tailscale/derp
Brad Fitzpatrick 7cf8ec8108 net/tlsdial: bake in LetsEncrypt's ISRG Root X1 root
We still try the host's x509 roots first, but if that fails (like if
the host is old), we fall back to using LetsEncrypt's root and
retrying with that.

tlsdial was used in the three main places: logs, control, DERP. But it
was missing in dnsfallback. So added it there too, so we can run fine
now on a machine with no DNS config and no root CAs configured.

Also, move SSLKEYLOGFILE support out of DERP. tlsdial is the logical place
for that support.

Fixes #1609

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-10-01 08:30:07 -07:00
..
derphttp net/tlsdial: bake in LetsEncrypt's ISRG Root X1 root 2021-10-01 08:30:07 -07:00
testdata derp: add debug traffic handler 2021-06-18 15:47:55 -07:00
derp.go derp: add new health update and server restarting frame types 2021-08-31 13:31:51 -07:00
derp_client.go derp: throttle client sends if server advertises rate limits 2021-09-16 09:21:55 -07:00
derp_server.go derp: throttle client sends if server advertises rate limits 2021-09-16 09:21:55 -07:00
derp_test.go derp: throttle client sends if server advertises rate limits 2021-09-16 09:21:55 -07:00
dropreason_string.go derp: accept dup clients without closing prior's connection 2021-08-31 08:21:21 -07:00