6 changes: 5 additions & 1 deletion infra/conf/transport_internet.go
Expand Up @@ -639,10 +639,14 @@ func (c *TLSConfig) Build() (proto.Message, error) {
if v == "" {
continue
}
hashValue, err := hex.DecodeString(v)
// remove colons for OpenSSL format
hashValue, err := hex.DecodeString(strings.ReplaceAll(v, ":", ""))
if err != nil {
return nil, err
}
if len(hashValue) != 32 {
return nil, errors.New("incorrect pinnedPeerCertSha256 length: ", v)
}
config.PinnedPeerCertSha256 = append(config.PinnedPeerCertSha256, hashValue)
}
}
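Review bot: The hex decode failure at `return nil, err` is returned bare, so with several pinnedPeerCertSha256 entries configured the user cannot tell which one failed to parse, whereas the new length check a few lines below does name the offending value. Consider giving the decode failure the same context, e.g. `return nil, errors.New("invalid pinnedPeerCertSha256 hex: ", v, " ", err)`, assuming the project's errors.New takes the same variadic arguments the length error already passes. The comment `// remove colons for OpenSSL format` could also state what is accepted: `// accept the colon-separated fingerprint printed by openssl x509 -fingerprint -sha256 as well as plain hex`. TLSConfig.Build begins and ends outside this hunk.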
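--- a/main/commands/all/tls/ping.go
+++ b/main/commands/all/tls/ping.go
@@ -75,8 +75,6 @@ func executePing(cmd *base.Command, args []string) {
 NextProtos: []string{"h2", "http/1.1"},
 MaxVersion: gotls.VersionTLS13,
 MinVersion: gotls.VersionTLS12,
-// Do not release tool before v5's refactor
-// VerifyPeerCertificate: showCert(),
 })
 err = tlsConn.Handshake()
 if err != nil {
@@ -101,8 +99,6 @@ func executePing(cmd *base.Command, args []string) {
 NextProtos: []string{"h2", "http/1.1"},
 MaxVersion: gotls.VersionTLS13,
 MinVersion: gotls.VersionTLS12,
-// Do not release tool before v5's refactor
-// VerifyPeerCertificate: showCert(),
 })
 err = tlsConn.Handshake()
 if err != nil {
@@ -133,6 +129,7 @@ func printCertificates(certs []*x509.Certificate) {
 fmt.Println("Cert's signature algorithm: ", leaf.SignatureAlgorithm.String())
 fmt.Println("Cert's publicKey algorithm: ", leaf.PublicKeyAlgorithm.String())
 fmt.Println("Cert's allowed domains: ", leaf.DNSNames)
+fmt.Println("Cert's leaf SHA256: ", hex.EncodeToString(GenerateCertHash(leaf)))
 }
 }
 
@@ -153,17 +150,3 @@ func printTLSConnDetail(tlsConn *gotls.Conn) {
 fmt.Println("TLS Post-Quantum key exchange: false (RSA Exchange)")
 }
 }
-
-func showCert() func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
-return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
-var hash []byte
-for _, asn1Data := range rawCerts {
-cert, _ := x509.ParseCertificate(asn1Data)
-if cert.IsCA {
-hash = GenerateCertHash(cert)
-}
-}
-fmt.Println("Certificate Leaf Hash: ", hex.EncodeToString(hash))
-return nil
-}
-}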
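Review bot: The added `fmt.Println("Cert's leaf SHA256: ", ...)` line in printCertificates prints the value a user would paste into pinnedPeerCertSha256, but nothing says which certificate it covers; the removed showCert helper hashed whichever chain entry had IsCA set, so someone comparing old and new output may assume the same value is printed. A one-line comment would settle it: `// SHA-256 of the leaf (end-entity) certificate, in the hex form pinnedPeerCertSha256 consumes`. printCertificates starts outside the hunk, so whether leaf is certs[0] and exactly what GenerateCertHash hashes cannot be confirmed from here; adjust the wording to match. The two executePing hunks above only drop commented-out code and need no change.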