feat: add fingerprint for tls verify

This commit is contained in:
gVisor bot 2022-07-10 20:44:24 +08:00
parent 71afe64a8e
commit 91e1649822
15 changed files with 137 additions and 31 deletions

View file

@ -7,6 +7,7 @@ import (
"encoding/base64"
"errors"
"fmt"
tlsC "github.com/Dreamacro/clash/common/tls"
"io"
"net"
"net/http"
@ -149,7 +150,7 @@ func NewHttp(option HttpOption) *Http {
},
user: option.UserName,
pass: option.Password,
tlsConfig: tlsConfig,
tlsConfig: tlsC.MixinTLSConfig(tlsConfig),
option: &option,
}
}

View file

@ -5,6 +5,7 @@ import (
"crypto/tls"
"crypto/x509"
"fmt"
tlsC "github.com/Dreamacro/clash/common/tls"
"github.com/Dreamacro/clash/transport/hysteria/core"
"github.com/Dreamacro/clash/transport/hysteria/obfs"
"github.com/Dreamacro/clash/transport/hysteria/pmtud_fix"
@ -121,11 +122,11 @@ func NewHysteria(option HysteriaOption) (*Hysteria, error) {
if option.SNI != "" {
serverName = option.SNI
}
tlsConfig := &tls.Config{
tlsConfig := tlsC.MixinTLSConfig(&tls.Config{
ServerName: serverName,
InsecureSkipVerify: option.SkipCertVerify,
MinVersion: tls.VersionTLS13,
}
})
if len(option.ALPN) > 0 {
tlsConfig.NextProtos = []string{option.ALPN}
} else {

View file

@ -5,6 +5,7 @@ import (
"crypto/tls"
"errors"
"fmt"
tlsC "github.com/Dreamacro/clash/common/tls"
"io"
"net"
"strconv"
@ -160,7 +161,7 @@ func NewSocks5(option Socks5Option) *Socks5 {
pass: option.Password,
tls: option.TLS,
skipCertVerify: option.SkipCertVerify,
tlsConfig: tlsConfig,
tlsConfig: tlsC.MixinTLSConfig(tlsConfig),
}
}

View file

@ -4,6 +4,7 @@ import (
"context"
"crypto/tls"
"fmt"
tlsC "github.com/Dreamacro/clash/common/tls"
"net"
"net/http"
"strconv"
@ -227,12 +228,12 @@ func NewTrojan(option TrojanOption) (*Trojan, error) {
return c, nil
}
tlsConfig := &tls.Config{
tlsConfig := tlsC.MixinTLSConfig(&tls.Config{
NextProtos: option.ALPN,
MinVersion: tls.VersionTLS12,
InsecureSkipVerify: tOption.SkipCertVerify,
ServerName: tOption.ServerName,
}
})
if t.option.Flow != "" {
t.transport = gun.NewHTTP2XTLSClient(dialFn, tlsConfig)

View file

@ -7,6 +7,7 @@ import (
"errors"
"fmt"
"github.com/Dreamacro/clash/common/convert"
tlsC "github.com/Dreamacro/clash/common/tls"
"io"
"net"
"net/http"
@ -80,12 +81,12 @@ func (v *Vless) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
}
if v.option.TLS {
wsOpts.TLS = true
wsOpts.TLSConfig = &tls.Config{
wsOpts.TLSConfig = tlsC.MixinTLSConfig(&tls.Config{
MinVersion: tls.VersionTLS12,
ServerName: host,
InsecureSkipVerify: v.option.SkipCertVerify,
NextProtos: []string{"http/1.1"},
}
})
if v.option.ServerName != "" {
wsOpts.TLSConfig.ServerName = v.option.ServerName
} else if host := wsOpts.Headers.Get("Host"); host != "" {
@ -436,10 +437,10 @@ func NewVless(option VlessOption) (*Vless, error) {
ServiceName: v.option.GrpcOpts.GrpcServiceName,
Host: v.option.ServerName,
}
tlsConfig := &tls.Config{
tlsConfig := tlsC.MixinTLSConfig(&tls.Config{
InsecureSkipVerify: v.option.SkipCertVerify,
ServerName: v.option.ServerName,
}
})
if v.option.ServerName == "" {
host, _, _ := net.SplitHostPort(v.addr)

