feat: add fingerprint for tls verify

This commit is contained in:
gVisor bot 2022-07-10 20:44:24 +08:00
parent 71afe64a8e
commit 91e1649822
15 changed files with 137 additions and 31 deletions

View file

@ -7,6 +7,7 @@ import (
"encoding/base64" "encoding/base64"
"errors" "errors"
"fmt" "fmt"
tlsC "github.com/Dreamacro/clash/common/tls"
"io" "io"
"net" "net"
"net/http" "net/http"
@ -149,7 +150,7 @@ func NewHttp(option HttpOption) *Http {
}, },
user: option.UserName, user: option.UserName,
pass: option.Password, pass: option.Password,
tlsConfig: tlsConfig, tlsConfig: tlsC.MixinTLSConfig(tlsConfig),
option: &option, option: &option,
} }
} }

View file

@ -5,6 +5,7 @@ import (
"crypto/tls" "crypto/tls"
"crypto/x509" "crypto/x509"
"fmt" "fmt"
tlsC "github.com/Dreamacro/clash/common/tls"
"github.com/Dreamacro/clash/transport/hysteria/core" "github.com/Dreamacro/clash/transport/hysteria/core"
"github.com/Dreamacro/clash/transport/hysteria/obfs" "github.com/Dreamacro/clash/transport/hysteria/obfs"
"github.com/Dreamacro/clash/transport/hysteria/pmtud_fix" "github.com/Dreamacro/clash/transport/hysteria/pmtud_fix"
@ -121,11 +122,11 @@ func NewHysteria(option HysteriaOption) (*Hysteria, error) {
if option.SNI != "" { if option.SNI != "" {
serverName = option.SNI serverName = option.SNI
} }
tlsConfig := &tls.Config{ tlsConfig := tlsC.MixinTLSConfig(&tls.Config{
ServerName: serverName, ServerName: serverName,
InsecureSkipVerify: option.SkipCertVerify, InsecureSkipVerify: option.SkipCertVerify,
MinVersion: tls.VersionTLS13, MinVersion: tls.VersionTLS13,
} })
if len(option.ALPN) > 0 { if len(option.ALPN) > 0 {
tlsConfig.NextProtos = []string{option.ALPN} tlsConfig.NextProtos = []string{option.ALPN}
} else { } else {

View file

@ -5,6 +5,7 @@ import (
"crypto/tls" "crypto/tls"
"errors" "errors"
"fmt" "fmt"
tlsC "github.com/Dreamacro/clash/common/tls"
"io" "io"
"net" "net"
"strconv" "strconv"
@ -160,7 +161,7 @@ func NewSocks5(option Socks5Option) *Socks5 {
pass: option.Password, pass: option.Password,
tls: option.TLS, tls: option.TLS,
skipCertVerify: option.SkipCertVerify, skipCertVerify: option.SkipCertVerify,
tlsConfig: tlsConfig, tlsConfig: tlsC.MixinTLSConfig(tlsConfig),
} }
} }

View file

@ -4,6 +4,7 @@ import (
"context" "context"
"crypto/tls" "crypto/tls"
"fmt" "fmt"
tlsC "github.com/Dreamacro/clash/common/tls"
"net" "net"
"net/http" "net/http"
"strconv" "strconv"
@ -227,12 +228,12 @@ func NewTrojan(option TrojanOption) (*Trojan, error) {
return c, nil return c, nil
} }
tlsConfig := &tls.Config{ tlsConfig := tlsC.MixinTLSConfig(&tls.Config{
NextProtos: option.ALPN, NextProtos: option.ALPN,
MinVersion: tls.VersionTLS12, MinVersion: tls.VersionTLS12,
InsecureSkipVerify: tOption.SkipCertVerify, InsecureSkipVerify: tOption.SkipCertVerify,
ServerName: tOption.ServerName, ServerName: tOption.ServerName,
} })
if t.option.Flow != "" { if t.option.Flow != "" {
t.transport = gun.NewHTTP2XTLSClient(dialFn, tlsConfig) t.transport = gun.NewHTTP2XTLSClient(dialFn, tlsConfig)

