From 3521e0a30e8d1dafde7f3b70c0c9222e35c7bd20 Mon Sep 17 00:00:00 2001
From: AJ ONeal
Date: Wed, 6 Aug 2025 15:21:47 -0600
Subject: [PATCH] ref!: supply a full *tls.Config for each connection

---
 cmd/sclient/main.go | 17 +++++++++++------
 sclient.go | 28 ++++++++-------------------
 2 files changed, 19 insertions(+), 26 deletions(-)

diff --git a/cmd/sclient/main.go b/cmd/sclient/main.go
index e3161f4..dbe49fd 100644
--- a/cmd/sclient/main.go
+++ b/cmd/sclient/main.go
@@ -1,6 +1,7 @@
 package main
 
 import (
+	"crypto/tls"
 	"flag"
 	"fmt"
 	"os"
@@ -79,12 +80,16 @@ func main() {
 	}
 
 	sclient := &sclient.Tunnel{
-		RemotePort: 443,
-		LocalAddress: "localhost",
-		InsecureSkipVerify: insecure,
-		ServerName: servername,
-		Silent: silent,
-		NextProtos: alpns,
+		RemotePort: 443,
+		LocalAddress: "localhost",
+		Silent: silent,
+		GetTLSConfig: func() *tls.Config {
+			return &tls.Config{
+				ServerName: servername,
+				NextProtos: alpns,
+				InsecureSkipVerify: insecure,
+			}
+		},
 	}
 
 	remote := strings.Split(remotestr, ":")
diff --git a/sclient.go b/sclient.go
index 94da38d..d7c2e02 100644
--- a/sclient.go
+++ b/sclient.go
@@ -12,26 +12,19 @@ import (
 
 // Tunnel specifies which remote encrypted connection to make available as a plain connection locally.
 type Tunnel struct {
-	RemoteAddress string
-	RemotePort int
-	LocalAddress string
-	LocalPort int
-	InsecureSkipVerify bool
-	NextProtos []string
-	ServerName string
-	Silent bool
+	RemoteAddress string
+	RemotePort int
+	LocalAddress string
+	LocalPort int
+	GetTLSConfig func() *tls.Config
+	Silent bool
 }
 
 // DialAndListen will create a test TLS connection to the remote address and then
 // begin listening locally. Each local connection will result in a separate remote connection.
 func (t *Tunnel) DialAndListen() error {
 	remote := t.RemoteAddress + ":" + strconv.Itoa(t.RemotePort)
-	conn, err := tls.Dial("tcp", remote,
-		&tls.Config{
-			ServerName: t.ServerName,
-			NextProtos: t.NextProtos,
-			InsecureSkipVerify: t.InsecureSkipVerify,
-		})
+	conn, err := tls.Dial("tcp", remote, t.GetTLSConfig())
 	if err != nil {
 		fmt.Fprintf(os.Stderr, "[warn] '%s' may not be accepting connections: %s\n", remote, err)
@@ -142,12 +135,7 @@ func pipe(r netReadWriteCloser, w netReadWriteCloser, t string) {
 }
 
 func (t *Tunnel) handleConnection(remote string, conn netReadWriteCloser) {
-	sclient, err := tls.Dial("tcp", remote,
-		&tls.Config{
-			ServerName: t.ServerName,
-			NextProtos: t.NextProtos,
-			InsecureSkipVerify: t.InsecureSkipVerify,
-		})
+	sclient, err := tls.Dial("tcp", remote, t.GetTLSConfig())
 	if err != nil {
 		fmt.Fprintf(os.Stderr, "[error] (remote) %s\n", err)
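Review bot: `t.GetTLSConfig()` on the new tls.Dial line in DialAndListen is invoked without checking that the field is set, so a Tunnel constructed without GetTLSConfig — which appears to have been a usable zero value before this change, since the old code passed a literal config — now panics with a nil function call instead of reporting an error; the same applies to the new tls.Dial line in handleConnection in the following hunk. A guard at the top of DialAndListen such as `if t.GetTLSConfig == nil { return fmt.Errorf("sclient: Tunnel.GetTLSConfig must be set") }` keeps that failure on the existing error path (fmt is already used in this file). The exported GetTLSConfig field also lacks a doc comment; something like `// GetTLSConfig is called before every remote dial (the initial probe in DialAndListen and once per local connection) and must return a non-nil *tls.Config; because a fresh config is produced per call, no ClientSessionCache is shared between connections unless the callback supplies one.` would record the contract both call sites rely on. DialAndListen's body continues past the end of the hunk.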