View file

@ -5,13 +5,13 @@ import (
"crypto/tls"
"errors"
"fmt"
tlsC "github.com/Dreamacro/clash/common/tls"
"net"
"net/http"
"strconv"
"strings"
"sync"
"github.com/Dreamacro/clash/common/convert"
"github.com/Dreamacro/clash/component/dialer"
"github.com/Dreamacro/clash/component/resolver"
C "github.com/Dreamacro/clash/constant"
@ -100,21 +100,16 @@ func (v *Vmess) StreamConn(c net.Conn, metadata *C.Metadata) (net.Conn, error) {
if v.option.TLS {
wsOpts.TLS = true
wsOpts.TLSConfig = &tls.Config{
wsOpts.TLSConfig = tlsC.MixinTLSConfig(&tls.Config{
ServerName: host,
InsecureSkipVerify: v.option.SkipCertVerify,
NextProtos: []string{"http/1.1"},
}
})
if v.option.ServerName != "" {
wsOpts.TLSConfig.ServerName = v.option.ServerName
} else if host := wsOpts.Headers.Get("Host"); host != "" {
wsOpts.TLSConfig.ServerName = host
}
} else {
if host := wsOpts.Headers.Get("Host"); host == "" {
wsOpts.Headers.Set("Host", convert.RandHost())
convert.SetUserAgent(wsOpts.Headers)
}
}
c, err = clashVMess.StreamWebsocketConn(c, wsOpts)
case "http":

80
common/tls/config.go Normal file
View file

@ -0,0 +1,80 @@
package tls
import (
"bytes"
"crypto/sha256"
"crypto/tls"
"crypto/x509"
"encoding/hex"
"fmt"
"strings"
"sync"
"time"
)
var fingerprints [][32]byte
var rwLock sync.Mutex
var defaultTLSConfig = &tls.Config{
InsecureSkipVerify: true,
VerifyPeerCertificate: verifyPeerCertificate,
}
var verifyPeerCertificate = func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
fingerprints := fingerprints
var preErr error
for i := range rawCerts {
rawCert := rawCerts[i]
cert, err := x509.ParseCertificate(rawCert)
if err == nil {
opts := x509.VerifyOptions{
CurrentTime: time.Now(),
}
if _, err := cert.Verify(opts); err == nil {
return nil
} else {
fingerprint := sha256.Sum256(cert.Raw)
for _, fp := range fingerprints {
if bytes.Equal(fingerprint[:], fp[:]) {
return nil
}
}
preErr = err
}
}
}
return preErr
}
func AddCertFingerprint(fingerprint string) error {
fp := strings.Replace(fingerprint, ":", "", -1)
fpByte, err := hex.DecodeString(fp)
if err != nil {
return err
}
if len(fpByte) != 32 {
return fmt.Errorf("fingerprint string length error,need sha25 fingerprint")
}
rwLock.Lock()
fingerprints = append(fingerprints, *(*[32]byte)(fpByte))
rwLock.Unlock()
return nil
}
func GetDefaultTLSConfig() *tls.Config {
return defaultTLSConfig
}
func MixinTLSConfig(tlsConfig *tls.Config) *tls.Config {
if tlsConfig == nil {
return GetDefaultTLSConfig()
}
tlsConfig.InsecureSkipVerify = true
tlsConfig.VerifyPeerCertificate = verifyPeerCertificate
return tlsConfig
}

View file

@ -2,6 +2,7 @@ package http
import (
"context"
"github.com/Dreamacro/clash/common/tls"
"github.com/Dreamacro/clash/listener/inner"
"github.com/Dreamacro/clash/log"
"io"
@ -56,6 +57,7 @@ func HttpRequest(ctx context.Context, url, method string, header map[string][]st
conn := inner.HandleTcp(address, urlRes.Hostname())
return conn, nil
},
TLSClientConfig: tls.GetDefaultTLSConfig(),
}
client := http.Client{Transport: transport}

View file

@ -136,7 +136,9 @@ type Sniffer struct {
}
// Experimental config
type Experimental struct{}
type Experimental struct {
Fingerprints []string `yaml:"fingerprints"`
}
// Config is clash config manager
type Config struct {

View file

@ -4,6 +4,7 @@ import (
"context"
"crypto/tls"
"fmt"
tlsC "github.com/Dreamacro/clash/common/tls"
"go.uber.org/atomic"
"net"
"net/netip"
@ -77,7 +78,7 @@ func (c *client) ExchangeContext(ctx context.Context, m *D.Msg) (*D.Msg, error)
ch := make(chan result, 1)
go func() {
if strings.HasSuffix(c.Client.Net, "tls") {
conn = tls.Client(conn, c.Client.TLSConfig)
conn = tls.Client(conn, tlsC.MixinTLSConfig(c.Client.TLSConfig))
}
msg, _, err := c.Client.ExchangeWithConn(m, &D.Conn{

