From 419982688f8a6128fa7b705247f9803965c5c926 Mon Sep 17 00:00:00 2001 From: gVisor bot Date: Thu, 12 Jan 2023 17:55:01 -0800 Subject: [PATCH] fix: skip-cert-verify is true by default (#333) * fix: skip-cert-verify is true by default * fix: format * fix: typo Co-authored-by: 3andero <3andero@github.com> Co-authored-by: Hellojack <106379370+H1JK@users.noreply.github.com> --- adapter/outbound/http.go | 4 ++-- adapter/outbound/hysteria.go | 2 +- adapter/outbound/shadowsocks.go | 2 +- adapter/outbound/socks5.go | 4 ++-- adapter/outbound/trojan.go | 2 +- adapter/outbound/tuic.go | 2 +- adapter/outbound/vless.go | 4 ++-- adapter/outbound/vmess.go | 7 ++++--- component/tls/config.go | 24 +++++++++++++++--------- dns/client.go | 7 ++++--- dns/doh.go | 2 +- dns/doq.go | 2 +- transport/trojan/trojan.go | 4 ++-- transport/v2ray-plugin/websocket.go | 4 ++-- transport/vless/xtls.go | 4 ++-- transport/vmess/tls.go | 4 ++-- 16 files changed, 43 insertions(+), 35 deletions(-) diff --git a/adapter/outbound/http.go b/adapter/outbound/http.go index b734290a..088dd8ff 100644 --- a/adapter/outbound/http.go +++ b/adapter/outbound/http.go @@ -7,7 +7,6 @@ import ( "encoding/base64" "errors" "fmt" - tlsC "github.com/Dreamacro/clash/component/tls" "io" "net" "net/http" @@ -15,6 +14,7 @@ import ( "strconv" "github.com/Dreamacro/clash/component/dialer" + tlsC "github.com/Dreamacro/clash/component/tls" C "github.com/Dreamacro/clash/constant" ) @@ -150,7 +150,7 @@ func NewHttp(option HttpOption) (*Http, error) { sni = option.SNI } if len(option.Fingerprint) == 0 { - tlsConfig = tlsC.GetGlobalFingerprintTLCConfig(&tls.Config{ + tlsConfig = tlsC.GetGlobalFingerprintTLSConfig(&tls.Config{ InsecureSkipVerify: option.SkipCertVerify, ServerName: sni, }) diff --git a/adapter/outbound/hysteria.go b/adapter/outbound/hysteria.go index a1276415..9d32cb33 100644 --- a/adapter/outbound/hysteria.go +++ b/adapter/outbound/hysteria.go @@ -178,7 +178,7 @@ func NewHysteria(option HysteriaOption) (*Hysteria, error) { return nil, err } } else { - tlsConfig = tlsC.GetGlobalFingerprintTLCConfig(tlsConfig) + tlsConfig = tlsC.GetGlobalFingerprintTLSConfig(tlsConfig) } if len(option.ALPN) > 0 { diff --git a/adapter/outbound/shadowsocks.go b/adapter/outbound/shadowsocks.go index 8df84c7c..3e04b6ef 100644 --- a/adapter/outbound/shadowsocks.go +++ b/adapter/outbound/shadowsocks.go @@ -223,7 +223,7 @@ func NewShadowSocks(option ShadowSocksOption) (*ShadowSocks, error) { } if len(shadowTLSOpt.Fingerprint) == 0 { - tlsConfig = tlsC.GetGlobalFingerprintTLCConfig(tlsConfig) + tlsConfig = tlsC.GetGlobalFingerprintTLSConfig(tlsConfig) } else { if tlsConfig, err = tlsC.GetSpecifiedFingerprintTLSConfig(tlsConfig, shadowTLSOpt.Fingerprint); err != nil { return nil, err diff --git a/adapter/outbound/socks5.go b/adapter/outbound/socks5.go index 28d41180..c76707c3 100644 --- a/adapter/outbound/socks5.go +++ b/adapter/outbound/socks5.go @@ -5,12 +5,12 @@ import ( "crypto/tls" "errors" "fmt" - tlsC "github.com/Dreamacro/clash/component/tls" "io" "net" "strconv" "github.com/Dreamacro/clash/component/dialer" + tlsC "github.com/Dreamacro/clash/component/tls" C "github.com/Dreamacro/clash/constant" "github.com/Dreamacro/clash/transport/socks5" ) @@ -167,7 +167,7 @@ func NewSocks5(option Socks5Option) (*Socks5, error) { } if len(option.Fingerprint) == 0 { - tlsConfig = tlsC.GetGlobalFingerprintTLCConfig(tlsConfig) + tlsConfig = tlsC.GetGlobalFingerprintTLSConfig(tlsConfig) } else { var err error if tlsConfig, err = tlsC.GetSpecifiedFingerprintTLSConfig(tlsConfig, option.Fingerprint); err != nil { diff --git a/adapter/outbound/trojan.go b/adapter/outbound/trojan.go index e7928b50..99c49345 100644 --- a/adapter/outbound/trojan.go +++ b/adapter/outbound/trojan.go @@ -268,7 +268,7 @@ func NewTrojan(option TrojanOption) (*Trojan, error) { } if len(option.Fingerprint) == 0 { - tlsConfig = tlsC.GetGlobalFingerprintTLCConfig(tlsConfig) + tlsConfig = tlsC.GetGlobalFingerprintTLSConfig(tlsConfig) } else { var err error if tlsConfig, err = tlsC.GetSpecifiedFingerprintTLSConfig(tlsConfig, option.Fingerprint); err != nil { diff --git a/adapter/outbound/tuic.go b/adapter/outbound/tuic.go index fa24ae39..3bd750c1 100644 --- a/adapter/outbound/tuic.go +++ b/adapter/outbound/tuic.go @@ -143,7 +143,7 @@ func NewTuic(option TuicOption) (*Tuic, error) { return nil, err } } else { - tlsConfig = tlsC.GetGlobalFingerprintTLCConfig(tlsConfig) + tlsConfig = tlsC.GetGlobalFingerprintTLSConfig(tlsConfig) } if len(option.ALPN) > 0 { diff --git a/adapter/outbound/vless.go b/adapter/outbound/vless.go index e9e382c4..a0d711cb 100644 --- a/adapter/outbound/vless.go +++ b/adapter/outbound/vless.go @@ -98,7 +98,7 @@ func (v *Vless) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) { } if len(v.option.Fingerprint) == 0 { - wsOpts.TLSConfig = tlsC.GetGlobalFingerprintTLCConfig(tlsConfig) + wsOpts.TLSConfig = tlsC.GetGlobalFingerprintTLSConfig(tlsConfig) } else { wsOpts.TLSConfig, err = tlsC.GetSpecifiedFingerprintTLSConfig(tlsConfig, v.option.Fingerprint) } @@ -522,7 +522,7 @@ func NewVless(option VlessOption) (*Vless, error) { ServiceName: v.option.GrpcOpts.GrpcServiceName, Host: v.option.ServerName, } - tlsConfig := tlsC.GetGlobalFingerprintTLCConfig(&tls.Config{ + tlsConfig := tlsC.GetGlobalFingerprintTLSConfig(&tls.Config{ InsecureSkipVerify: v.option.SkipCertVerify, ServerName: v.option.ServerName, }) diff --git a/adapter/outbound/vmess.go b/adapter/outbound/vmess.go index 4d3bb3d7..26ed400e 100644 --- a/adapter/outbound/vmess.go +++ b/adapter/outbound/vmess.go @@ -5,14 +5,15 @@ import ( "crypto/tls" "errors" "fmt" - tlsC "github.com/Dreamacro/clash/component/tls" - vmess "github.com/sagernet/sing-vmess" "net" "net/http" "strconv" "strings" "sync" + tlsC "github.com/Dreamacro/clash/component/tls" + vmess "github.com/sagernet/sing-vmess" + "github.com/Dreamacro/clash/component/dialer" "github.com/Dreamacro/clash/component/resolver" C "github.com/Dreamacro/clash/constant" @@ -114,7 +115,7 @@ func (v *Vmess) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) { } if len(v.option.Fingerprint) == 0 { - wsOpts.TLSConfig = tlsC.GetGlobalFingerprintTLCConfig(tlsConfig) + wsOpts.TLSConfig = tlsC.GetGlobalFingerprintTLSConfig(tlsConfig) } else { if wsOpts.TLSConfig, err = tlsC.GetSpecifiedFingerprintTLSConfig(tlsConfig, v.option.Fingerprint); err != nil { return nil, err diff --git a/component/tls/config.go b/component/tls/config.go index 4470658f..6f5b1107 100644 --- a/component/tls/config.go +++ b/component/tls/config.go @@ -7,12 +7,13 @@ import ( "crypto/x509" "encoding/hex" "fmt" - xtls "github.com/xtls/go" "sync" "time" + + xtls "github.com/xtls/go" ) -var globalFingerprints = make([][32]byte, 0, 0) +var globalFingerprints = make([][32]byte, 0) var mutex sync.Mutex func verifyPeerCertificateAndFingerprints(fingerprints *[][32]byte, insecureSkipVerify bool) func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error { @@ -74,7 +75,7 @@ func convertFingerprint(fingerprint string) (*[32]byte, error) { } func GetDefaultTLSConfig() *tls.Config { - return GetGlobalFingerprintTLCConfig(nil) + return