View file

@ -7,6 +7,7 @@ import (
"errors" "errors"
"fmt" "fmt"
"github.com/Dreamacro/clash/common/convert" "github.com/Dreamacro/clash/common/convert"
tlsC "github.com/Dreamacro/clash/common/tls"
"io" "io"
"net" "net"
"net/http" "net/http"
@ -80,12 +81,12 @@ func (v *Vless) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
} }
if v.option.TLS { if v.option.TLS {
wsOpts.TLS = true wsOpts.TLS = true
wsOpts.TLSConfig = &tls.Config{ wsOpts.TLSConfig = tlsC.MixinTLSConfig(&tls.Config{
MinVersion: tls.VersionTLS12, MinVersion: tls.VersionTLS12,
ServerName: host, ServerName: host,
InsecureSkipVerify: v.option.SkipCertVerify, InsecureSkipVerify: v.option.SkipCertVerify,
NextProtos: []string{"http/1.1"}, NextProtos: []string{"http/1.1"},
} })
if v.option.ServerName != "" { if v.option.ServerName != "" {
wsOpts.TLSConfig.ServerName = v.option.ServerName wsOpts.TLSConfig.ServerName = v.option.ServerName
} else if host := wsOpts.Headers.Get("Host"); host != "" { } else if host := wsOpts.Headers.Get("Host"); host != "" {
@ -436,10 +437,10 @@ func NewVless(option VlessOption) (*Vless, error) {
ServiceName: v.option.GrpcOpts.GrpcServiceName, ServiceName: v.option.GrpcOpts.GrpcServiceName,
Host: v.option.ServerName, Host: v.option.ServerName,
} }
tlsConfig := &tls.Config{ tlsConfig := tlsC.MixinTLSConfig(&tls.Config{
InsecureSkipVerify: v.option.SkipCertVerify, InsecureSkipVerify: v.option.SkipCertVerify,
ServerName: v.option.ServerName, ServerName: v.option.ServerName,
} })
if v.option.ServerName == "" { if v.option.ServerName == "" {
host, _, _ := net.SplitHostPort(v.addr) host, _, _ := net.SplitHostPort(v.addr)

View file

@ -5,13 +5,13 @@ import (
"crypto/tls" "crypto/tls"
"errors" "errors"
"fmt" "fmt"
tlsC "github.com/Dreamacro/clash/common/tls"
"net" "net"
"net/http" "net/http"
"strconv" "strconv"
"strings" "strings"
"sync" "sync"
"github.com/Dreamacro/clash/common/convert"
"github.com/Dreamacro/clash/component/dialer" "github.com/Dreamacro/clash/component/dialer"
"github.com/Dreamacro/clash/component/resolver" "github.com/Dreamacro/clash/component/resolver"
C "github.com/Dreamacro/clash/constant" C "github.com/Dreamacro/clash/constant"
@ -100,21 +100,16 @@ func (v *Vmess) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
if v.option.TLS { if v.option.TLS {
wsOpts.TLS = true wsOpts.TLS = true
wsOpts.TLSConfig = &tls.Config{ wsOpts.TLSConfig = tlsC.MixinTLSConfig(&tls.Config{
ServerName: host, ServerName: host,
InsecureSkipVerify: v.option.SkipCertVerify, InsecureSkipVerify: v.option.SkipCertVerify,
NextProtos: []string{"http/1.1"}, NextProtos: []string{"http/1.1"},
} })
if v.option.ServerName != "" { if v.option.ServerName != "" {
wsOpts.TLSConfig.ServerName = v.option.ServerName wsOpts.TLSConfig.ServerName = v.option.ServerName
} else if host := wsOpts.Headers.Get("Host"); host != "" { } else if host := wsOpts.Headers.Get("Host"); host != "" {
wsOpts.TLSConfig.ServerName = host wsOpts.TLSConfig.ServerName = host
} }
} else {
if host := wsOpts.Headers.Get("Host"); host == "" {
wsOpts.Headers.Set("Host", convert.RandHost())
convert.SetUserAgent(wsOpts.Headers)
}
} }
c, err = clashVMess.StreamWebsocketConn(c, wsOpts) c, err = clashVMess.StreamWebsocketConn(c, wsOpts)
case "http": case "http":

80
common/tls/config.go Normal file
View file

@ -0,0 +1,80 @@
package tls
import (
"bytes"
"crypto/sha256"
"crypto/tls"
"crypto/x509"
"encoding/hex"
"fmt"
"strings"
"sync"
"time"
)
var fingerprints [][32]byte
var rwLock sync.Mutex
var defaultTLSConfig = &tls.Config{
InsecureSkipVerify: true,
VerifyPeerCertificate: verifyPeerCertificate,
}
var verifyPeerCertificate = func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
fingerprints := fingerprints
var preErr error
for i := range rawCerts {
rawCert := rawCerts[i]
cert, err := x509.ParseCertificate(rawCert)
if err == nil {
opts := x509.VerifyOptions{
CurrentTime: time.Now(),
}
if _, err := cert.Verify(opts); err == nil {
return nil
} else {
fingerprint := sha256.Sum256(cert.Raw)
for _, fp := range fingerprints {
if bytes.Equal(fingerprint[:], fp[:]) {
return nil
}
}
preErr = err
}
}
}
return preErr
}
func AddCertFingerprint(fingerprint string) error {
fp := strings.Replace(fingerprint, ":", "", -1)
fpByte, err := hex.DecodeString(fp)
if err != nil {
return err
}
if len(fpByte) != 32 {
return fmt.Errorf("fingerprint string length error,need sha25 fingerprint")
}
rwLock.Lock()
fingerprints = append(fingerprints, *(*[32]byte)(fpByte))
rwLock.Unlock()
return nil
}
func GetDefaultTLSConfig() *tls.Config {
return defaultTLSConfig
}
func MixinTLSConfig(tlsConfig *tls.Config) *tls.Config {
if tlsConfig == nil {
return GetDefaultTLSConfig()
}
tlsConfig.InsecureSkipVerify = true
tlsConfig.VerifyPeerCertificate = verifyPeerCertificate
return tlsConfig
}

