In the socket system, only WebSocket sockets are allowed to tunnel
through HTTP/1 proxies. "Raw" sockets in the normal socket pool don't
have it: their CONNECT headers are not sent; instead the raw
payload is sent as-is to the HTTP/1 proxy, breaking the proxying.
The socket system works like this:
- HTTP sockets via HTTP/1 proxies: normal pool, no tunneling.
- HTTPS sockets via HTTP/1 proxies: normal pool, no tunneling,
but does its own proxy encapsulation.
- WS sockets via HTTP/1 proxies: WS pool, tunneling.
In Naive, we need the normal pool because the WS pool has some extra
restrictions, but we also need tunneling to produce a client socket
with proxy tunneling built in.
Therefore force tunneling for all sockets and have them always send
CONNECT headers. This will otherwise break regular HTTP client sockets
via HTTP/1 proxies, but as we don't use this combination, it is ok.
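The difference between a tunneling socket and a "raw" one, as an added example that is not Chromium's or Naive's code: a client either sends a CONNECT header block and then writes its payload into the tunnel, or writes the payload straight to the proxy, which then fails to parse it as an HTTP request. FakeHttp1Proxy, RAW_TLS_PAYLOAD and the helper names are constructed for this example; the proxy model only understands HTTP/1 request lines and relays bytes after a CONNECT.

```python
import re
from typing import Optional, Tuple

# Constructed stand-in for the first bytes of a TLS record (type 0x16 =
# handshake, version 3.1). Not a real ClientHello, only non-HTTP bytes.
RAW_TLS_PAYLOAD = bytes.fromhex("16030100") + b"\x00" * 4


def build_connect(host: str, port: int, proxy_auth: Optional[str] = None) -> bytes:
    """CONNECT header block a tunneling client sends before its payload."""
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if proxy_auth:
        lines.append(f"Proxy-Authorization: {proxy_auth}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_connect_response(data: bytes) -> Tuple[int, bytes]:
    """Return (status code, bytes that followed the proxy's header block)."""
    head, sep, rest = data.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete proxy response")
    status_line = head.split(b"\r\n", 1)[0]
    m = re.match(rb"HTTP/1\.[01] (\d{3})", status_line)
    if not m:
        raise ValueError("not an HTTP/1 status line: %r" % status_line)
    return int(m.group(1)), rest


class FakeHttp1Proxy:
    """Minimal model of an HTTP/1 forward proxy (constructed for this example).

    It speaks HTTP only: a CONNECT request opens a tunnel and every later
    byte is relayed unchanged; anything that is not an HTTP request line
    is rejected with 400."""

    def __init__(self) -> None:
        self.tunnel_target: Optional[bytes] = None
        self.relayed = b""

    def receive(self, data: bytes) -> bytes:
        if self.tunnel_target is not None:          # tunnel open: relay as-is
            self.relayed += data
            return b""
        request_line = data.split(b"\r\n", 1)[0]
        m = re.match(rb"([A-Z]+) (\S+) HTTP/1\.[01]$", request_line)
        if not m:                                    # raw bytes hit the HTTP parser
            return b"HTTP/1.1 400 Bad Request\r\n\r\n"
        if m.group(1) == b"CONNECT":
            self.tunnel_target = m.group(2)
            return b"HTTP/1.1 200 Connection established\r\n\r\n"
        return b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"


def send_through_proxy(payload: bytes, host: str, port: int, tunnel: bool) -> Tuple[int, bytes]:
    """Return (proxy status, bytes that reached the tunnel target).

    tunnel=False reproduces the broken case described above: the raw
    payload is written straight to the proxy, which cannot parse it."""
    proxy = FakeHttp1Proxy()
    if tunnel:
        status, leftover = parse_connect_response(proxy.receive(build_connect(host, port)))
        if status != 200:                            # e.g. 407 wanting Proxy-Authorization
            return status, b""
        assert leftover == b""                       # a 200 to CONNECT carries no body
        proxy.receive(payload)
        return status, proxy.relayed
    status, _ = parse_connect_response(proxy.receive(payload))
    return status, proxy.relayed


if __name__ == "__main__":
    for tunnel in (True, False):
        status, delivered = send_through_proxy(RAW_TLS_PAYLOAD, "example.com", 443, tunnel)
        print(f"tunnel={tunnel}: proxy said {status}, {len(delivered)} payload bytes relayed")
```

With tunnel=True the proxy answers 200 and the payload is relayed intact; with tunnel=False the same bytes are the first thing the proxy's request parser sees, so it answers 400 and nothing reaches the target.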
It reads CA certificates from:
* The file in environment variable SSL_CERT_FILE
* The first available file of
/etc/ssl/certs/ca-certificates.crt (Debian/Ubuntu/Gentoo etc.)
/etc/pki/tls/certs/ca-bundle.crt (Fedora/RHEL 6)
/etc/ssl/ca-bundle.pem (OpenSUSE)
/etc/pki/tls/cacert.pem (OpenELEC)
/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem (CentOS/RHEL 7)
/etc/ssl/cert.pem (Alpine Linux)
* Files in the directory of environment variable SSL_CERT_DIR
* Files in the first available directory of
/etc/ssl/certs (SLES10/SLES11, https://golang.org/issue/12139)
/etc/pki/tls/certs (Fedora/RHEL)
/system/etc/security/cacerts (Android)
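The lookup order above, as an added example that is not the project's own loader: pick the bundle file (SSL_CERT_FILE, else the first existing default) and the directory (SSL_CERT_DIR, else the first existing default), then collect the CERTIFICATE PEM blocks from both, dropping duplicates because on Debian-style systems the directory also contains the bundle. The names select_ca_sources, load_ca_pem, fake_fs and FAKE_FILES are invented here; the PEM bodies are constructed placeholders, not real certificates. One assumption not stated on the page: a set environment variable replaces the default list rather than being tried before it, so a wrong SSL_CERT_FILE silently yields no bundle.

```python
import os
import re
from typing import Callable, Dict, List, Mapping, Optional, Tuple

# Search order taken from the list above.
CERT_FILE_ENV = "SSL_CERT_FILE"
CERT_DIR_ENV = "SSL_CERT_DIR"
CERT_FILES = (
    "/etc/ssl/certs/ca-certificates.crt",                 # Debian/Ubuntu/Gentoo etc.
    "/etc/pki/tls/certs/ca-bundle.crt",                   # Fedora/RHEL 6
    "/etc/ssl/ca-bundle.pem",                             # OpenSUSE
    "/etc/pki/tls/cacert.pem",                            # OpenELEC
    "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem",  # CentOS/RHEL 7
    "/etc/ssl/cert.pem",                                  # Alpine Linux
)
CERT_DIRS = (
    "/etc/ssl/certs",                  # SLES10/SLES11
    "/etc/pki/tls/certs",              # Fedora/RHEL
    "/system/etc/security/cacerts",    # Android
)
PEM_CERT = re.compile(rb"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def select_ca_sources(env: Mapping[str, str], isfile: Callable[[str], bool],
                      isdir: Callable[[str], bool]) -> Tuple[Optional[str], Optional[str]]:
    """Return (bundle_file, cert_dir); each is None when nothing matched.

    Assumption: a set (non-empty) environment variable replaces the default
    list outright, so there is no fallback if it points at a missing path."""
    bundle = env.get(CERT_FILE_ENV) or next((p for p in CERT_FILES if isfile(p)), None)
    cert_dir = env.get(CERT_DIR_ENV) or next((p for p in CERT_DIRS if isdir(p)), None)
    return bundle, cert_dir


def load_ca_pem(env: Mapping[str, str], isfile, isdir, listdir, read):
    """Collect unique CERTIFICATE blocks from the selected bundle and directory."""
    bundle, cert_dir = select_ca_sources(env, isfile, isdir)
    blocks: List[bytes] = []

    def add(data: bytes) -> None:
        for block in PEM_CERT.findall(data):
            if block not in blocks:          # the directory often holds the bundle too
                blocks.append(block)

    if bundle and isfile(bundle):
        add(read(bundle))
    if cert_dir and isdir(cert_dir):
        for name in listdir(cert_dir):
            path = os.path.join(cert_dir, name)
            if isfile(path):                 # skip subdirectories and dangling links
                add(read(path))
    return bundle, cert_dir, blocks


def load_system_ca_pem(env: Optional[Mapping[str, str]] = None):
    """Same lookup against the real filesystem and process environment."""
    env = os.environ if env is None else env
    return load_ca_pem(env, os.path.isfile, os.path.isdir, os.listdir,
                       lambda p: open(p, "rb").read())


# ---- constructed in-memory filesystem so the lookup can be exercised offline ----
def fake_cert(tag: str) -> bytes:
    """Placeholder PEM block; the body is a tag, not a real certificate."""
    return b"-----BEGIN CERTIFICATE-----\n" + tag.encode() + b"\n-----END CERTIFICATE-----\n"


FAKE_FILES: Dict[str, bytes] = {
    "/etc/ssl/certs/ca-certificates.crt": fake_cert("A") + fake_cert("B") + fake_cert("A"),
    "/etc/ssl/certs/extra.pem": fake_cert("C"),
    "/custom/bundle.pem": fake_cert("D"),
}


def fake_fs(files: Dict[str, bytes]):
    """Stand-ins for os.path.isfile, os.path.isdir, os.listdir and a reader."""
    def isfile(p: str) -> bool:
        return p in files

    def isdir(p: str) -> bool:
        prefix = p.rstrip("/") + "/"
        return any(k.startswith(prefix) for k in files)

    def listdir(p: str) -> List[str]:
        prefix = p.rstrip("/") + "/"
        return sorted({k[len(prefix):].split("/", 1)[0] for k in files if k.startswith(prefix)})

    return isfile, isdir, listdir, files.__getitem__


if __name__ == "__main__":
    fs = fake_fs(FAKE_FILES)
    for env in ({}, {CERT_FILE_ENV: "/custom/bundle.pem"}, {CERT_FILE_ENV: "/missing.pem"}):
        bundle, cert_dir, blocks = load_ca_pem(env, *fs)
        print(f"{env}: bundle={bundle} dir={cert_dir} unique_certs={len(blocks)}")
```

Run as a script it walks the fake tree; call load_system_ca_pem() to see which bundle and directory the real host would contribute. The dedup matters: without it the Debian layout counts every root twice, once from ca-certificates.crt and once from the per-certificate files beside it.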