@oxtoacart oxtoacart/domainfront.go
Last active Aug 29, 2015

package main
import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"log"
	"net"
	"net/http"
	"os"
	"time"
)
const (
	// MASQUERADE_AS is the host name (no port) that the TCP connection and the
	// TLS handshake are made to, on port 443; its certificate is what gets
	// verified in dialTLS.
	MASQUERADE_AS = ""

	// REAL_DEST is the host written into the request URL, and therefore into
	// the HTTP Host header, on the connection that was opened to MASQUERADE_AS.
	REAL_DEST = ""
)
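// main issues one GET for REAL_DEST over a TLS session that dialTLS has
// already established to MASQUERADE_AS, and copies the response body to
// stdout.
//
// The URL scheme is deliberately "http": the Transport then speaks plain HTTP
// on whatever conn dialTLS hands back, and that conn is already a TLS conn, so
// no second handshake is attempted. The Host header names REAL_DEST while the
// TLS layer only ever saw MASQUERADE_AS.
//
// Every error is fatal: there is nothing to retry in a one-shot lookup. Note
// that log.Fatalf exits without running the deferred Body.Close, which is
// acceptable for a process that is terminating anyway.
func main() {
	client := &http.Client{
		Transport: &http.Transport{
			// Dial (rather than DialContext) keeps dialTLS's original
			// (network, addr) signature.
			Dial: dialTLS,
		},
		// Bound the whole exchange so a stalled front cannot hang the process.
		Timeout: 30 * time.Second,
	}

	req, err := http.NewRequest("GET", "http://"+REAL_DEST+"/lookup", nil)
	if err != nil {
		// Previously discarded; an empty REAL_DEST or a bad URL would otherwise
		// surface only as a confusing nil-request failure in client.Do.
		log.Fatalf("Unable to build request: %s", err)
	}

	resp, err := client.Do(req)
	log.Println("Made request")
	if err != nil {
		log.Fatalf("Unable to do GET: %s", err)
	}
	defer resp.Body.Close()

	if _, err := io.Copy(os.Stdout, resp.Body); err != nil {
		// A truncated body should not look like success.
		log.Fatalf("Unable to read response body: %s", err)
	}
}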
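// dialTLS opens a TCP connection to MASQUERADE_AS:443, performs a TLS
// handshake that carries no ServerName, and returns the TLS conn. The network
// and addr arguments are ignored on purpose: every connection the Transport
// asks for is routed to the front host.
//
// net.Dial + tls.Client is used instead of tls.Dial because tls.Dial fills in
// ServerName from the dialed address. With ServerName empty, crypto/tls
// requires InsecureSkipVerify, and that flag disables all certificate checking
// during the handshake — so the chain is verified afterwards by
// verifyServerCerts and the leaf's name by x509.Certificate.VerifyHostname.
// (On Go 1.8+ the same can be expressed with tls.Config.VerifyPeerCertificate.)
//
// On any failure after the TCP dial the connection is closed before the error
// is returned, so a failed handshake or verification does not leak a socket.
// Returns the handshake error unchanged, or a wrapped verification error.
func dialTLS(network, addr string) (net.Conn, error) {
	conn, err := net.Dial("tcp", MASQUERADE_AS+":443")
	if err != nil {
		return nil, err
	}

	tlsConn := tls.Client(conn, &tls.Config{
		// Required by the client handshake when ServerName is empty; the
		// verification it switches off is done by hand below.
		InsecureSkipVerify: true,
	})
	if err := tlsConn.Handshake(); err != nil {
		conn.Close()
		return nil, err
	}

	// Step 1: chain validity — the presented certificates must build a path
	// to a system root.
	if err := verifyServerCerts(tlsConn); err != nil {
		tlsConn.Close()
		return nil, fmt.Errorf("Unable to verify server cert: %s", err)
	}

	// Step 2: name binding. verifyServerCerts leaves DNSName unset, so on its
	// own it accepts any certificate trusted by the system for any domain —
	// exactly what an interposed party would hold. tls.Conn.VerifyHostname is
	// not usable here because it returns an error when the handshake was done
	// with InsecureSkipVerify, so the leaf certificate is checked directly.
	certs := tlsConn.ConnectionState().PeerCertificates
	if len(certs) == 0 {
		tlsConn.Close()
		return nil, errors.New("Unable to verify server cert: no certificates presented")
	}
	if err := certs[0].VerifyHostname(MASQUERADE_AS); err != nil {
		tlsConn.Close()
		return nil, fmt.Errorf("Unable to verify server cert for %q: %s", MASQUERADE_AS, err)
	}

	return tlsConn, nil
}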
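// verifyServerCerts validates the certificate chain the peer presented on conn
// against the system root pool. It exists because dialTLS handshakes with
// InsecureSkipVerify, which disables the verification crypto/tls would
// otherwise perform.
//
// Only chain validity is checked: DNSName is left empty in the VerifyOptions,
// so this function does NOT confirm that the leaf was issued for any
// particular host. Callers must do that separately (for example with
// x509.Certificate.VerifyHostname); without it, any system-trusted
// certificate for any domain passes.
//
// Returns the error from x509.Certificate.Verify, or an error when the peer
// sent no certificates at all (indexing certs[0] on an empty chain would
// otherwise panic).
func verifyServerCerts(conn *tls.Conn) error {
	certs := conn.ConnectionState().PeerCertificates
	if len(certs) == 0 {
		return errors.New("server presented no certificates")
	}

	opts := x509.VerifyOptions{
		Roots:         nil, // nil selects the system root pool
		CurrentTime:   time.Now(),
		Intermediates: x509.NewCertPool(),
	}
	// Everything after the leaf is offered as a candidate intermediate so
	// Verify can build a path from certs[0] to a root.
	for _, cert := range certs[1:] {
		opts.Intermediates.AddCert(cert)
	}

	_, err := certs[0].Verify(opts)
	return err
}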