deps: bump domainfront (SNI: default strategy without country code + baked-in SNI) #41

Merged: myleshorton merged 1 commit into main from fisk/bump-domainfront-sni on Jun 25, 2026

myleshorton (Contributor) commented Jun 25, 2026

Summary

Bump getlantern/domainfront to v0.0.0-20260625001429-518c0256669b, picking up domainfront#11.

What #11 changes

ExpandedProvider now resolves each masquerade's SNI so providers can send a legit SNI instead of the conspicuous no-SNI every client uses today (the production client passes no country code, which previously left every provider's arbitrary-SNI strategy inert):

  • The default frontingsnis strategy applies even with no country code → akamai sends its arbitrary SNIs (real akamai-customer domains) globally. Validated: 20/20 sampled edges front identically to no-SNI, no regression.
  • A baked-in per-masquerade SNI is preserved through expansion → lets aliyun pin www.mobgslb.tbcache.com (the service domain its edges actually accept).
  • The SNI path verifies the edge cert against the front Domain (not chain-only) → closes a pre-existing MITM gap; verified it doesn't break akamai (whose arbitrary SNI is a decoy the served cert doesn't cover).

No kindling code changes — build + go test ./... pass. go mod tidy run; go.mod + go.sum committed together.

Rollout

Next link in the chain: radiance bumps kindling → lantern bumps radiance. The companion lantern-cloud#2897 sets aliyun's front SNI; both are backward-safe (pre-bump clients omit SNI exactly as today).

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated a direct dependency to a newer version.
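
Added example (not part of the pull request, and not code from domainfront or kindling): the difference between chain-only verification and verification against the front Domain that the summary above describes, using Go's crypto/x509. The names `verifyEdge`, `issue` and `demo`, the constructed test CA, and the hosts `front.example` and `other.example` are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// verifyEdge is meant for tls.Config.VerifyConnection when ServerName is a decoy SNI (InsecureSkipVerify set).
func verifyEdge(chain []*x509.Certificate, roots *x509.CertPool, frontDomain string) error {
	if len(chain) == 0 || frontDomain == "" { // an empty DNSName would silently fall back to chain-only
		return fmt.Errorf("fronting: no peer certificate or empty front domain %q", frontDomain)
	}
	opts := x509.VerifyOptions{Roots: roots, DNSName: frontDomain, Intermediates: x509.NewCertPool()}
	for _, c := range chain[1:] {
		opts.Intermediates.AddCert(c)
	}
	_, err := chain[0].Verify(opts) // chain must reach roots AND the leaf must cover frontDomain
	return err
}

// issue makes a throwaway certificate (constructed test data, errors ignored); nil parent self-signs a CA.
func issue(name string, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage, parent, signer = true, true, x509.KeyUsageCertSign, t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// demo: a same-CA cert for another name passes chain-only but fails verifyEdge; the front's own cert passes.
func demo() (chainOnlyOther, pinnedOther, pinnedFront bool) {
	ca, caKey := issue("ca.example", nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	front, _ := issue("front.example", ca, caKey)
	other, _ := issue("other.example", ca, caKey)
	_, err := other.Verify(x509.VerifyOptions{Roots: roots}) // chain-only: no DNSName
	return err == nil, verifyEdge([]*x509.Certificate{other}, roots, "front.example") == nil,
		verifyEdge([]*x509.Certificate{front}, roots, "front.example") == nil
}
func main() { fmt.Println(demo()) }
```

Running it prints `true false true`: the chain-only check accepts a certificate for an unrelated name issued under the same trusted CA, while the check pinned to the front domain rejects it and still accepts the front's own certificate.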

Picks up getlantern/domainfront#11: ExpandedProvider applies the default
frontingsnis strategy even with no country code (so akamai sends its
arbitrary SNIs globally instead of the conspicuous no-SNI), preserves a
baked-in per-masquerade SNI (for aliyun's www.mobgslb.tbcache.com), and
verifies the SNI-path edge cert against the front Domain instead of
chain-only. No kindling code changes; build + tests pass.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings June 25, 2026 00:24
coderabbitai Bot commented Jun 25, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 2a21b162-7318-4d4e-942c-d1c1c1bdd7eb

📥 Commits

Reviewing files that changed from the base of the PR and between 737fcff and f114bf3.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (1)
  • go.mod

Walkthrough

The pull request updates the github.com/getlantern/domainfront requirement in go.mod to a newer pseudo-version. No other module directives or dependencies change.

Changes

Dependency version update

| Layer / File(s) | Summary |
|---|---|
| Domainfront pseudo-version bump: go.mod | github.com/getlantern/domainfront is updated from one pseudo-version to a newer pseudo-version in the require block. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

A bunny twitched a whisker bright,
As go.mod took a tiny flight.
One version hopped, then settled near,
With quiet thumps and update cheer. 🐰

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly summarizes the dependency bump and the main SNI behavior changes introduced by the update. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


Copilot AI (Contributor) left a comment

Pull request overview

This PR updates the github.com/getlantern/domainfront dependency to pick up upstream changes (domainfront#11) related to SNI strategy behavior and certificate verification, without modifying Kindling’s application code.

Changes:

  • Bump github.com/getlantern/domainfront to v0.0.0-20260625001429-518c0256669b.
  • Update go.sum checksums to match the new domainfront pseudo-version.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

| File | Description |
|---|---|
| go.mod | Updates the required github.com/getlantern/domainfront version. |
| go.sum | Updates module and go.mod hashes for the bumped domainfront version. |

@myleshorton myleshorton merged commit 7cdf718 into main Jun 25, 2026
3 checks passed
myleshorton added a commit to getlantern/radiance that referenced this pull request Jun 25, 2026
…I) (#539)

domainfront v0.0.0-...-93591749d736 -> 518c0256669b (getlantern/domainfront#11)
kindling    v0.0.0-...-737fcffe2860 -> 7cdf7184420c (getlantern/kindling#41)

Activates legit SNI for fronting: ExpandedProvider applies the default
frontingsnis strategy with no country code (akamai sends arbitrary SNIs
globally), preserves a baked-in per-masquerade SNI (aliyun mobgslb), and
verifies the SNI-path edge cert against the front Domain (not chain-only).

The kindling/fronted packages (which consume domainfront) build and test
green. The pre-existing cmd/lantern build break (ipc.NewClient signature)
is unrelated to this bump and reproduces on main with these changes
stashed.

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
myleshorton added a commit to getlantern/lantern that referenced this pull request Jun 25, 2026
)

radiance    -> v0.0.0-20260625003855-687d6be3d5f0 (getlantern/radiance#539)
domainfront -> v0.0.0-20260625001429-518c0256669b (getlantern/domainfront#11)
kindling    -> v0.0.0-20260625002640-7cdf7184420c (getlantern/kindling#41)

Final link in the chain that lets fronting send a legit SNI instead of
the conspicuous no-SNI clients use today: ExpandedProvider applies the
default frontingsnis strategy with no country code (akamai sends its
arbitrary SNIs globally), preserves a baked-in per-masquerade SNI (aliyun
www.mobgslb.tbcache.com), and verifies the SNI-path edge cert against the
front Domain rather than chain-only. go build/vet clean; only go.mod and
go.sum change.

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>