View file

@ -4,6 +4,7 @@ import (
"bytes"
"context"
"crypto/tls"
tls2 "github.com/Dreamacro/clash/common/tls"
"github.com/Dreamacro/clash/component/dialer"
"github.com/Dreamacro/clash/component/resolver"
"github.com/lucas-clemente/quic-go"
@ -119,6 +120,7 @@ func newDohTransport(r *Resolver, preferH3 bool, proxyAdapter string) *dohTransp
return dialContextExtra(ctx, proxyAdapter, "tcp", ip, port)
}
},
TLSClientConfig: tls2.GetDefaultTLSConfig(),
},
preferH3: preferH3,
}
@ -156,6 +158,7 @@ func newDohTransport(r *Resolver, preferH3 bool, proxyAdapter string) *dohTransp
}
}
},
TLSClientConfig: tls2.GetDefaultTLSConfig(),
}
}

View file

@ -5,6 +5,7 @@ import (
"context"
"crypto/tls"
"fmt"
tlsC "github.com/Dreamacro/clash/common/tls"
"github.com/Dreamacro/clash/component/dialer"
"github.com/Dreamacro/clash/component/resolver"
"github.com/lucas-clemente/quic-go"
@ -128,13 +129,15 @@ func (dc *quicClient) getSession(ctx context.Context) (quic.Connection, error) {
}
func (dc *quicClient) openSession(ctx context.Context) (quic.Connection, error) {
tlsConfig := &tls.Config{
tlsConfig := tlsC.MixinTLSConfig(
&tls.Config{
InsecureSkipVerify: false,
NextProtos: []string{
NextProtoDQ,
},
SessionTicketsDisabled: false,
}
})
quicConfig := &quic.Config{
ConnectionIDLength: 12,
HandshakeIdleTimeout: time.Second * 8,

View file

@ -25,7 +25,12 @@ external-ui: /path/to/ui/folder # 配置WEB UI目录使用http://{{external-c
# interface-name: en0 # 设置出口网卡
# routing-mark: 6666 # 配置fwmark 仅用于Linux
experimental:
# 具体配置待定
# 证书指纹,SHA256格式,补充校验TLS证书
# 可使用 openssl x509 -noout -fingerprint -sha256 -inform pem -in yourcert.pem 获取
fingerprints:
- "8F:11:1F:A9:AD:3C:D8:E9:17:A1:18:52:2C:AC:39:EA:33:74:1B:3B:BE:73:F9:1C:EC:E5:48:D5:CC:B0:E5:E8"
# 类似于/etc/hosts, 仅支持配置单个IP
hosts:
# '*.clash.dev': 127.0.0.1

View file

@ -2,6 +2,7 @@ package executor
import (
"fmt"
"github.com/Dreamacro/clash/common/tls"
"github.com/Dreamacro/clash/listener/inner"
"net/netip"
"os"
@ -72,7 +73,7 @@ func ParseWithBytes(buf []byte) (*config.Config, error) {
func ApplyConfig(cfg *config.Config, force bool) {
mux.Lock()
defer mux.Unlock()
preUpdateExperimental(cfg)
updateUsers(cfg.Users)
updateProxies(cfg.Proxies, cfg.Providers)
updateRules(cfg.Rules, cfg.RuleProviders)
@ -134,6 +135,14 @@ func updateExperimental(c *config.Config) {
runtime.GC()
}
func preUpdateExperimental(c *config.Config) {
for _, fingerprint := range c.Experimental.Fingerprints {
if err := tls.AddCertFingerprint(fingerprint); err != nil {
log.Warnln("fingerprint[%s] is err, %s", fingerprint, err.Error())
}
}
}
func updateDNS(c *config.DNS, generalIPv6 bool) {
if !c.Enable {
resolver.DisableIPv6 = !generalIPv6

View file

@ -3,6 +3,7 @@ package vmess
import (
"context"
"crypto/tls"
tlsC "github.com/Dreamacro/clash/common/tls"
"net"
C "github.com/Dreamacro/clash/constant"
@ -15,11 +16,11 @@ type TLSConfig struct {
}
func StreamTLSConn(conn net.Conn, cfg *TLSConfig) (net.Conn, error) {
tlsConfig := &tls.Config{
tlsConfig := tlsC.MixinTLSConfig(&tls.Config{
ServerName: cfg.Host,
InsecureSkipVerify: cfg.SkipCertVerify,
NextProtos: cfg.NextProtos,
}
})
tlsConn := tls.Client(conn, tlsConfig)