View file

@ -2,6 +2,7 @@ package http
import ( import (
"context" "context"
"github.com/Dreamacro/clash/common/tls"
"github.com/Dreamacro/clash/listener/inner" "github.com/Dreamacro/clash/listener/inner"
"github.com/Dreamacro/clash/log" "github.com/Dreamacro/clash/log"
"io" "io"
@ -56,6 +57,7 @@ func HttpRequest(ctx context.Context, url, method string, header map[string][]st
conn := inner.HandleTcp(address, urlRes.Hostname()) conn := inner.HandleTcp(address, urlRes.Hostname())
return conn, nil return conn, nil
}, },
TLSClientConfig: tls.GetDefaultTLSConfig(),
} }
client := http.Client{Transport: transport} client := http.Client{Transport: transport}

View file

@ -136,7 +136,9 @@ type Sniffer struct {
} }
// Experimental config // Experimental config
type Experimental struct{} type Experimental struct {
Fingerprints []string `yaml:"fingerprints"`
}
// Config is clash config manager // Config is clash config manager
type Config struct { type Config struct {

View file

@ -4,6 +4,7 @@ import (
"context" "context"
"crypto/tls" "crypto/tls"
"fmt" "fmt"
tlsC "github.com/Dreamacro/clash/common/tls"
"go.uber.org/atomic" "go.uber.org/atomic"
"net" "net"
"net/netip" "net/netip"
@ -77,7 +78,7 @@ func (c *client) ExchangeContext(ctx context.Context, m *D.Msg) (*D.Msg, error)
ch := make(chan result, 1) ch := make(chan result, 1)
go func() { go func() {
if strings.HasSuffix(c.Client.Net, "tls") { if strings.HasSuffix(c.Client.Net, "tls") {
conn = tls.Client(conn, c.Client.TLSConfig) conn = tls.Client(conn, tlsC.MixinTLSConfig(c.Client.TLSConfig))
} }
msg, _, err := c.Client.ExchangeWithConn(m, &D.Conn{ msg, _, err := c.Client.ExchangeWithConn(m, &D.Conn{

View file

@ -4,6 +4,7 @@ import (
"bytes" "bytes"
"context" "context"
"crypto/tls" "crypto/tls"
tls2 "github.com/Dreamacro/clash/common/tls"
"github.com/Dreamacro/clash/component/dialer" "github.com/Dreamacro/clash/component/dialer"
"github.com/Dreamacro/clash/component/resolver" "github.com/Dreamacro/clash/component/resolver"
"github.com/lucas-clemente/quic-go" "github.com/lucas-clemente/quic-go"
@ -119,6 +120,7 @@ func newDohTransport(r *Resolver, preferH3 bool, proxyAdapter string) *dohTransp
return dialContextExtra(ctx, proxyAdapter, "tcp", ip, port) return dialContextExtra(ctx, proxyAdapter, "tcp", ip, port)
} }
}, },
TLSClientConfig: tls2.GetDefaultTLSConfig(),
}, },
preferH3: preferH3, preferH3: preferH3,
} }
@ -156,6 +158,7 @@ func newDohTransport(r *Resolver, preferH3 bool, proxyAdapter string) *dohTransp
} }
} }
}, },
TLSClientConfig: tls2.GetDefaultTLSConfig(),
} }
} }

