Add tooling to enable strict TLS.

cmd/stealchain/main.go

@@ -3,50 +3,47 @@ package main
 import (
 	"context"
 	"crypto/tls"
-	"crypto/x509"
 	"encoding/pem"
 	"flag"
 	"fmt"
 	"net"
 	"os"
 
+	"git.wntrmute.dev/kyle/goutils/certlib"
 	"git.wntrmute.dev/kyle/goutils/die"
 	"git.wntrmute.dev/kyle/goutils/lib"
 )
 
 func main() {
-	var cfg = &tls.Config{} // #nosec G402
-
 	var sysRoot, serverName string
+	var skipVerify bool
+	var strictTLS bool
+	lib.StrictTLSFlag(&strictTLS)
 	flag.StringVar(&sysRoot, "ca", "", "provide an alternate CA bundle")
-	flag.StringVar(&cfg.ServerName, "sni", cfg.ServerName, "provide an SNI name")
-	flag.BoolVar(&cfg.InsecureSkipVerify, "noverify", false, "don't verify certificates")
+	flag.StringVar(&serverName, "sni", "", "provide an SNI name")
+	flag.BoolVar(&skipVerify, "noverify", false, "don't verify certificates")
 	flag.Parse()
 
+	tlsCfg, err := lib.BaselineTLSConfig(skipVerify, strictTLS)
+	die.If(err)
+
 	if sysRoot != "" {
-		pemList, err := os.ReadFile(sysRoot)
+		tlsCfg.RootCAs, err = certlib.LoadPEMCertPool(sysRoot)
 		die.If(err)
-
-		roots := x509.NewCertPool()
-		if !roots.AppendCertsFromPEM(pemList) {
-			fmt.Printf("[!] no valid roots found")
-			roots = nil
-		}
-
-		cfg.RootCAs = roots
 	}
 
 	if serverName != "" {
-		cfg.ServerName = serverName
+		tlsCfg.ServerName = serverName
 	}
 
 	for _, site := range flag.Args() {
-		_, _, err := net.SplitHostPort(site)
+		_, _, err = net.SplitHostPort(site)
 		if err != nil {
 			site += ":443"
 		}
-		// Use proxy-aware TLS dialer
-		conn, err := lib.DialTLS(context.Background(), site, lib.DialerOpts{TLSConfig: cfg})
+
+		var conn *tls.Conn
+		conn, err = lib.DialTLS(context.Background(), site, lib.DialerOpts{TLSConfig: tlsCfg})
 		die.If(err)
 
 		cs := conn.ConnectionState()