Merge pull request #507 from projectdiscovery/dwisiswant0/feat/add-TLS-session-cache-for-conn-resumption

feat: add TLS session cache for conn resumption

Author: Mzack9999

buggyhttp/buggyhttp.go

@@ -67,7 +67,7 @@ func messyEncoding(w http.ResponseWriter, req *http.Request) {
 	}
 
 	for _, oneencodingfrommany := range soManyEncodings {
-		fmt.Fprint(w, oneencodingfrommany)
+		_, _ = fmt.Fprint(w, oneencodingfrommany)
 	}
 }
 
@@ -77,7 +77,7 @@ func superSlow(w http.ResponseWriter, req *http.Request) {
 	z := w.(http.Flusher)
 	for name, headers := range req.Header {
 		for _, h := range headers {
-			fmt.Fprintf(w, "%v: %v\n", name, h)
+			_, _ = fmt.Fprintf(w, "%v: %v\n", name, h)
 			z.Flush()
 			time.Sleep(250 * time.Millisecond)
 		}
@@ -98,7 +98,9 @@ func superSlow(w http.ResponseWriter, req *http.Request) {
 func emptyResponse(w http.ResponseWriter, req *http.Request) {
 	hj, _ := w.(http.Hijacker)
 	conn, _, _ := hj.Hijack()
-	defer conn.Close()
+	defer func() {
+		_ = conn.Close()
+	}()
 }
 
 // SO MANY REDIRECTS
@@ -111,7 +113,9 @@ func infiniteRedirects(w http.ResponseWriter, req *http.Request) {
 func unexpectedEOF(w http.ResponseWriter, req *http.Request) {
 	hj, _ := w.(http.Hijacker)
 	conn, bufrw, _ := hj.Hijack()
-	defer conn.Close()
+	defer func() {
+		_ = conn.Close()
+	}()
 	// reply with bogus data - this should either crash the client or trigger a recoverable error on
 	// default retryablehttp requests
 	_, _ = bufrw.WriteString("HTTP/1.1 200 OK\n" +
@@ -121,18 +125,18 @@ func unexpectedEOF(w http.ResponseWriter, req *http.Request) {
 	// "Content-Length: -124" +
 	// "Content-Type: whatzdacontenttype" +
 	// "Connection: drunk")
-	bufrw.Flush()
+	_ = bufrw.Flush()
 }
 
 // Simulate normal 200 answer with body
 func foo(w http.ResponseWriter, req *http.Request) {
-	fmt.Fprintf(w, "foo")
+	_, _ = fmt.Fprintf(w, "foo")
 }
 
 // generates recoverable errors until SuccessAfter attempts => after it 200 + body
 var count int // as of now a local horrible variable suffice
 func successAfter(w http.ResponseWriter, req *http.Request) {
-	var successAfter int = defaultSuccessAfterThreshold
+	successAfter := defaultSuccessAfterThreshold
 	if req.FormValue("successAfter") != "" {
 		if i, err := strconv.Atoi(req.FormValue("successAfter")); err == nil {
 			successAfter = i
@@ -143,7 +147,9 @@ func successAfter(w http.ResponseWriter, req *http.Request) {
 	if count <= successAfter {
 		hj, _ := w.(http.Hijacker)
 		conn, bufrw, _ := hj.Hijack()
-		defer conn.Close()
+		defer func() {
+			_ = conn.Close()
+		}()
 		// reply with bogus data - this should either crash the client or trigger a recoverable error on
 		// default retryablehttp requests
 		_, _ = bufrw.WriteString("HHHTTP\\1,.1 -500 MAYBEOK\n" +
@@ -153,17 +159,15 @@ func successAfter(w http.ResponseWriter, req *http.Request) {
 			"Content-Length: -124\n" +
 			"Content-Type: whatzdacontenttype\n" +
 			"Connection: drunk")
-		bufrw.Flush()
+		_ = bufrw.Flush()
 		return
 	}
 
 	// zeroes attempts and return 200 + valid body
 	count = 0
-	fmt.Fprintf(w, "foo")
+	_, _ = fmt.Fprintf(w, "foo")
 }
 
-
-
 var (
 	server    *http.Server
 	serverTLS *http.Server

client.go

@@ -68,30 +68,36 @@ type Options struct {
 	WrapTransport func(http.RoundTripper) http.RoundTripper
 	// Trace enables tracing of the HTTP request
 	Trace bool
+	// TLSSessionCacheSize specifies the size of the TLS session cache.
+	//
+	// If less than or equal to zero, defaults to 1024.
+	TLSSessionCacheSize int
 }
 
 // DefaultOptionsSpraying contains the default options for host spraying
 // scenarios where lots of requests need to be sent to different hosts.
 var DefaultOptionsSpraying = Options{
-	RetryWaitMin:    1 * time.Second,
-	RetryWaitMax:    30 * time.Second,
-	Timeout:         30 * time.Second,
-	RetryMax:        5,
-	RespReadLimit:   4096,
-	KillIdleConn:    true,
-	NoAdjustTimeout: true,
+	RetryWaitMin:        1 * time.Second,
+	RetryWaitMax:        30 * time.Second,
+	Timeout:             30 * time.Second,
+	RetryMax:            5,
+	RespReadLimit:       4096,
+	KillIdleConn:        true,
+	NoAdjustTimeout:     true,
+	TLSSessionCacheSize: 1024,
 }
 
