logpolicy: also set up TLS dialing (for iOS) for log uploads

This was the last of the three places that do TLS from clients (logs, control, derp). With this, iOS should be able to use the memory-efficient x509 root CertPool.
2020-04-26 08:31:14 -07:00 · 2020-04-26 08:31:14 -07:00 · 9497921f52
parent c726c1eec9
commit 9497921f52
1 changed files with 8 additions and 3 deletions
--- a/logpolicy/logpolicy.go
+++ b/logpolicy/logpolicy.go
@ -29,6 +29,7 @@ import (
 	"tailscale.com/atomicfile"
 	"tailscale.com/logtail"
 	"tailscale.com/logtail/filch"
+	"tailscale.com/net/tlsdial"
 	"tailscale.com/version"
 )

@ -188,7 +189,7 @@ func New(collection string) *Policy {
 			}
 			return w
 		},
-		HTTPC: &http.Client{Transport: newLogtailTransport()},
+		HTTPC: &http.Client{Transport: newLogtailTransport(logtail.DefaultHost)},
 	}

 	filchBuf, filchErr := filch.New(filepath.Join(dir, version.CmdName()), filch.Options{})
@ -231,8 +232,9 @@ func (p *Policy) Shutdown(ctx context.Context) error {
 	return nil
 }

-// newLogtailTransport returns the HTTP Transport we use for uploading logs.
-func newLogtailTransport() *http.Transport {
+// newLogtailTransport returns the HTTP Transport we use for uploading
+// logs to the given host name.
+func newLogtailTransport(host string) *http.Transport {
 	// Start with a copy of http.DefaultTransport and tweak it a bit.
 	tr := http.DefaultTransport.(*http.Transport).Clone()

@ -273,5 +275,8 @@ func newLogtailTransport() *http.Transport {
 		tr.ForceAttemptHTTP2 = false
 		tr.TLSNextProto = map[string]func(authority string, c *tls.Conn) http.RoundTripper{}
 	}
+
+	tr.TLSClientConfig = tlsdial.Config(host, tr.TLSClientConfig)
+
 	return tr
 }