diff --git a/adapter/outbound/http.go b/adapter/outbound/http.go index acc75d37..19074bb3 100644 --- a/adapter/outbound/http.go +++ b/adapter/outbound/http.go @@ -14,9 +14,9 @@ import ( "strconv" N "github.com/Dreamacro/clash/common/net" + "github.com/Dreamacro/clash/component/ca" "github.com/Dreamacro/clash/component/dialer" "github.com/Dreamacro/clash/component/proxydialer" - tlsC "github.com/Dreamacro/clash/component/tls" C "github.com/Dreamacro/clash/constant" ) @@ -157,19 +157,13 @@ func NewHttp(option HttpOption) (*Http, error) { if option.SNI != "" { sni = option.SNI } - if len(option.Fingerprint) == 0 { - tlsConfig = tlsC.GetGlobalTLSConfig(&tls.Config{ - InsecureSkipVerify: option.SkipCertVerify, - ServerName: sni, - }) - } else { - var err error - if tlsConfig, err = tlsC.GetSpecifiedFingerprintTLSConfig(&tls.Config{ - InsecureSkipVerify: option.SkipCertVerify, - ServerName: sni, - }, option.Fingerprint); err != nil { - return nil, err - } + var err error + tlsConfig, err = ca.GetSpecifiedFingerprintTLSConfig(&tls.Config{ + InsecureSkipVerify: option.SkipCertVerify, + ServerName: sni, + }, option.Fingerprint) + if err != nil { + return nil, err } } diff --git a/adapter/outbound/hysteria.go b/adapter/outbound/hysteria.go index 7cd4ea76..8a9d6258 100644 --- a/adapter/outbound/hysteria.go +++ b/adapter/outbound/hysteria.go @@ -2,15 +2,11 @@ package outbound import ( "context" - "crypto/sha256" "crypto/tls" "encoding/base64" - "encoding/hex" - "encoding/pem" "fmt" "net" "net/netip" - "os" "strconv" "time" @@ -18,9 +14,9 @@ import ( "github.com/metacubex/quic-go/congestion" M "github.com/sagernet/sing/common/metadata" + "github.com/Dreamacro/clash/component/ca" "github.com/Dreamacro/clash/component/dialer" "github.com/Dreamacro/clash/component/proxydialer" - tlsC "github.com/Dreamacro/clash/component/tls" C "github.com/Dreamacro/clash/constant" "github.com/Dreamacro/clash/log" hyCongestion "github.com/Dreamacro/clash/transport/hysteria/congestion" 
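Review bot: The call `ca.GetSpecifiedFingerprintTLSConfig(&tls.Config{...}, option.Fingerprint)` in NewHttp is now unconditional, so what happens when `option.Fingerprint` is empty depends entirely on the callee treating "" as "no pin", which the function name does not convey at the call site. A one-line comment would save the next reader a trip into component/ca: `// empty Fingerprint disables pinning; the config then verifies against the global CA pool`. The same pattern appears in the NewSocks5, NewTrojan, Vless/Vmess StreamConnContext, NewShadowTLS, transport/trojan StreamConn, NewV2rayObfs and StreamTLSConn hunks. NewHttp's body starts and ends outside the hunk.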
@@ -150,37 +146,10 @@ func NewHysteria(option HysteriaOption) (*Hysteria, error) { MinVersion: tls.VersionTLS13, } - var bs []byte var err error - if len(option.CustomCA) > 0 { - bs, err = os.ReadFile(option.CustomCA) - if err != nil { - return nil, fmt.Errorf("hysteria %s load ca error: %w", addr, err) - } - } else if option.CustomCAString != "" { - bs = []byte(option.CustomCAString) - } - - if len(bs) > 0 { - block, _ := pem.Decode(bs) - if block == nil { - return nil, fmt.Errorf("CA cert is not PEM") - } - - fpBytes := sha256.Sum256(block.Bytes) - if len(option.Fingerprint) == 0 { - option.Fingerprint = hex.EncodeToString(fpBytes[:]) - } - } - - if len(option.Fingerprint) != 0 { - var err error - tlsConfig, err = tlsC.GetSpecifiedFingerprintTLSConfig(tlsConfig, option.Fingerprint) - if err != nil { - return nil, err - } - } else { - tlsConfig = tlsC.GetGlobalTLSConfig(tlsConfig) + tlsConfig, err = ca.GetTLSConfig(tlsConfig, option.Fingerprint, option.CustomCA, option.CustomCAString) + if err != nil { + return nil, err } if len(option.ALPN) > 0 { diff --git a/adapter/outbound/hysteria2.go b/adapter/outbound/hysteria2.go index 46e052e6..e7ad91df 100644 --- a/adapter/outbound/hysteria2.go +++ b/adapter/outbound/hysteria2.go @@ -2,21 +2,17 @@ package outbound import ( "context" - "crypto/sha256" "crypto/tls" - "encoding/hex" - "encoding/pem" "errors" "fmt" "net" - "os" "runtime" "strconv" CN "github.com/Dreamacro/clash/common/net" + "github.com/Dreamacro/clash/component/ca" "github.com/Dreamacro/clash/component/dialer" "github.com/Dreamacro/clash/component/proxydialer" - tlsC "github.com/Dreamacro/clash/component/tls" C "github.com/Dreamacro/clash/constant" tuicCommon "github.com/Dreamacro/clash/transport/tuic/common" 
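Review bot: The meaning of `CustomCA`/`CustomCAString` changes in this hunk and the commit does not call it out: the removed code hashed the PEM block and pinned that SHA-256 via GetSpecifiedFingerprintTLSConfig, whose removed body set `InsecureSkipVerify = true`, whereas `ca.GetTLSConfig` installs the custom CA as `RootCAs` and leaves `InsecureSkipVerify` as the caller set it, so the server certificate must now chain to the custom CA and, unless the caller disabled verification (presumably from `SkipCertVerify`, above the hunk), also match the SNI. That is stricter, which is welcome, but a deployment whose custom-CA-issued certificate lacks the configured name will start failing, so it deserves a changelog entry and a comment such as `// custom CA is a trust root now, not a pin: chain and hostname are verified`. The proxy context is also dropped from the error (the removed line had `"hysteria %s load ca error: %w"`), so consider `return nil, fmt.Errorf("hysteria %s: %w", addr, err)` on the new error branch. The same applies to the NewHysteria2 and NewTuic hunks; NewHysteria's body continues outside the hunk.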
@@ -143,37 +139,10 @@ func NewHysteria2(option Hysteria2Option) (*Hysteria2, error) { MinVersion: tls.VersionTLS13, } - var bs []byte var err error - if len(option.CustomCA) > 0 { - bs, err = os.ReadFile(option.CustomCA) - if err != nil { - return nil, fmt.Errorf("hysteria %s load ca error: %w", option.Name, err) - } - } else if option.CustomCAString != "" { - bs = []byte(option.CustomCAString) - } - - if len(bs) > 0 { - block, _ := pem.Decode(bs) - if block == nil { - return nil, fmt.Errorf("CA cert is not PEM") - } - - fpBytes := sha256.Sum256(block.Bytes) - if len(option.Fingerprint) == 0 { - option.Fingerprint = hex.EncodeToString(fpBytes[:]) - } - } - - if len(option.Fingerprint) != 0 { - var err error - tlsConfig, err = tlsC.GetSpecifiedFingerprintTLSConfig(tlsConfig, option.Fingerprint) - if err != nil { - return nil, err - } - } else { - tlsConfig = tlsC.GetGlobalTLSConfig(tlsConfig) + tlsConfig, err = ca.GetTLSConfig(tlsConfig, option.Fingerprint, option.CustomCA, option.CustomCAString) + if err != nil { + return nil, err } if len(option.ALPN) > 0 { diff --git a/adapter/outbound/socks5.go b/adapter/outbound/socks5.go index 2e9bccd6..d857172e 100644 --- a/adapter/outbound/socks5.go +++ b/adapter/outbound/socks5.go @@ -10,9 +10,9 @@ import ( "strconv" N "github.com/Dreamacro/clash/common/net" + "github.com/Dreamacro/clash/component/ca" "github.com/Dreamacro/clash/component/dialer" "github.com/Dreamacro/clash/component/proxydialer" - tlsC "github.com/Dreamacro/clash/component/tls" C "github.com/Dreamacro/clash/constant" "github.com/Dreamacro/clash/transport/socks5" ) 
@@ -180,13 +180,10 @@ func NewSocks5(option Socks5Option) (*Socks5, error) { ServerName: option.Server, } - if len(option.Fingerprint) == 0 { - tlsConfig = tlsC.GetGlobalTLSConfig(tlsConfig) - } else { - var err error - if tlsConfig, err = tlsC.GetSpecifiedFingerprintTLSConfig(tlsConfig, option.Fingerprint); err != nil { - return nil, err - } + var err error + tlsConfig, err = ca.GetSpecifiedFingerprintTLSConfig(tlsConfig, option.Fingerprint) + if err != nil { + return nil, err } } diff --git a/adapter/outbound/trojan.go b/adapter/outbound/trojan.go index 6339b476..337f2a38 100644 --- a/adapter/outbound/trojan.go +++ b/adapter/outbound/trojan.go @@ -9,6 +9,7 @@ import ( "strconv" N "github.com/Dreamacro/clash/common/net" + "github.com/Dreamacro/clash/component/ca" "github.com/Dreamacro/clash/component/dialer" "github.com/Dreamacro/clash/component/proxydialer" tlsC "github.com/Dreamacro/clash/component/tls" @@ -280,13 +281,10 @@ func NewTrojan(option TrojanOption) (*Trojan, error) { ServerName: tOption.ServerName, } - if len(option.Fingerprint) == 0 { - tlsConfig = tlsC.GetGlobalTLSConfig(tlsConfig) - } else { - var err error - if tlsConfig, err = tlsC.GetSpecifiedFingerprintTLSConfig(tlsConfig, option.Fingerprint); err != nil { - return nil, err - } + var err error + tlsConfig, err = ca.GetSpecifiedFingerprintTLSConfig(tlsConfig, option.Fingerprint) + if err != nil { + return nil, err } t.transport = gun.NewHTTP2Client(dialFn, tlsConfig, tOption.ClientFingerprint, t.realityConfig) diff --git a/adapter/outbound/tuic.go b/adapter/outbound/tuic.go index b1032e8c..93e49dc7 100644 --- a/adapter/outbound/tuic.go +++ b/adapter/outbound/tuic.go 
@@ -2,22 +2,18 @@ package outbound import ( "context" - "crypto/sha256" "crypto/tls" - "encoding/hex" - "encoding/pem" "errors" "fmt" "math" "net" - "os" "strconv" "time" + "github.com/Dreamacro/clash/component/ca" "github.com/Dreamacro/clash/component/dialer" "github.com/Dreamacro/clash/component/proxydialer" "github.com/Dreamacro/clash/component/resolver" - tlsC "github.com/Dreamacro/clash/component/tls" C "github.com/Dreamacro/clash/constant" "github.com/Dreamacro/clash/transport/tuic" @@ -162,37 +158,10 @@ func NewTuic(option TuicOption) (*Tuic, error) { tlsConfig.ServerName = option.SNI } - var bs []byte var err error - if len(option.CustomCA) > 0 { - bs, err = os.ReadFile(option.CustomCA) - if err != nil { - return nil, fmt.Errorf("tuic %s load ca error: %w", addr, err) - } - } else if option.CustomCAString != "" { - bs = []byte(option.CustomCAString) - } - - if len(bs) > 0 { - block, _ := pem.Decode(bs) - if block == nil { - return nil, fmt.Errorf("CA cert is not PEM") - } - - fpBytes := sha256.Sum256(block.Bytes) - if len(option.Fingerprint) == 0 { - option.Fingerprint = hex.EncodeToString(fpBytes[:]) - } - } - - if len(option.Fingerprint) != 0 { - var err error - tlsConfig, err = tlsC.GetSpecifiedFingerprintTLSConfig(tlsConfig, option.Fingerprint) - if err != nil { - return nil, err - } - } else { - tlsConfig = tlsC.GetGlobalTLSConfig(tlsConfig) + tlsConfig, err = ca.GetTLSConfig(tlsConfig, option.Fingerprint, option.CustomCA, option.CustomCAString) + if err != nil { + return nil, err } if option.ALPN != nil { // structure's Decode will ensure value not nil when input has value even it was set an empty array diff --git a/adapter/outbound/vless.go b/adapter/outbound/vless.go index 81408e5f..037f3367 100644 --- a/adapter/outbound/vless.go +++ b/adapter/outbound/vless.go 
@@ -15,6 +15,7 @@ import ( "github.com/Dreamacro/clash/common/convert" N "github.com/Dreamacro/clash/common/net" "github.com/Dreamacro/clash/common/utils" + "github.com/Dreamacro/clash/component/ca" "github.com/Dreamacro/clash/component/dialer" "github.com/Dreamacro/clash/component/proxydialer" "github.com/Dreamacro/clash/component/resolver" @@ -110,13 +111,9 @@ func (v *Vless) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.M NextProtos: []string{"http/1.1"}, } - if len(v.option.Fingerprint) == 0 { - wsOpts.TLSConfig = tlsC.GetGlobalTLSConfig(tlsConfig) - } else { - wsOpts.TLSConfig, err = tlsC.GetSpecifiedFingerprintTLSConfig(tlsConfig, v.option.Fingerprint) - if err != nil { - return nil, err - } + wsOpts.TLSConfig, err = ca.GetSpecifiedFingerprintTLSConfig(tlsConfig, v.option.Fingerprint) + if err != nil { + return nil, err } if v.option.ServerName != "" { @@ -592,7 +589,7 @@ func NewVless(option VlessOption) (*Vless, error) { } var tlsConfig *tls.Config if option.TLS { - tlsConfig = tlsC.GetGlobalTLSConfig(&tls.Config{ + tlsConfig = ca.GetGlobalTLSConfig(&tls.Config{ InsecureSkipVerify: v.option.SkipCertVerify, ServerName: v.option.ServerName, }) diff --git a/adapter/outbound/vmess.go b/adapter/outbound/vmess.go index 3e7694d1..db654580 100644 --- a/adapter/outbound/vmess.go +++ b/adapter/outbound/vmess.go @@ -13,6 +13,7 @@ import ( N "github.com/Dreamacro/clash/common/net" "github.com/Dreamacro/clash/common/utils" + "github.com/Dreamacro/clash/component/ca" "github.com/Dreamacro/clash/component/dialer" "github.com/Dreamacro/clash/component/proxydialer" "github.com/Dreamacro/clash/component/resolver" 
@@ -127,12 +128,9 @@ func (v *Vmess) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.M
 			NextProtos: []string{"http/1.1"},
 		}
 
-		if len(v.option.Fingerprint) == 0 {
-			wsOpts.TLSConfig = tlsC.GetGlobalTLSConfig(tlsConfig)
-		} else {
-			if wsOpts.TLSConfig, err = tlsC.GetSpecifiedFingerprintTLSConfig(tlsConfig, v.option.Fingerprint); err != nil {
-				return nil, err
-			}
+		wsOpts.TLSConfig, err = ca.GetSpecifiedFingerprintTLSConfig(tlsConfig, v.option.Fingerprint)
+		if err != nil {
+			return nil, err
 		}
 
 		if v.option.ServerName != "" {
@@ -483,7 +481,7 @@ func NewVmess(option VmessOption) (*Vmess, error) {
 	}
 	var tlsConfig *tls.Config
 	if option.TLS {
-		tlsConfig = tlsC.GetGlobalTLSConfig(&tls.Config{
+		tlsConfig = ca.GetGlobalTLSConfig(&tls.Config{
 			InsecureSkipVerify: v.option.SkipCertVerify,
 			ServerName:         v.option.ServerName,
 		})
diff --git a/component/tls/config.go b/component/ca/config.go
similarity index 63%
rename from component/tls/config.go
rename to component/ca/config.go
index d7382f7c..03fb007c 100644
--- a/component/tls/config.go
+++ b/component/ca/config.go
@@ -1,4 +1,4 @@
-package tls
+package ca
 
 import (
 	"bytes"
@@ -8,12 +8,13 @@ import (
 	"encoding/hex"
 	"errors"
 	"fmt"
+	"os"
 	"strings"
 	"sync"
 )
 
 var trustCerts []*x509.Certificate
-var certPool *x509.CertPool
+var globalCertPool *x509.CertPool
 var mutex sync.RWMutex
 
 var errNotMatch = errors.New("certificate fingerprints do not match")
@@ -33,12 +34,12 @@ func AddCertificate(certificate string) error {
 
 func initializeCertPool() {
 	var err error
-	certPool, err = x509.SystemCertPool()
+	globalCertPool, err = x509.SystemCertPool()
 	if err != nil {
-		certPool = x509.NewCertPool()
+		globalCertPool = x509.NewCertPool()
 	}
 	for _, cert := range trustCerts {
-		certPool.AddCert(cert)
+		globalCertPool.AddCert(cert)
 	}
 }
 
@@ -53,15 +54,15 @@ func getCertPool() *x509.CertPool {
 	if len(trustCerts) == 0 {
 		return nil
 	}
-	if certPool == nil {
+	if globalCertPool == nil {
 		mutex.Lock()
 		defer mutex.Unlock()
-		if certPool != nil {
-			return certPool
+		if globalCertPool != nil {
+			return globalCertPool
 		}
 		initializeCertPool()
 	}
-	return certPool
+	return globalCertPool
 }
 
 func verifyFingerprint(fingerprint *[32]byte) func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
@@ -94,29 +95,49 @@ func convertFingerprint(fingerprint string) (*[32]byte, error) {
 	return (*[32]byte)(fpByte), nil
 }
 
-func GetDefaultTLSConfig() *tls.Config {
-	return GetGlobalTLSConfig(nil)
+// GetTLSConfig specified fingerprint, customCA and customCAString
+func GetTLSConfig(tlsConfig *tls.Config, fingerprint string, customCA string, customCAString string) (*tls.Config, error) {
+	if tlsConfig == nil {
+		tlsConfig = &tls.Config{}
+	}
+	var certificate []byte
+	var err error
+	if len(customCA) > 0 {
+		certificate, err = os.ReadFile(customCA)
+		if err != nil {
+			return nil, fmt.Errorf("load ca error: %w", err)
+		}
+	} else if customCAString != "" {
+		certificate = []byte(customCAString)
+	}
+	if len(certificate) > 0 {
+		certPool := x509.NewCertPool()
+		if !certPool.AppendCertsFromPEM(certificate) {
+			return nil, fmt.Errorf("failed to parse certificate:\n\n %s", certificate)
+		}
+		tlsConfig.RootCAs = certPool
+	} else {
+		tlsConfig.RootCAs = getCertPool()
+	}
+	if len(fingerprint) > 0 {
+		var fingerprintBytes *[32]byte
+		fingerprintBytes, err = convertFingerprint(fingerprint)
+		if err != nil {
+			return nil, err
+		}
+		tlsConfig = GetGlobalTLSConfig(tlsConfig)
+		tlsConfig.VerifyPeerCertificate = verifyFingerprint(fingerprintBytes)
+		tlsConfig.InsecureSkipVerify = true
+	}
+	return tlsConfig, nil
 }
 
 // GetSpecifiedFingerprintTLSConfig specified fingerprint
 func GetSpecifiedFingerprintTLSConfig(tlsConfig *tls.Config, fingerprint string) (*tls.Config, error) {
-	if fingerprintBytes, err := convertFingerprint(fingerprint); err != nil {
-		return nil, err
-	} else {
-		tlsConfig = GetGlobalTLSConfig(tlsConfig)
-		tlsConfig.VerifyPeerCertificate = verifyFingerprint(fingerprintBytes)
-		tlsConfig.InsecureSkipVerify = true
-		return tlsConfig, nil
-	}
+	return GetTLSConfig(tlsConfig, fingerprint, "", "")
 }
 
 func GetGlobalTLSConfig(tlsConfig *tls.Config) *tls.Config {
-	certPool := getCertPool()
-	if tlsConfig == nil {
-		return &tls.Config{
-			RootCAs: certPool,
-		}
-	}
-	tlsConfig.RootCAs = certPool
+	tlsConfig, _ = GetTLSConfig(tlsConfig, "", "", "")
 	return tlsConfig
 }
diff --git a/component/http/http.go b/component/http/http.go
index c5172fcb..8e682e94 100644
--- a/component/http/http.go
+++ b/component/http/http.go
@@ -2,6 +2,7 @@ package http
 
 import (
 	"context"
+	"crypto/tls"
 	"io"
 	"net"
 	"net/http"
@@ -9,7 +10,7 @@ import (
 	"strings"
 	"time"
 
-	"github.com/Dreamacro/clash/component/tls"
+	"github.com/Dreamacro/clash/component/ca"
 	C "github.com/Dreamacro/clash/constant"
 	"github.com/Dreamacro/clash/listener/inner"
 )
@@ -58,7 +59,7 @@ func HttpRequest(ctx context.Context, url, method string, header map[string][]st
 				return d.DialContext(ctx, network, address)
 			}
 		},
-		TLSClientConfig: tls.GetDefaultTLSConfig(),
+		TLSClientConfig: ca.GetGlobalTLSConfig(&tls.Config{}),
 	}
 
 	client := http.Client{Transport: transport}
diff --git a/dns/client.go b/dns/client.go
index ba83412b..56f55668 100644
--- a/dns/client.go
+++ b/dns/client.go
@@ -9,9 +9,9 @@ import (
 	"strings"
 
 	"github.com/Dreamacro/clash/common/atomic"
+	"github.com/Dreamacro/clash/component/ca"
 	"github.com/Dreamacro/clash/component/dialer"
 	"github.com/Dreamacro/clash/component/resolver"
-	tlsC "github.com/Dreamacro/clash/component/tls"
 	C "github.com/Dreamacro/clash/constant"
 
 	D "github.com/miekg/dns"
@@ -99,7 +99,7 @@ func (c *client) ExchangeContext(ctx context.Context, m *D.Msg) (*D.Msg, error)
 	ch := make(chan result, 1)
 	go func() {
 		if strings.HasSuffix(c.Client.Net, "tls") {
-			conn = tls.Client(conn, tlsC.GetGlobalTLSConfig(c.Client.TLSConfig))
+			conn = tls.Client(conn, ca.GetGlobalTLSConfig(c.Client.TLSConfig))
 		}
 
 		msg, _, err := c.Client.ExchangeWithConn(m, &D.Conn{
diff --git a/dns/doh.go b/dns/doh.go
index 49e502fd..0d84fc4f 100644
--- a/dns/doh.go
+++ b/dns/doh.go
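Review bot: In the fingerprint branch of `GetTLSConfig`, `tlsConfig = GetGlobalTLSConfig(tlsConfig)` re-enters `GetTLSConfig` with empty arguments and overwrites `tlsConfig.RootCAs` with `getCertPool()`, silently discarding the custom pool built from `customCA`/`customCAString` a few lines earlier; the pool is unused once `InsecureSkipVerify = true` is set, but the re-entry hides that precedence, so drop that line (RootCAs is already assigned above) and state the rule in the doc comment, e.g. `// GetTLSConfig returns tlsConfig with RootCAs set from customCA (a PEM file path), else customCAString, else the global pool; a non-empty fingerprint pins the chain to that SHA-256, sets InsecureSkipVerify=true and takes precedence over the custom CA. The passed config is modified in place.` The parse failure `fmt.Errorf("failed to parse certificate:\n\n %s", certificate)` copies the entire content of whatever file `customCA` pointed at into the error and thus into the log; with a mistyped path that may be a file that should not be logged, so prefer `return nil, errors.New("custom CA: no PEM certificates found")` (`errors` is already imported). In `GetGlobalTLSConfig` the discarded error is safe only because `GetTLSConfig` cannot fail with all-empty arguments; a comment saying so, `// cannot fail: no file, no fingerprint`, keeps that from being broken later.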
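Review bot: `ca.GetGlobalTLSConfig(c.Client.TLSConfig)` writes `RootCAs` into the shared `c.Client.TLSConfig` from inside the goroutine on every call, because `GetTLSConfig` modifies the config it is handed rather than cloning it; if ExchangeContext can run concurrently on one client (not visible here) that is a write/write race on the same struct, and the removed line had the same behaviour, so the rename is an opportunity rather than the cause. Applying the global pool once when the client is built, or passing `c.Client.TLSConfig.Clone()` here, removes the per-call mutation. ExchangeContext's body continues outside the hunk.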
@@ -15,7 +15,7 @@ import ( "sync" "time" - tlsC "github.com/Dreamacro/clash/component/tls" + "github.com/Dreamacro/clash/component/ca" C "github.com/Dreamacro/clash/constant" "github.com/Dreamacro/clash/log" "github.com/metacubex/quic-go" @@ -382,7 +382,7 @@ func (doh *dnsOverHTTPS) createClient(ctx context.Context) (*http.Client, error) // HTTP3 is enabled in the upstream options). If this attempt is successful, // it returns an HTTP3 transport, otherwise it returns the H1/H2 transport. func (doh *dnsOverHTTPS) createTransport(ctx context.Context) (t http.RoundTripper, err error) { - tlsConfig := tlsC.GetGlobalTLSConfig( + tlsConfig := ca.GetGlobalTLSConfig( &tls.Config{ InsecureSkipVerify: false, MinVersion: tls.VersionTLS12, diff --git a/dns/doq.go b/dns/doq.go index f0016d79..afa8259a 100644 --- a/dns/doq.go +++ b/dns/doq.go @@ -12,7 +12,7 @@ import ( "sync" "time" - tlsC "github.com/Dreamacro/clash/component/tls" + "github.com/Dreamacro/clash/component/ca" C "github.com/Dreamacro/clash/constant" "github.com/Dreamacro/clash/log" "github.com/metacubex/quic-go" @@ -330,7 +330,7 @@ func (doq *dnsOverQUIC) openConnection(ctx context.Context) (conn quic.Connectio return nil, err } - tlsConfig := tlsC.GetGlobalTLSConfig( + tlsConfig := ca.GetGlobalTLSConfig( &tls.Config{ ServerName: host, InsecureSkipVerify: false, diff --git a/hub/executor/executor.go b/hub/executor/executor.go index b840ba48..88cdfd6c 100644 --- a/hub/executor/executor.go +++ b/hub/executor/executor.go @@ -16,6 +16,7 @@ import ( "github.com/Dreamacro/clash/adapter/inbound" "github.com/Dreamacro/clash/adapter/outboundgroup" "github.com/Dreamacro/clash/component/auth" + "github.com/Dreamacro/clash/component/ca" "github.com/Dreamacro/clash/component/dialer" G "github.com/Dreamacro/clash/component/geodata" "github.com/Dreamacro/clash/component/iface" 
@@ -23,7 +24,6 @@ import ( "github.com/Dreamacro/clash/component/profile/cachefile" "github.com/Dreamacro/clash/component/resolver" SNI "github.com/Dreamacro/clash/component/sniffer" - CTLS "github.com/Dreamacro/clash/component/tls" "github.com/Dreamacro/clash/component/trie" "github.com/Dreamacro/clash/config" C "github.com/Dreamacro/clash/constant" @@ -83,9 +83,9 @@ func ApplyConfig(cfg *config.Config, force bool) { tunnel.OnSuspend() - CTLS.ResetCertificate() + ca.ResetCertificate() for _, c := range cfg.TLS.CustomTrustCert { - if err := CTLS.AddCertificate(c); err != nil { + if err := ca.AddCertificate(c); err != nil { log.Warnln("%s\nadd error: %s", c, err.Error()) } } diff --git a/transport/sing-shadowtls/shadowtls.go b/transport/sing-shadowtls/shadowtls.go index 0e1e95c0..6d731ae6 100644 --- a/transport/sing-shadowtls/shadowtls.go +++ b/transport/sing-shadowtls/shadowtls.go @@ -5,6 +5,7 @@ import ( "crypto/tls" "net" + "github.com/Dreamacro/clash/component/ca" tlsC "github.com/Dreamacro/clash/component/tls" "github.com/Dreamacro/clash/log" @@ -39,12 +40,9 @@ func NewShadowTLS(ctx context.Context, conn net.Conn, option *ShadowTLSOption) ( } var err error - if len(option.Fingerprint) == 0 { - tlsConfig = tlsC.GetGlobalTLSConfig(tlsConfig) - } else { - if tlsConfig, err = tlsC.GetSpecifiedFingerprintTLSConfig(tlsConfig, option.Fingerprint); err != nil { - return nil, err - } + tlsConfig, err = ca.GetSpecifiedFingerprintTLSConfig(tlsConfig, option.Fingerprint) + if err != nil { + return nil, err } tlsHandshake := shadowtls.DefaultTLSHandshakeFunc(option.Password, tlsConfig) diff --git a/transport/trojan/trojan.go b/transport/trojan/trojan.go index 710905ad..6dfcfe11 100644 --- a/transport/trojan/trojan.go +++ b/transport/trojan/trojan.go 
@@ -14,6 +14,7 @@ import ( N "github.com/Dreamacro/clash/common/net" "github.com/Dreamacro/clash/common/pool" + "github.com/Dreamacro/clash/component/ca" tlsC "github.com/Dreamacro/clash/component/tls" C "github.com/Dreamacro/clash/constant" "github.com/Dreamacro/clash/transport/socks5" @@ -77,13 +78,10 @@ func (t *Trojan) StreamConn(ctx context.Context, conn net.Conn) (net.Conn, error ServerName: t.option.ServerName, } - if len(t.option.Fingerprint) == 0 { - tlsConfig = tlsC.GetGlobalTLSConfig(tlsConfig) - } else { - var err error - if tlsConfig, err = tlsC.GetSpecifiedFingerprintTLSConfig(tlsConfig, t.option.Fingerprint); err != nil { - return nil, err - } + var err error + tlsConfig, err = ca.GetSpecifiedFingerprintTLSConfig(tlsConfig, t.option.Fingerprint) + if err != nil { + return nil, err } if len(t.option.ClientFingerprint) != 0 { @@ -112,7 +110,7 @@ func (t *Trojan) StreamConn(ctx context.Context, conn net.Conn) (net.Conn, error ctx, cancel := context.WithTimeout(context.Background(), C.DefaultTLSTimeout) defer cancel() - err := tlsConn.HandshakeContext(ctx) + err = tlsConn.HandshakeContext(ctx) return tlsConn, err } diff --git a/transport/v2ray-plugin/websocket.go b/transport/v2ray-plugin/websocket.go index 25483670..066a3e2a 100644 --- a/transport/v2ray-plugin/websocket.go +++ b/transport/v2ray-plugin/websocket.go @@ -6,7 +6,7 @@ import ( "net" "net/http" - tlsC "github.com/Dreamacro/clash/component/tls" + "github.com/Dreamacro/clash/component/ca" "github.com/Dreamacro/clash/transport/vmess" ) 
@@ -43,13 +43,10 @@ func NewV2rayObfs(ctx context.Context, conn net.Conn, option *Option) (net.Conn, InsecureSkipVerify: option.SkipCertVerify, NextProtos: []string{"http/1.1"}, } - if len(option.Fingerprint) == 0 { - config.TLSConfig = tlsC.GetGlobalTLSConfig(tlsConfig) - } else { - var err error - if config.TLSConfig, err = tlsC.GetSpecifiedFingerprintTLSConfig(tlsConfig, option.Fingerprint); err != nil { - return nil, err - } + var err error + config.TLSConfig, err = ca.GetSpecifiedFingerprintTLSConfig(tlsConfig, option.Fingerprint) + if err != nil { + return nil, err } if host := config.Headers.Get("Host"); host != "" { diff --git a/transport/vmess/tls.go b/transport/vmess/tls.go index 54813029..8bcb6513 100644 --- a/transport/vmess/tls.go +++ b/transport/vmess/tls.go @@ -6,6 +6,7 @@ import ( "errors" "net" + "github.com/Dreamacro/clash/component/ca" tlsC "github.com/Dreamacro/clash/component/tls" ) @@ -25,13 +26,10 @@ func StreamTLSConn(ctx context.Context, conn net.Conn, cfg *TLSConfig) (net.Conn NextProtos: cfg.NextProtos, } - if len(cfg.FingerPrint) == 0 { - tlsConfig = tlsC.GetGlobalTLSConfig(tlsConfig) - } else { - var err error - if tlsConfig, err = tlsC.GetSpecifiedFingerprintTLSConfig(tlsConfig, cfg.FingerPrint); err != nil { - return nil, err - } + var err error + tlsConfig, err = ca.GetSpecifiedFingerprintTLSConfig(tlsConfig, cfg.FingerPrint) + if err != nil { + return nil, err } if len(cfg.ClientFingerprint) != 0 { @@ -51,7 +49,7 @@ func StreamTLSConn(ctx context.Context, conn net.Conn, cfg *TLSConfig) (net.Conn tlsConn := tls.Client(conn, tlsConfig) - err := tlsConn.HandshakeContext(ctx) + err = tlsConn.HandshakeContext(ctx) return tlsConn, err }