package checker

import (
	"fmt"

	sdk "git.happydns.org/checker-sdk-go/checker"
)

// directTLSServices is the set of SRV service labels (the "service" part of
// _service._proto.domain) that, by convention, denote a protocol speaking TLS
// from the first byte of the connection ("implicit" TLS), rather than
// plaintext or a STARTTLS upgrade.
//
// The service label, not the port, is what decides whether an endpoint is
// probed: a port number proves nothing (636 may carry anything), whereas
// _ldaps._tcp designates LDAP over TLS whatever port it is published on, and
// an HTTPS service on a non-443 port is still worth checking.
//
// STARTTLS-capable services (_xmpp-client, _smtp, _submission, _imap,
// _pop3, …) are deliberately absent: they need a protocol-specific upgrade
// that a plain TLS probe cannot perform, so they will get their own endpoint
// type (e.g. "smtp-starttls") once a checker can drive those handshakes.
//
// Adding a label here is what causes the matching SRV targets to be handed to
// the TLS checker as discovered endpoints.
var directTLSServices = map[string]bool{
	// Web and file transfer.
	"https": true,
	"ftps":  true, // implicit FTPS

	// Mail: implicit TLS only (STARTTLS variants are excluded, see above).
	"smtps":       true, // SMTP over TLS (legacy port 465 semantics)
	"submissions": true, // RFC 8314: message submission over TLS
	"imaps":       true,
	"pop3s":       true,

	// Messaging, chat and real-time.
	"nntps":        true,
	"ircs":         true,
	"xmpps-client": true, // XMPP client over direct TLS
	"xmpps-server": true, // XMPP server-to-server over direct TLS
	"sips":         true,
	"stuns":        true,
	"turns":        true,

	// Directory, remote access, printing and IoT.
	"ldaps":   true,
	"telnets": true,
	"ipps":    true, // IPP over TLS (printing)
	"mqtts":   true,
	"coaps":   true,
}

// DiscoverEndpoints runs right after Collect. It announces (host, port) pairs
// that other checkers may probe — here, TLS endpoints derived from SRV records
// whose service label is one of the direct-TLS protocols in
// directTLSServices. Records with a null or empty target are skipped.
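func (p *srvProvider) DiscoverEndpoints(data any) ([]sdk.DiscoveredEndpoint, error) {
	d, ok := data.(*SRVData)
	if !ok {
		return nil, fmt.Errorf("unexpected data type %T", data)
	}
	if d == nil {
		// A typed nil *SRVData satisfies the assertion above but would panic
		// on d.Records; report it instead.
		return nil, fmt.Errorf("nil SRV data")
	}

	var out []sdk.DiscoveredEndpoint
	// Several SRV records (different priority/weight) routinely point at the
	// same target:port. Each distinct endpoint is announced once so the TLS
	// checker does not probe it repeatedly.
	seen := make(map[string]struct{})
	for _, r := range d.Records {
		if r.IsNullTarget || r.Target == "" {
			continue
		}
		// Port 0 cannot be dialled; treat it like a null target.
		if r.Port == 0 {
			continue
		}
		if !directTLSServices[r.Service] {
			continue
		}
		// Target may still carry the DNS root label's trailing dot
		// (presumably depends on how Collect fills SRVData — verify). Strip
		// it: the same value is used as the SNI name, and RFC 6066 defines
		// server_name without a trailing dot.
		host := r.Target
		if n := len(host); n > 0 && host[n-1] == '.' {
			host = host[:n-1]
		}
		if host == "" {
			continue
		}
		key := fmt.Sprintf("%s:%v", host, r.Port)
		if _, dup := seen[key]; dup {
			continue
		}
		seen[key] = struct{}{}
		out = append(out, sdk.DiscoveredEndpoint{
			Type: "tls",
			Host: host,
			Port: r.Port,
			// SNI mirrors Host: the probe presents the SRV target name.
			SNI: host,
		})
	}
	return out, nil
}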