
Commit 2c92339

committed
TLS config: allowInsecure->pinnedPeerCertSha256; verifyPeerCertInNames->verifyPeerCertByName
And use `,` as the separator instead of `~`/array #5567 (comment) https://t.me/projectXtls/1464 https://t.me/projectXtls/1465 https://t.me/projectXtls/1466 #5625 (comment)
1 parent 9c46a2d commit 2c92339

13 files changed

Lines changed: 177 additions & 226 deletions


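--- a/common/protocol/tls/cert/cert.go
+++ b/common/protocol/tls/cert/cert.go
@@ -6,6 +6,7 @@ import (
 "crypto/elliptic"
 "crypto/rand"
 "crypto/rsa"
+"crypto/sha256"
 "crypto/x509"
 "encoding/asn1"
 "encoding/pem"
@@ -87,10 +88,10 @@ func Organization(org string) Option {
 }
 }
 
-func MustGenerate(parent *Certificate, opts ...Option) *Certificate {
+func MustGenerate(parent *Certificate, opts ...Option) (*Certificate, [32]byte) {
 cert, err := Generate(parent, opts...)
 common.Must(err)
-return cert
+return cert, sha256.Sum256(cert.Certificate)
 }
 
 func publicKey(priv interface{}) interface{} {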
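Review bot: The two-value `MustGenerate` has no doc comment, and its second result is not self-explanatory. From the body it is `sha256.Sum256(cert.Certificate)`, a digest over the whole `Certificate` field (presumably the DER encoding; worth confirming) rather than over the public key alone. The tests in this commit pass that value straight into `PinnedPeerCertSha256`, so I would document it, for example `// MustGenerate calls Generate and fails via common.Must on error. The second result is the SHA-256 of cert.Certificate, the value a peer pins with pinnedPeerCertSha256.` Changing the result list of an exported function also breaks callers outside this repository; a separate helper returning the hash would keep the old signature intact.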

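--- a/infra/conf/transport_internet.go
+++ b/infra/conf/transport_internet.go
@@ -568,7 +568,7 @@ func (c *TLSCertConfig) Build() (*tls.Certificate, error) {
 }
 
 type TLSConfig struct {
-Insecure bool `json:"allowInsecure"`
+AllowInsecure bool `json:"allowInsecure"`
 Certs []*TLSCertConfig `json:"certificates"`
 ServerName string `json:"serverName"`
 ALPN *StringList `json:"alpn"`
@@ -579,10 +579,10 @@ type TLSConfig struct {
 CipherSuites string `json:"cipherSuites"`
 Fingerprint string `json:"fingerprint"`
 RejectUnknownSNI bool `json:"rejectUnknownSni"`
-PinnedPeerCertSha256 string `json:"pinnedPeerCertSha256"`
 CurvePreferences *StringList `json:"curvePreferences"`
 MasterKeyLog string `json:"masterKeyLog"`
-ServerNameToVerify string `json:"serverNameToVerify"`
+PinnedPeerCertSha256 string `json:"pinnedPeerCertSha256"`
+VerifyPeerCertByName string `json:"verifyPeerCertByName"`
 VerifyPeerCertInNames []string `json:"verifyPeerCertInNames"`
 ECHServerKeys string `json:"echServerKeys"`
 ECHConfigList string `json:"echConfigList"`
@@ -602,10 +602,6 @@ func (c *TLSConfig) Build() (proto.Message, error) {
 config.Certificate[idx] = cert
 }
 serverName := c.ServerName
-config.AllowInsecure = c.Insecure
-if config.AllowInsecure {
-errors.PrintDeprecatedFeatureWarning("allowInsecure", "pinnedPeerCertSha256")
-}
 if len(c.ServerName) > 0 {
 config.ServerName = serverName
 }
@@ -632,12 +628,13 @@ func (c *TLSConfig) Build() (proto.Message, error) {
 return nil, errors.New(`unknown "fingerprint": `, config.Fingerprint)
 }
 config.RejectUnknownSni = c.RejectUnknownSNI
+config.MasterKeyLog = c.MasterKeyLog
 
+if c.AllowInsecure {
+return nil, errors.PrintRemovedFeatureError(`"allowInsecure"`, `"pinnedPeerCertSha256"`)
+}
 if c.PinnedPeerCertSha256 != "" {
-config.PinnedPeerCertSha256 = [][]byte{}
-// Split by tilde separator
-hashes := strings.Split(c.PinnedPeerCertSha256, "~")
-for _, v := range hashes {
+for v := range strings.SplitSeq(c.PinnedPeerCertSha256, ",") {
 v = strings.TrimSpace(v)
 if v == "" {
 continue
@@ -650,12 +647,18 @@ func (c *TLSConfig) Build() (proto.Message, error) {
 }
 }
 
-config.MasterKeyLog = c.MasterKeyLog
-
-if c.ServerNameToVerify != "" {
-return nil, errors.PrintRemovedFeatureError(`"serverNameToVerify"`, `"verifyPeerCertInNames"`)
+if c.VerifyPeerCertInNames != nil {
+return nil, errors.PrintRemovedFeatureError(`"verifyPeerCertInNames"`, `"verifyPeerCertByName"`)
+}
+if c.VerifyPeerCertByName != "" {
+for v := range strings.SplitSeq(c.VerifyPeerCertByName, ",") {
+v = strings.TrimSpace(v)
+if v == "" {
+continue
+}
+config.VerifyPeerCertByName = append(config.VerifyPeerCertByName, v)
+}
 }
-config.VerifyPeerCertInNames = c.VerifyPeerCertInNames
 
 if c.ECHServerKeys != "" {
 EchPrivateKey, err := base64.StdEncoding.DecodeString(c.ECHServerKeys)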
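Review bot: In the last hunk of `(*TLSConfig).Build`, a `verifyPeerCertByName` value made only of separators or whitespace (for example `","`) passes the `!= ""` test, every item hits the `v == ""` skip, and `config.VerifyPeerCertByName` stays empty with no error. The restriction the operator wrote is then dropped silently. The `pinnedPeerCertSha256` loop in the previous hunk has the same skip-empty shape (its decoding lines are outside the hunk), and since this commit makes pinning the replacement for `allowInsecure`, both fields are better failing closed: after the loop add `if len(config.VerifyPeerCertByName) == 0 { return nil, errors.New("verifyPeerCertByName: no names given") }`, and the equivalent for the pin list. A config that still uses the old `~` separator now reaches the hash decoder as a single item, so it is worth confirming that path returns an error instead of building a config without the intended pins. Build itself starts and ends outside these hunks.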

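--- a/testing/scenarios/tls_test.go
+++ b/testing/scenarios/tls_test.go
@@ -36,6 +36,8 @@ func TestSimpleTLSConnection(t *testing.T) {
 common.Must(err)
 defer tcpServer.Close()
 
+ct, ctHash := cert.MustGenerate(nil, cert.CommonName("localhost"))
+
 userID := protocol.NewID(uuid.New())
 serverPort := tcp.PickPort()
 serverConfig := &core.Config{
@@ -48,7 +50,7 @@ func TestSimpleTLSConnection(t *testing.T) {
 SecurityType: serial.GetMessageType(&tls.Config{}),
 SecuritySettings: []*serial.TypedMessage{
 serial.ToTypedMessage(&tls.Config{
-Certificate: []*tls.Certificate{tls.ParseCertificate(cert.MustGenerate(nil))},
+Certificate: []*tls.Certificate{tls.ParseCertificate(ct)},
 }),
 },
 },
@@ -104,7 +106,7 @@ func TestSimpleTLSConnection(t *testing.T) {
 SecurityType: serial.GetMessageType(&tls.Config{}),
 SecuritySettings: []*serial.TypedMessage{
 serial.ToTypedMessage(&tls.Config{
-AllowInsecure: true,
+PinnedPeerCertSha256: [][]byte{ctHash[:]},
 }),
 },
 },
@@ -247,6 +249,8 @@ func TestTLSOverKCP(t *testing.T) {
 common.Must(err)
 defer tcpServer.Close()
 
+ct, ctHash := cert.MustGenerate(nil, cert.CommonName("localhost"))
+
 userID := protocol.NewID(uuid.New())
 serverPort := udp.PickPort()
 serverConfig := &core.Config{
@@ -260,7 +264,7 @@ func TestTLSOverKCP(t *testing.T) {
 SecurityType: serial.GetMessageType(&tls.Config{}),
 SecuritySettings: []*serial.TypedMessage{
 serial.ToTypedMessage(&tls.Config{
-Certificate: []*tls.Certificate{tls.ParseCertificate(cert.MustGenerate(nil))},
+Certificate: []*tls.Certificate{tls.ParseCertificate(ct)},
 }),
 },
 },
@@ -317,7 +321,7 @@ func TestTLSOverKCP(t *testing.T) {
 SecurityType: serial.GetMessageType(&tls.Config{}),
 SecuritySettings: []*serial.TypedMessage{
 serial.ToTypedMessage(&tls.Config{
-AllowInsecure: true,
+PinnedPeerCertSha256: [][]byte{ctHash[:]},
 }),
 },
 },
@@ -343,6 +347,8 @@ func TestTLSOverWebSocket(t *testing.T) {
 common.Must(err)
 defer tcpServer.Close()
 
+ct, ctHash := cert.MustGenerate(nil, cert.CommonName("localhost"))
+
 userID := protocol.NewID(uuid.New())
 serverPort := tcp.PickPort()
 serverConfig := &core.Config{
@@ -356,7 +362,7 @@ func TestTLSOverWebSocket(t *testing.T) {
 SecurityType: serial.GetMessageType(&tls.Config{}),
 SecuritySettings: []*serial.TypedMessage{
 serial.ToTypedMessage(&tls.Config{
-Certificate: []*tls.Certificate{tls.ParseCertificate(cert.MustGenerate(nil))},
+Certificate: []*tls.Certificate{tls.ParseCertificate(ct)},
 }),
 },
 },
@@ -419,7 +425,7 @@ func TestTLSOverWebSocket(t *testing.T) {
 SecurityType: serial.GetMessageType(&tls.Config{}),
 SecuritySettings: []*serial.TypedMessage{
 serial.ToTypedMessage(&tls.Config{
-AllowInsecure: true,
+PinnedPeerCertSha256: [][]byte{ctHash[:]},
 }),
 },
 },
@@ -449,6 +455,8 @@ func TestGRPC(t *testing.T) {
 common.Must(err)
 defer tcpServer.Close()
 
+ct, ctHash := cert.MustGenerate(nil, cert.CommonName("localhost"))
+
 userID := protocol.NewID(uuid.New())
 serverPort := tcp.PickPort()
 serverConfig := &core.Config{
@@ -468,7 +476,7 @@ func TestGRPC(t *testing.T) {
 SecurityType: serial.GetMessageType(&tls.Config{}),
 SecuritySettings: []*serial.TypedMessage{
 serial.ToTypedMessage(&tls.Config{
-Certificate: []*tls.Certificate{tls.ParseCertificate(cert.MustGenerate(nil))},
+Certificate: []*tls.Certificate{tls.ParseCertificate(ct)},
 }),
 },
 },
@@ -531,7 +539,7 @@ func TestGRPC(t *testing.T) {
 SecurityType: serial.GetMessageType(&tls.Config{}),
 SecuritySettings: []*serial.TypedMessage{
 serial.ToTypedMessage(&tls.Config{
-AllowInsecure: true,
+PinnedPeerCertSha256: [][]byte{ctHash[:]},
 }),
 },
 },
@@ -561,6 +569,8 @@ func TestGRPCMultiMode(t *testing.T) {
 common.Must(err)
 defer tcpServer.Close()
 
+ct, ctHash := cert.MustGenerate(nil, cert.CommonName("localhost"))
+
 userID := protocol.NewID(uuid.New())
 serverPort := tcp.PickPort()
 serverConfig := &core.Config{
@@ -580,7 +590,7 @@ func TestGRPCMultiMode(t *testing.T) {
 SecurityType: serial.GetMessageType(&tls.Config{}),
 SecuritySettings: []*serial.TypedMessage{
 serial.ToTypedMessage(&tls.Config{
-Certificate: []*tls.Certificate{tls.ParseCertificate(cert.MustGenerate(nil))},
+Certificate: []*tls.Certificate{tls.ParseCertificate(ct)},
 }),
 },
 },
@@ -643,7 +653,7 @@ func TestGRPCMultiMode(t *testing.T) {
 SecurityType: serial.GetMessageType(&tls.Config{}),
 SecuritySettings: []*serial.TypedMessage{
 serial.ToTypedMessage(&tls.Config{
-AllowInsecure: true,
+PinnedPeerCertSha256: [][]byte{ctHash[:]},
 }),
 },
 },
@@ -672,7 +682,7 @@ func TestSimpleTLSConnectionPinned(t *testing.T) {
 dest, err := tcpServer.Start()
 common.Must(err)
 defer tcpServer.Close()
-certificateDer := cert.MustGenerate(nil)
+certificateDer, _ := cert.MustGenerate(nil)
 certificate := tls.ParseCertificate(certificateDer)
 certHash := tls.GenerateCertHash(certificateDer.Certificate)
 userID := protocol.NewID(uuid.New())
@@ -743,7 +753,6 @@ func TestSimpleTLSConnectionPinned(t *testing.T) {
 SecurityType: serial.GetMessageType(&tls.Config{}),
 SecuritySettings: []*serial.TypedMessage{
 serial.ToTypedMessage(&tls.Config{
-AllowInsecure: true,
 PinnedPeerCertSha256: [][]byte{certHash},
 }),
 },
@@ -769,7 +778,7 @@ func TestSimpleTLSConnectionPinnedWrongCert(t *testing.T) {
 dest, err := tcpServer.Start()
 common.Must(err)
 defer tcpServer.Close()
-certificateDer := cert.MustGenerate(nil)
+certificateDer, _ := cert.MustGenerate(nil)
 certificate := tls.ParseCertificate(certificateDer)
 certHash := tls.GenerateCertHash(certificateDer.Certificate)
 certHash[1] += 1
@@ -841,7 +850,6 @@ func TestSimpleTLSConnectionPinnedWrongCert(t *testing.T) {
 SecurityType: serial.GetMessageType(&tls.Config{}),
 SecuritySettings: []*serial.TypedMessage{
 serial.ToTypedMessage(&tls.Config{
-AllowInsecure: true,
 PinnedPeerCertSha256: [][]byte{certHash},
 }),
 },
@@ -867,7 +875,7 @@ func TestUTLSConnectionPinned(t *testing.T) {
 dest, err := tcpServer.Start()
 common.Must(err)
 defer tcpServer.Close()
-certificateDer := cert.MustGenerate(nil)
+certificateDer, _ := cert.MustGenerate(nil)
 certificate := tls.ParseCertificate(certificateDer)
 certHash := tls.GenerateCertHash(certificateDer.Certificate)
 userID := protocol.NewID(uuid.New())
@@ -939,7 +947,6 @@ func TestUTLSConnectionPinned(t *testing.T) {
 SecuritySettings: []*serial.TypedMessage{
 serial.ToTypedMessage(&tls.Config{
 Fingerprint: "random",
-AllowInsecure: true,
 PinnedPeerCertSha256: [][]byte{certHash},
 }),
 },
@@ -965,7 +972,7 @@ func TestUTLSConnectionPinnedWrongCert(t *testing.T) {
 dest, err := tcpServer.Start()
 common.Must(err)
 defer tcpServer.Close()
-certificateDer := cert.MustGenerate(nil)
+certificateDer, _ := cert.MustGenerate(nil)
 certificate := tls.ParseCertificate(certificateDer)
 certHash := tls.GenerateCertHash(certificateDer.Certificate)
 certHash[1] += 1
@@ -1038,7 +1045,6 @@ func TestUTLSConnectionPinnedWrongCert(t *testing.T) {
 SecuritySettings: []*serial.TypedMessage{
 serial.ToTypedMessage(&tls.Config{
 Fingerprint: "random",
-AllowInsecure: true,
 PinnedPeerCertSha256: [][]byte{certHash},
 }),
 },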
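Review bot: The four pinned tests (`TestSimpleTLSConnectionPinned`, `TestSimpleTLSConnectionPinnedWrongCert`, `TestUTLSConnectionPinned`, `TestUTLSConnectionPinnedWrongCert`) discard the hash that `MustGenerate` now returns, with `certificateDer, _ := cert.MustGenerate(nil)`, and keep deriving it through `tls.GenerateCertHash`. Every other test in the file pins the returned `ctHash` instead. Nothing asserts that the two routines produce the same bytes, so a later change to either one would surface only as an unexplained handshake failure in half of the suite. I would take the returned value in these tests as well, `certificateDer, certHash := cert.MustGenerate(nil)` with `PinnedPeerCertSha256: [][]byte{certHash[:]}` (the `certHash[1] += 1` in the wrong-cert cases still works on the array), or keep both and compare them once. The test functions start and end outside these hunks.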

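--- a/testing/scenarios/vless_test.go
+++ b/testing/scenarios/vless_test.go
@@ -97,7 +97,7 @@ func TestVless(t *testing.T) {
 Vnext: &protocol.ServerEndpoint{
 Address: net.NewIPOrDomain(net.LocalHostIP),
 Port: uint32(serverPort),
-User: &protocol.User{
+User: &protocol.User{
 Account: serial.ToTypedMessage(&vless.Account{
 Id: userID.String(),
 }),
@@ -129,6 +129,8 @@ func TestVlessTls(t *testing.T) {
 common.Must(err)
 defer tcpServer.Close()
 
+ct, ctHash := cert.MustGenerate(nil, cert.CommonName("localhost"))
+
 userID := protocol.NewID(uuid.New())
 serverPort := tcp.PickPort()
 serverConfig := &core.Config{
@@ -148,7 +150,7 @@ func TestVlessTls(t *testing.T) {
 SecurityType: serial.GetMessageType(&tls.Config{}),
 SecuritySettings: []*serial.TypedMessage{
 serial.ToTypedMessage(&tls.Config{
-Certificate: []*tls.Certificate{tls.ParseCertificate(cert.MustGenerate(nil))},
+Certificate: []*tls.Certificate{tls.ParseCertificate(ct)},
 }),
 },
 },
@@ -198,7 +200,7 @@ func TestVlessTls(t *testing.T) {
 Vnext: &protocol.ServerEndpoint{
 Address: net.NewIPOrDomain(net.LocalHostIP),
 Port: uint32(serverPort),
-User: &protocol.User{
+User: &protocol.User{
 Account: serial.ToTypedMessage(&vless.Account{
 Id: userID.String(),
 }),
@@ -217,7 +219,7 @@ func TestVlessTls(t *testing.T) {
 SecurityType: serial.GetMessageType(&tls.Config{}),
 SecuritySettings: []*serial.TypedMessage{
 serial.ToTypedMessage(&tls.Config{
-AllowInsecure: true,
+PinnedPeerCertSha256: [][]byte{ctHash[:]},
 }),
 },
 },
@@ -247,6 +249,8 @@ func TestVlessXtlsVision(t *testing.T) {
 common.Must(err)
 defer tcpServer.Close()
 
+ct, ctHash := cert.MustGenerate(nil, cert.CommonName("localhost"))
+
 userID := protocol.NewID(uuid.New())
 serverPort := tcp.PickPort()
 serverConfig := &core.Config{
@@ -266,7 +270,7 @@ func TestVlessXtlsVision(t *testing.T) {
 SecurityType: serial.GetMessageType(&tls.Config{}),
 SecuritySettings: []*serial.TypedMessage{
 serial.ToTypedMessage(&tls.Config{
-Certificate: []*tls.Certificate{tls.ParseCertificate(cert.MustGenerate(nil))},
+Certificate: []*tls.Certificate{tls.ParseCertificate(ct)},
 }),
 },
 },
@@ -317,7 +321,7 @@ func TestVlessXtlsVision(t *testing.T) {
 Vnext: &protocol.ServerEndpoint{
 Address: net.NewIPOrDomain(net.LocalHostIP),
 Port: uint32(serverPort),
-User: &protocol.User{
+User: &protocol.User{
 Account: serial.ToTypedMessage(&vless.Account{
 Id: userID.String(),
 Flow: vless.XRV,
@@ -337,7 +341,7 @@ func TestVlessXtlsVision(t *testing.T) {
 SecurityType: serial.GetMessageType(&tls.Config{}),
 SecuritySettings: []*serial.TypedMessage{
 serial.ToTypedMessage(&tls.Config{
-AllowInsecure: true,
+PinnedPeerCertSha256: [][]byte{ctHash[:]},
 }),
 },
 },
@@ -447,7 +451,7 @@ func TestVlessXtlsVisionReality(t *testing.T) {
 Vnext: &protocol.ServerEndpoint{
 Address: net.NewIPOrDomain(net.LocalHostIP),
 Port: uint32(serverPort),
-User: &protocol.User{
+User: &protocol.User{
 Account: serial.ToTypedMessage(&vless.Account{
 Id: userID.String(),
 Flow: vless.XRV,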
