grpc-js: initiate tls connection through http proxy

packages/grpc-js/src/http_proxy.ts

@@ -21,6 +21,8 @@ import { LogVerbosity } from './constants';
 import { parseTarget } from './resolver-dns';
 import { Socket } from 'net';
 import * as http from 'http';
+import * as http2 from 'http2';
+import * as tls from 'tls'
 import * as logging from './logging';
 import {
   SubchannelAddress,
@@ -157,7 +159,8 @@ export interface ProxyConnectionResult {
 
 export function getProxiedConnection(
   address: SubchannelAddress,
-  channelOptions: ChannelOptions
+  channelOptions: ChannelOptions,
+  connectionOptions: http2.SecureClientSessionOptions
 ): Promise<ProxyConnectionResult> {
   if (!('grpc.http_connect_target' in channelOptions)) {
     return Promise.resolve<ProxyConnectionResult>({});
@@ -202,9 +205,15 @@ export function getProxiedConnection(
             ' through proxy ' +
             proxyAddressString
         );
-        resolve({
-          socket,
-          realTarget,
+        var cts = tls.connect({
+            ...connectionOptions,
+            host: options.host,
+            socket: socket
+        }, function () {
+          resolve({
+            socket: cts,
+            realTarget,
+          });
         });
       } else {
         log(

packages/grpc-js/src/subchannel.ts

@@ -302,21 +302,20 @@ export class Subchannel {
       if (proxyConnectionResult.socket) {
         connectionOptions.socket = proxyConnectionResult.socket;
       }
-    } else {
-      /* In all but the most recent versions of Node, http2.connect does not use
-       * the options when establishing plaintext connections, so we need to
-       * establish that connection explicitly. */
-      connectionOptions.createConnection = (authority, option) => {
-        if (proxyConnectionResult.socket) {
-          return proxyConnectionResult.socket;
-        } else {
-          /* net.NetConnectOpts is declared in a way that is more restrictive
-           * than what net.connect will actually accept, so we use the type
-           * assertion to work around that. */
-          return net.connect(this.subchannelAddress);
-        }
-      };
     }
+    /* In all but the most recent versions of Node, http2.connect does not use
+     * the options when establishing plaintext connections, so we need to
+     * establish that connection explicitly. */
+    connectionOptions.createConnection = (authority, option) => {
+      if (proxyConnectionResult.socket) {
+        return proxyConnectionResult.socket;
+      } else {
+        /* net.NetConnectOpts is declared in a way that is more restrictive
+         * than what net.connect will actually accept, so we use the type
+         * assertion to work around that. */
+        return net.connect(this.subchannelAddress);
+      }
+    };
     connectionOptions = Object.assign(
       connectionOptions,
       this.subchannelAddress
@@ -412,7 +411,28 @@ export class Subchannel {
   }
 
   private startConnectingInternal() {
-    getProxiedConnection(this.subchannelAddress, this.options).then(
+    let connectionOptions: http2.SecureClientSessionOptions =
+      this.credentials._getConnectionOptions() || {};
+
+    if ('secureContext' in connectionOptions) {
+      // If provided, the value of grpc.ssl_target_name_override should be used
+      // to override the target hostname when checking server identity.
+      // This option is used for testing only.
+      if (this.options['grpc.ssl_target_name_override']) {
+        const sslTargetNameOverride = this.options[
+          'grpc.ssl_target_name_override'
+        ]!;
+        connectionOptions.checkServerIdentity = (
+          host: string,
+          cert: PeerCertificate
+        ): Error | undefined => {
+          return checkServerIdentity(sslTargetNameOverride, cert);
+        };
+        connectionOptions.servername = sslTargetNameOverride;
+      }
+    }
+
+    getProxiedConnection(this.subchannelAddress, this.options, connectionOptions).then(
       (result) => {
         this.createSession(result);
       },