts.SkipVerify, "k", false, "skip server verification")
 	flag.BoolVar(&warnOnly, "q", false, "only warn about expiring certs")
@@ -83,7 +82,7 @@ func main() {
 	flag.Parse()
 
 	for _, file := range flag.Args() {
-		certs, err := certlib.GetCertificateChain(file, opts)
+		certs, err := lib.GetCertificateChain(file, opts)
 		if err != nil {
 			_, _ = lib.Warn(err, "while parsing certificates")
 			continue

cmd/certser/main.go

@@ -6,7 +6,6 @@ import (
 	"fmt"
 	"strings"
 
-	"git.wntrmute.dev/kyle/goutils/certlib"
 	"git.wntrmute.dev/kyle/goutils/die"
 	"git.wntrmute.dev/kyle/goutils/lib"
 )
@@ -32,7 +31,7 @@ func serialString(cert *x509.Certificate, mode lib.HexEncodeMode) string {
 }
 
 func main() {
-	opts := &certlib.FetcherOpts{}
+	opts := &lib.FetcherOpts{}
 	displayAs := flag.String("d", "int", "display mode (int, hex, uhex)")
 	showExpiry := flag.Bool("e", false, "show expiry date")
 	flag.BoolVar(&opts.SkipVerify, "k", false, "skip server verification")
@@ -41,7 +40,7 @@ func main() {
 	displayMode := parseDisplayMode(*displayAs)
 
 	for _, arg := range flag.Args() {
-		cert, err := certlib.GetCertificate(arg, opts)
+		cert, err := lib.GetCertificate(arg, opts)
 		die.If(err)
 
 		fmt.Printf("%s: %s", arg, serialString(cert, displayMode))

cmd/certverify/main.go

@@ -108,12 +108,12 @@ func run(cfg appConfig) error {
 		return fmt.Errorf("failed to build combined pool: %w", err)
 	}
 
-	opts := &certlib.FetcherOpts{
+	opts := &lib.FetcherOpts{
 		Roots:      combinedPool,
 		SkipVerify: cfg.skipVerify,
 	}
 
-	chain, err := certlib.GetCertificateChain(flag.Arg(0), opts)
+	chain, err := lib.GetCertificateChain(flag.Arg(0), opts)
 	if err != nil {
 		return err
 	}

cmd/rhash/main.go

@@ -9,6 +9,7 @@ import (
 	"net/url"
 	"os"
 	"path/filepath"
+	"time"
 
 	"git.wntrmute.dev/kyle/goutils/ahash"
 	"git.wntrmute.dev/kyle/goutils/die"
@@ -82,8 +83,13 @@ func main() {
 			_, _ = lib.Warn(reqErr, "building request for %s", remote)
 			continue
 		}
-		client := &http.Client{}
-		resp, err := client.Do(req)
+		// Use proxy-aware HTTP client with a reasonable timeout for connects/handshakes
+		httpClient, err := lib.NewHTTPClient(lib.DialerOpts{Timeout: 30 * time.Second})
+		if err != nil {
+			_, _ = lib.Warn(err, "building HTTP client for %s", remote)
+			continue
+		}
+		resp, err := httpClient.Do(req)
 		if err != nil {
 			_, _ = lib.Warn(err, "fetching %s", remote)
 			continue

cmd/stealchain/main.go

@@ -11,6 +11,7 @@ import (
 	"os"
 
 	"git.wntrmute.dev/kyle/goutils/die"
+	"git.wntrmute.dev/kyle/goutils/lib"
 )
 
 func main() {
@@ -44,15 +45,10 @@ func main() {
 		if err != nil {
 			site += ":443"
 		}
-		d := &tls.Dialer{Config: cfg}
-		nc, err := d.DialContext(context.Background(), "tcp", site)
+		// Use proxy-aware TLS dialer
+		conn, err := lib.DialTLS(context.Background(), site, lib.DialerOpts{TLSConfig: cfg})
 		die.If(err)
 
-		conn, ok := nc.(*tls.Conn)
-		if !ok {
-			die.With("invalid TLS connection (not a *tls.Conn)")
-		}
-
 		cs := conn.ConnectionState()
 		var chain []byte
 

cmd/tlsinfo/main.go

@@ -9,6 +9,7 @@ import (
 
 	"git.wntrmute.dev/kyle/goutils/certlib/hosts"
 	"git.wntrmute.dev/kyle/goutils/die"
+	"git.wntrmute.dev/kyle/goutils/lib"
 )
 
 func main() {
@@ -20,18 +21,14 @@ func main() {
 	hostPort, err := hosts.ParseHost(os.Args[1])
 	die.If(err)
 
-	d := &tls.Dialer{Config: &tls.Config{
-		InsecureSkipVerify: true,
-	}} // #nosec G402
-
-	nc, err := d.DialContext(context.Background(), "tcp", hostPort.String())
+	// Use proxy-aware TLS dialer; skip verification as before
+	conn, err := lib.DialTLS(
+		context.Background(),
+		hostPort.String(),
+		lib.DialerOpts{TLSConfig: &tls.Config{InsecureSkipVerify: true}},
+	) // #nosec G402
 	die.If(err)
 
-	conn, ok := nc.(*tls.Conn)
-	if !ok {
-		die.With("invalid TLS connection (not a *tls.Conn)")
-	}
-
 	defer conn.Close()
 
 	state := conn.ConnectionState()