GetGlobalFingerprintTLSConfig(nil) } // GetSpecifiedFingerprintTLSConfig specified fingerprint @@ -95,16 +96,20 @@ func GetSpecifiedFingerprintTLSConfig(tlsConfig *tls.Config, fingerprint string) } } -func GetGlobalFingerprintTLCConfig(tlsConfig *tls.Config) *tls.Config { +func GetGlobalFingerprintTLSConfig(tlsConfig *tls.Config) *tls.Config { + // If there's at least one fingerprint then we could skip the general check + // If there's no fingerprints but the config insists then we should skip. + // Otherwise we should do a general verification. + shouldSkipVerify := len(globalFingerprints) != 0 || tlsConfig != nil && tlsConfig.InsecureSkipVerify if tlsConfig == nil { return &tls.Config{ - InsecureSkipVerify: true, + InsecureSkipVerify: shouldSkipVerify, VerifyPeerCertificate: verifyPeerCertificateAndFingerprints(&globalFingerprints, false), } } tlsConfig.VerifyPeerCertificate = verifyPeerCertificateAndFingerprints(&globalFingerprints, tlsConfig.InsecureSkipVerify) - tlsConfig.InsecureSkipVerify = true + tlsConfig.InsecureSkipVerify = shouldSkipVerify return tlsConfig } @@ -126,15 +131,16 @@ func GetSpecifiedFingerprintXTLSConfig(tlsConfig *xtls.Config, fingerprint strin } } -func GetGlobalFingerprintXTLCConfig(tlsConfig *xtls.Config) *xtls.Config { +func GetGlobalFingerprintXTLSConfig(tlsConfig *xtls.Config) *xtls.Config { + shouldSkipVerify := len(globalFingerprints) != 0 || tlsConfig != nil && tlsConfig.InsecureSkipVerify if tlsConfig == nil { return &xtls.Config{ - InsecureSkipVerify: true, + InsecureSkipVerify: shouldSkipVerify, VerifyPeerCertificate: verifyPeerCertificateAndFingerprints(&globalFingerprints, false), } } tlsConfig.VerifyPeerCertificate = verifyPeerCertificateAndFingerprints(&globalFingerprints, tlsConfig.InsecureSkipVerify) - tlsConfig.InsecureSkipVerify = true + tlsConfig.InsecureSkipVerify = shouldSkipVerify return tlsConfig } diff --git a/dns/client.go b/dns/client.go index a7bf5eb3..30fd25c8 100644 --- a/dns/client.go +++ b/dns/client.go @@ -4,13 +4,14 @@ import ( "context" "crypto/tls" "fmt" - tlsC "github.com/Dreamacro/clash/component/tls" - "go.uber.org/atomic" "math/rand" "net" "net/netip" "strings" + tlsC "github.com/Dreamacro/clash/component/tls" + "go.uber.org/atomic" + "github.com/Dreamacro/clash/component/dialer" "github.com/Dreamacro/clash/component/resolver" @@ -77,7 +78,7 @@ func (c *client) ExchangeContext(ctx context.Context, m *D.Msg) (*D.Msg, error) ch := make(chan result, 1) go func() { if strings.HasSuffix(c.Client.Net, "tls") { - conn = tls.Client(conn, tlsC.GetGlobalFingerprintTLCConfig(c.Client.TLSConfig)) + conn = tls.Client(conn, tlsC.GetGlobalFingerprintTLSConfig(c.Client.TLSConfig)) } msg, _, err := c.Client.ExchangeWithConn(m, &D.Conn{ diff --git a/dns/doh.go b/dns/doh.go index 34685578..ca694fb9 100644 --- a/dns/doh.go +++ b/dns/doh.go @@ -374,7 +374,7 @@ func (doh *dnsOverHTTPS) createClient(ctx context.Context) (*http.Client, error) // HTTP3 is enabled in the upstream options). If this attempt is successful, // it returns an HTTP3 transport, otherwise it returns the H1/H2 transport. func (doh *dnsOverHTTPS) createTransport(ctx context.Context) (t http.RoundTripper, err error) { - tlsConfig := tlsC.GetGlobalFingerprintTLCConfig( + tlsConfig := tlsC.GetGlobalFingerprintTLSConfig( &tls.Config{ InsecureSkipVerify: false, MinVersion: tls.VersionTLS12, diff --git a/dns/doq.go b/dns/doq.go index 1c5956af..85c3a85c 100644 --- a/dns/doq.go +++ b/dns/doq.go @@ -298,7 +298,7 @@ func (doq *dnsOverQUIC) openStream(ctx context.Context, conn quic.Connection) (q // openConnection opens a new QUIC connection. func (doq *dnsOverQUIC) openConnection(ctx context.Context) (conn quic.Connection, err error) { - tlsConfig := tlsC.GetGlobalFingerprintTLCConfig( + tlsConfig := tlsC.GetGlobalFingerprintTLSConfig( &tls.Config{ InsecureSkipVerify: false, NextProtos: []string{ diff --git a/transport/trojan/trojan.go b/transport/trojan/trojan.go index 86de2f65..561f8765 100644 --- a/transport/trojan/trojan.go +++ b/transport/trojan/trojan.go @@ -82,7 +82,7 @@ func (t *Trojan) StreamConn(conn net.Conn) (net.Conn, error) { } if len(t.option.Fingerprint) == 0 { - xtlsConfig = tlsC.GetGlobalFingerprintXTLCConfig(xtlsConfig) + xtlsConfig = tlsC.GetGlobalFingerprintXTLSConfig(xtlsConfig) } else { var err error if xtlsConfig, err = tlsC.GetSpecifiedFingerprintXTLSConfig(xtlsConfig, t.option.Fingerprint); err != nil { @@ -107,7 +107,7 @@ func (t *Trojan) StreamConn(conn net.Conn) (net.Conn, error) { } if len(t.option.Fingerprint) == 0 { - tlsConfig = tlsC.GetGlobalFingerprintTLCConfig(tlsConfig) + tlsConfig = tlsC.GetGlobalFingerprintTLSConfig(tlsConfig) } else { var err error if tlsConfig, err = tlsC.GetSpecifiedFingerprintTLSConfig(tlsConfig, t.option.Fingerprint); err != nil { diff --git a/transport/v2ray-plugin/websocket.go b/transport/v2ray-plugin/websocket.go index 2a052888..56b0e481 100644 --- a/transport/v2ray-plugin/websocket.go +++ b/transport/v2ray-plugin/websocket.go @@ -2,10 +2,10 @@ package obfs import ( "crypto/tls" - tlsC "github.com/Dreamacro/clash/component/tls" "net" "net/http" + tlsC "github.com/Dreamacro/clash/component/tls" "github.com/Dreamacro/clash/transport/vmess" ) @@ -43,7 +43,7 @@ func NewV2rayObfs(conn net.Conn, option *Option) (net.Conn, error) { NextProtos: []string{"http/1.1"}, } if len(option.Fingerprint) == 0 { - config.TLSConfig = tlsC.GetGlobalFingerprintTLCConfig(tlsConfig) + config.TLSConfig = tlsC.GetGlobalFingerprintTLSConfig(tlsConfig) } else { var err error if config.TLSConfig, err = tlsC.GetSpecifiedFingerprintTLSConfig(tlsConfig, option.Fingerprint); err != nil { diff --git a/transport/vless/xtls.go b/transport/vless/xtls.go index ab8248af..0b461c56 100644 --- a/transport/vless/xtls.go +++ b/transport/vless/xtls.go @@ -2,9 +2,9 @@ package vless import ( "context" - tlsC "github.com/Dreamacro/clash/component/tls" "net" + tlsC "github.com/Dreamacro/clash/component/tls" C "github.com/Dreamacro/clash/constant" xtls "github.com/xtls/go" ) @@ -23,7 +23,7 @@ func StreamXTLSConn(conn net.Conn, cfg *XTLSConfig) (net.Conn, error) { NextProtos: cfg.NextProtos, } if len(cfg.Fingerprint) == 0 { - xtlsConfig = tlsC.GetGlobalFingerprintXTLCConfig(xtlsConfig) + xtlsConfig = tlsC.GetGlobalFingerprintXTLSConfig(xtlsConfig) } else { var err error if xtlsConfig, err = tlsC.GetSpecifiedFingerprintXTLSConfig(xtlsConfig, cfg.Fingerprint); err != nil { diff --git a/transport/vmess/tls.go b/transport/vmess/tls.go index 75434095..8ac80ce6 100644 --- a/transport/vmess/tls.go +++ b/transport/vmess/tls.go @@ -3,9 +3,9 @@ package vmess import ( "context" "crypto/tls" - tlsC "github.com/Dreamacro/clash/component/tls" "net" + tlsC "github.com/Dreamacro/clash/component/tls" C "github.com/Dreamacro/clash/constant" ) @@ -24,7 +24,7 @@ func StreamTLSConn(conn net.Conn, cfg *TLSConfig) (net.Conn, error) { } if len(cfg.FingerPrint) == 0 { - tlsConfig = tlsC.GetGlobalFingerprintTLCConfig(tlsConfig) + tlsConfig = tlsC.GetGlobalFingerprintTLSConfig(tlsConfig) } else { var err error if tlsConfig, err = tlsC.GetSpecifiedFingerprintTLSConfig(tlsConfig, cfg.FingerPrint); err != nil {