 // DefaultOptionsSingle contains the default options for host bruteforce
 // scenarios where lots of requests need to be sent to a single host.
 var DefaultOptionsSingle = Options{
-	RetryWaitMin:    1 * time.Second,
-	RetryWaitMax:    30 * time.Second,
-	Timeout:         30 * time.Second,
-	RetryMax:        5,
-	RespReadLimit:   4096,
-	KillIdleConn:    false,
-	NoAdjustTimeout: true,
+	RetryWaitMin:        1 * time.Second,
+	RetryWaitMax:        30 * time.Second,
+	Timeout:             30 * time.Second,
+	RetryMax:            5,
+	RespReadLimit:       4096,
+	KillIdleConn:        false,
+	NoAdjustTimeout:     true,
+	TLSSessionCacheSize: 1024,
 }
 
 // NewClient creates a new Client with default settings.
@@ -110,6 +116,11 @@ func NewClient(options Options) *Client {
 		return nil
 	}
 
+	if options.HttpClient == nil && options.TLSSessionCacheSize > 0 {
+		applyTLSSessionCache(httpclient, options.TLSSessionCacheSize)
+		applyTLSSessionCache(httpclient2, options.TLSSessionCacheSize)
+	}
+
 	// Apply transport wrapper if provided
 	if options.WrapTransport != nil {
 		httpclient.Transport = options.WrapTransport(httpclient.Transport)

examples/main.go

@@ -45,7 +45,7 @@ func main() {
 
 	router := httprouter.New()
 	router.GET("/", func(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
-		fmt.Fprintf(w, "this is a test")
+		_, _ = fmt.Fprintf(w, "this is a test")
 	})
 	ts := httptest.NewServer(router)
 	defer ts.Close()
@@ -63,8 +63,8 @@ func main() {
 					log.Println(err)
 					continue
 				}
-				io.Copy(io.Discard, resp.Body)
-				resp.Body.Close()
+				_, _ = io.Copy(io.Discard, resp.Body)
+				_ = resp.Body.Close()
 			}
 		}()
 	}

http.go

@@ -41,6 +41,7 @@ func DefaultReusePooledTransport() *http.Transport {
 		MaxIdleConnsPerHost:    100,
 		MaxResponseHeaderBytes: 4096, // net/http default is 10Mb
 		TLSClientConfig: &tls.Config{
+			ClientSessionCache: tls.NewLRUClientSessionCache(1024),
 			Renegotiation:      tls.RenegotiateOnceAsClient, // Renegotiation is not supported in TLS 1.3 as per docs
 			InsecureSkipVerify: true,
 			MinVersion:         tls.VersionTLS10,
@@ -76,6 +77,19 @@ func DefaultPooledClient() *http.Client {
 	}
 }
 
+// applyTLSSessionCache configures the TLS session cache size for an
+// [http.Client].
+//
+// It only applies if the client has an [http.Transport] with a
+// TLSClientConfig.
+func applyTLSSessionCache(client *http.Client, size int) {
+	if transport, ok := client.Transport.(*http.Transport); ok {
+		if transport.TLSClientConfig != nil {
+			transport.TLSClientConfig.ClientSessionCache = tls.NewLRUClientSessionCache(size)
+		}
+	}
+}
+
 var (
 	fdInit = &sync.Once{}
 	fd     *fastdialer.Dialer

request.go

@@ -159,7 +159,9 @@ func (r *Request) SetBodyString(body string) error {
 // read into the reusable reader.
 func (r *Request) SetBodyStream(bodyStream io.Reader, bodySize int64) error {
 	if closer, ok := bodyStream.(io.Closer); ok {
-		defer closer.Close()
+		defer func() {
+			_ = closer.Close()
+		}()
 
 		// Wrap in NopCloser to prevent NewReusableReadCloser from closing it,
 		// since we are handling the close via defer.

request_test.go

@@ -376,7 +376,7 @@ func verifyGetBody(t *testing.T, req *retryablehttp.Request, expected []byte) {
 		t.Fatalf("GetBody failed: %v", err)
 	}
 	data1, _ := io.ReadAll(rc1)
-	rc1.Close()
+	_ = rc1.Close()
 
 	if !bytes.Equal(data1, expected) {
 		t.Errorf("Read 1 mismatch. Got %s, want %s", string(data1), string(expected))
@@ -388,7 +388,7 @@ func verifyGetBody(t *testing.T, req *retryablehttp.Request, expected []byte) {
 		t.Fatalf("GetBody failed 2nd time: %v", err)
 	}
 	data2, _ := io.ReadAll(rc2)
-	rc2.Close()
+	_ = rc2.Close()
 
 	if !bytes.Equal(data2, expected) {
 		t.Errorf("Read 2 mismatch. Got %s, want %s", string(data2), string(expected))