View file

@ -5,6 +5,7 @@ import (
"context" "context"
"crypto/tls" "crypto/tls"
"fmt" "fmt"
tlsC "github.com/Dreamacro/clash/common/tls"
"github.com/Dreamacro/clash/component/dialer" "github.com/Dreamacro/clash/component/dialer"
"github.com/Dreamacro/clash/component/resolver" "github.com/Dreamacro/clash/component/resolver"
"github.com/lucas-clemente/quic-go" "github.com/lucas-clemente/quic-go"
@ -128,13 +129,15 @@ func (dc *quicClient) getSession(ctx context.Context) (quic.Connection, error) {
} }
func (dc *quicClient) openSession(ctx context.Context) (quic.Connection, error) { func (dc *quicClient) openSession(ctx context.Context) (quic.Connection, error) {
tlsConfig := &tls.Config{ tlsConfig := tlsC.MixinTLSConfig(
InsecureSkipVerify: false, &tls.Config{
NextProtos: []string{ InsecureSkipVerify: false,
NextProtoDQ, NextProtos: []string{
}, NextProtoDQ,
SessionTicketsDisabled: false, },
} SessionTicketsDisabled: false,
})
quicConfig := &quic.Config{ quicConfig := &quic.Config{
ConnectionIDLength: 12, ConnectionIDLength: 12,
HandshakeIdleTimeout: time.Second * 8, HandshakeIdleTimeout: time.Second * 8,

View file

@ -25,7 +25,12 @@ external-ui: /path/to/ui/folder # 配置WEB UI目录使用http://{{external-c
# interface-name: en0 # 设置出口网卡 # interface-name: en0 # 设置出口网卡
# routing-mark: 6666 # 配置fwmark 仅用于Linux # routing-mark: 6666 # 配置fwmark 仅用于Linux
experimental:
# 具体配置待定
# 证书指纹,SHA256格式,补充校验TLS证书
# 可使用 openssl x509 -noout -fingerprint -sha256 -inform pem -in yourcert.pem 获取
fingerprints:
- "8F:11:1F:A9:AD:3C:D8:E9:17:A1:18:52:2C:AC:39:EA:33:74:1B:3B:BE:73:F9:1C:EC:E5:48:D5:CC:B0:E5:E8"
# 类似于/etc/hosts, 仅支持配置单个IP # 类似于/etc/hosts, 仅支持配置单个IP
hosts: hosts:
# '*.clash.dev': 127.0.0.1 # '*.clash.dev': 127.0.0.1

View file

@ -2,6 +2,7 @@ package executor
import ( import (
"fmt" "fmt"
"github.com/Dreamacro/clash/common/tls"
"github.com/Dreamacro/clash/listener/inner" "github.com/Dreamacro/clash/listener/inner"
"net/netip" "net/netip"
"os" "os"
@ -72,7 +73,7 @@ func ParseWithBytes(buf []byte) (*config.Config, error) {
func ApplyConfig(cfg *config.Config, force bool) { func ApplyConfig(cfg *config.Config, force bool) {
mux.Lock() mux.Lock()
defer mux.Unlock() defer mux.Unlock()
preUpdateExperimental(cfg)
updateUsers(cfg.Users) updateUsers(cfg.Users)
updateProxies(cfg.Proxies, cfg.Providers) updateProxies(cfg.Proxies, cfg.Providers)
updateRules(cfg.Rules, cfg.RuleProviders) updateRules(cfg.Rules, cfg.RuleProviders)
@ -134,6 +135,14 @@ func updateExperimental(c *config.Config) {
runtime.GC() runtime.GC()
} }
func preUpdateExperimental(c *config.Config) {
for _, fingerprint := range c.Experimental.Fingerprints {
if err := tls.AddCertFingerprint(fingerprint); err != nil {
log.Warnln("fingerprint[%s] is err, %s", fingerprint, err.Error())
}
}
}
func updateDNS(c *config.DNS, generalIPv6 bool) { func updateDNS(c *config.DNS, generalIPv6 bool) {
if !c.Enable { if !c.Enable {
resolver.DisableIPv6 = !generalIPv6 resolver.DisableIPv6 = !generalIPv6

View file

@ -3,6 +3,7 @@ package vmess
import ( import (
"context" "context"
"crypto/tls" "crypto/tls"
tlsC "github.com/Dreamacro/clash/common/tls"
"net" "net"
C "github.com/Dreamacro/clash/constant" C "github.com/Dreamacro/clash/constant"
@ -15,11 +16,11 @@ type TLSConfig struct {
} }
func StreamTLSConn(conn net.Conn, cfg *TLSConfig) (net.Conn, error) { func StreamTLSConn(conn net.Conn, cfg *TLSConfig) (net.Conn, error) {
tlsConfig := &tls.Config{ tlsConfig := tlsC.MixinTLSConfig(&tls.Config{
ServerName: cfg.Host, ServerName: cfg.Host,
InsecureSkipVerify: cfg.SkipCertVerify, InsecureSkipVerify: cfg.SkipCertVerify,
NextProtos: cfg.NextProtos, NextProtos: cfg.NextProtos,
} })
tlsConn := tls.Client(conn, tlsConfig) tlsConn := tls.Client(conn, tlsConfig)