From 66193dab92637ad5c8ab6565767f1133435f082c Mon Sep 17 00:00:00 2001
From: Peter Steinberger
Date: Mon, 19 Jan 2026 08:54:17 +0000
Subject: [PATCH] fix: wire gateway tls fingerprint for wss
---
 src/gateway/call.ts | 9 +++++++++
 src/gateway/client.ts | 11 ++++++++++-
 2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/src/gateway/call.ts b/src/gateway/call.ts
index 0ccfeaf19..96f239145 100644
--- a/src/gateway/call.ts
+++ b/src/gateway/call.ts
@@ -14,6 +14,7 @@ import {
 type GatewayClientMode,
 type GatewayClientName,
 } from "../utils/message-channel.js";
+import { loadGatewayTlsRuntime } from "../infra/tls/gateway.js";
 import { GatewayClient } from "./client.js";
 import { PROTOCOL_VERSION } from "./protocol/index.js";
 
@@ -134,6 +135,13 @@ export async function callGateway(opts: CallGatewayOptions): Promis
 ...(opts.configPath ? { configPath: opts.configPath } : {}),
 });
 const url = connectionDetails.url;
+ const useLocalTls =
+ config.gateway?.tls?.enabled === true &&
+ !urlOverride &&
+ !remoteUrl &&
+ url.startsWith("wss://");
+ const tlsRuntime = useLocalTls ? await loadGatewayTlsRuntime(config.gateway?.tls) : undefined;
+ const tlsFingerprint = tlsRuntime?.enabled ? tlsRuntime.fingerprintSha256 : undefined;
 const token =
 (typeof opts.token === "string" && opts.token.trim().length > 0
 ? opts.token.trim()
@@ -183,6 +191,7 @@ export async function callGateway(opts: CallGatewayOptions): Promis
 url,
 token,
 password,
+ tlsFingerprint,
 instanceId: opts.instanceId ?? randomUUID(),
 clientName: opts.clientName ?? GATEWAY_CLIENT_NAMES.CLI,
 clientDisplayName: opts.clientDisplayName,
diff --git a/src/gateway/client.ts b/src/gateway/client.ts
index 81d2c34da..00f634956 100644
--- a/src/gateway/client.ts
+++ b/src/gateway/client.ts
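Review bot: In the `const tlsFingerprint = tlsRuntime?.enabled ? tlsRuntime.fingerprintSha256 : undefined;` line of the second hunk, a config with `gateway.tls.enabled === true` whose runtime comes back not enabled (or with no fingerprint) silently yields `undefined`, so the connection is attempted with no pin even though the operator asked for one. Whether that actually fails open depends on how client.ts treats an absent `tlsFingerprint`, which is outside this hunk; making the expectation explicit here is cheap: `if (useLocalTls && !tlsRuntime?.enabled) throw new Error("gateway tls is enabled but no local TLS runtime/fingerprint is available");` inserted between the two `const` lines. Separately, `url.startsWith("wss://")` is case-sensitive while URL schemes are not, so a differently cased scheme in config would presumably skip the local-TLS branch; comparing `new URL(url).protocol === "wss:"` (or lower-casing first) avoids that. callGateway's body starts and ends outside the hunk.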
@@ -99,7 +99,16 @@ export class GatewayClient {
 typeof fingerprintValue === "string" ? fingerprintValue : "",
 );
 const expected = normalizeFingerprint(this.opts.tlsFingerprint ?? "");
- return Boolean(fingerprint && fingerprint === expected);
+ if (!expected) {
+ return new Error("gateway tls fingerprint missing");
+ }
+ if (!fingerprint) {
+ return new Error("gateway tls fingerprint unavailable");
+ }
+ if (fingerprint !== expected) {
+ return new Error("gateway tls fingerprint mismatch");
+ }
+ return undefined;
 };
 }
 this.ws = new WebSocket(url, wsOptions);
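Review bot: The callback now returns `Error | undefined` where it previously returned a boolean, so any consumer that still reads its result as truthy-means-valid would accept every mismatch as success; the enclosing function and the `if` that installs this callback begin before the hunk, so please confirm its only consumer expects the `Error | undefined` convention (Node's `checkServerIdentity` does). The mismatch branch also discards the detail an operator needs to recognise a pin failure after a certificate rotation; since a server certificate fingerprint is not secret, `return new Error("gateway tls fingerprint mismatch: expected " + expected + ", got " + fingerprint);` is strictly more useful. A one-line comment above the first `if`, such as `// fail closed: no configured pin, no presented fingerprint, or a mismatch all reject the connection`, would document the intended semantics for the next reader.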