fasthttp
Can the client support a custom TLS package?
Because crypto/tls does not support some required cipher suites, it needs to be customized.
I haven't tried it but I think you can use any tls package by using Client.Dial to supply your own Dial function using your own tls package. As long as that returns anything implementing net.Conn it doesn't matter which tls library is used.
There is no way to use custom tls config
I guess there is no way for it to know that it shouldn't wrap the conn in a new tls.Conn here: https://github.com/valyala/fasthttp/blob/a5f448fc970972ab47113971d898a22fb28fef52/client.go#L1983-L1989
I would be open to a pull that somehow makes this work. Either by seeing some property on conn that tells it it doesn't have to wrap it, or some other way.
Thank you. Looking forward to your solution
PipelineClient and HostClient cannot use custom TLS Dial. When a custom Dial is used, the TLS handshake is not checked. Example code:
func dialAddr(addr string, dial DialFunc, dialDualStack, isTLS bool, tlsConfig *tls.Config, timeout time.Duration) (net.Conn, error) {
	deadline := time.Now().Add(timeout)
	// customDial records whether the caller supplied its own Dial function.
	var customDial bool
	if dial == nil {
		if dialDualStack {
			dial = DialDualStack
		} else {
			dial = Dial
		}
		addr = addMissingPort(addr, isTLS)
	} else {
		customDial = true
	}
	conn, err := dial(addr)
	if err != nil {
		return nil, err
	}
	if conn == nil {
		panic("BUG: DialFunc returned (nil, nil)")
	}
	// Wrap in crypto/tls only when the built-in dialer produced the conn.
	// With a custom Dial the conn is returned as is, so the custom Dial
	// is responsible for any TLS handshake.
	if !customDial {
		_, isTLSAlready := conn.(*tls.Conn)
		if isTLS && !isTLSAlready {
			if timeout == 0 {
				return tls.Client(conn, tlsConfig), nil
			}
			return tlsClientHandshake(conn, tlsConfig, deadline)
		}
	}
	return conn, nil
}
Should be fixed in https://github.com/valyala/fasthttp/commit/2f1e949d91d0ba1817afd80d7c981fafe7154774. Will tag a release next week.
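An added example, not code from this thread, from fasthttp, or from the linked commit: one way to realize the "property on conn" idea suggested above using only the standard library, so that a plaintext conn returned by a custom Dial for a TLS host is still wrapped. The names `handshaker`, `customTLSConn`, `needsWrap` and `demo` are hypothetical, and the conns are constructed in memory.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net"
)

// handshaker is a hypothetical marker: a conn from a third-party TLS package
// exposes Handshake() even though it is not a *tls.Conn.
type handshaker interface{ Handshake() error }

// customTLSConn is a constructed stand-in for such a third-party TLS conn.
type customTLSConn struct{ net.Conn }

func (c *customTLSConn) Handshake() error { return nil }

// needsWrap reports whether the client must still wrap conn in crypto/tls.
// A plaintext conn from a custom Dial for a TLS host is still wrapped.
func needsWrap(conn net.Conn, isTLS bool) bool {
	if !isTLS {
		return false
	}
	if _, ok := conn.(*tls.Conn); ok {
		return false // already crypto/tls
	}
	_, ok := conn.(handshaker)
	return !ok // wrap only when the conn shows no TLS capability
}

// demo runs needsWrap over constructed in-memory conns (no network I/O).
func demo() [4]bool {
	plain, peer := net.Pipe()
	defer plain.Close()
	defer peer.Close()
	return [4]bool{
		needsWrap(plain, false), // http: never wrap
		needsWrap(plain, true),  // https over a plaintext conn: wrap
		needsWrap(tls.Client(plain, &tls.Config{ServerName: "example.test"}), true),
		needsWrap(&customTLSConn{Conn: plain}, true), // custom TLS: leave as is
	}
}

func main() {
	fmt.Println(demo()) // [false true false false]
}
```

The method check is only a capability hint: the custom Dial remains responsible for completing the handshake and verifying the peer certificate.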