chore: add custom ca trust
This commit is contained in:
parent
a3b8c9c233
commit
f565edd76d
4 changed files with 28 additions and 42 deletions
|
@ -11,31 +11,30 @@ import (
|
|||
"strings"
|
||||
"sync"
|
||||
|
||||
CN "github.com/Dreamacro/clash/common/net"
|
||||
|
||||
xtls "github.com/xtls/go"
|
||||
)
|
||||
|
||||
var tlsCertificates = make([]tls.Certificate, 0)
|
||||
var trustCert,_ = x509.SystemCertPool()
|
||||
|
||||
var mutex sync.RWMutex
|
||||
var errNotMacth error = errors.New("certificate fingerprints do not match")
|
||||
|
||||
func AddCertificate(privateKey, certificate string) error {
|
||||
func AddCertificate(certificate string) error {
|
||||
mutex.Lock()
|
||||
defer mutex.Unlock()
|
||||
if cert, err := CN.ParseCert(certificate, privateKey); err != nil {
|
||||
return err
|
||||
} else {
|
||||
tlsCertificates = append(tlsCertificates, cert)
|
||||
if certificate == "" {
|
||||
return fmt.Errorf("certificate is empty")
|
||||
}
|
||||
if ok := trustCert.AppendCertsFromPEM([]byte(certificate)); !ok {
|
||||
return fmt.Errorf("add certificate failed")
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func GetCertificates() []tls.Certificate {
|
||||
mutex.RLock()
|
||||
defer mutex.RUnlock()
|
||||
return tlsCertificates
|
||||
func ResetCertificate(){
|
||||
mutex.Lock()
|
||||
defer mutex.Unlock()
|
||||
trustCert,_=x509.SystemCertPool()
|
||||
}
|
||||
|
||||
func verifyFingerprint(fingerprint *[32]byte) func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
|
||||
|
@ -87,10 +86,10 @@ func GetSpecifiedFingerprintTLSConfig(tlsConfig *tls.Config, fingerprint string)
|
|||
func GetGlobalTLSConfig(tlsConfig *tls.Config) *tls.Config {
|
||||
if tlsConfig == nil {
|
||||
return &tls.Config{
|
||||
Certificates: tlsCertificates,
|
||||
RootCAs: trustCert,
|
||||
}
|
||||
}
|
||||
tlsConfig.Certificates = append(tlsConfig.Certificates, tlsCertificates...)
|
||||
tlsConfig.RootCAs = trustCert
|
||||
return tlsConfig
|
||||
}
|
||||
|
||||
|
@ -107,29 +106,12 @@ func GetSpecifiedFingerprintXTLSConfig(tlsConfig *xtls.Config, fingerprint strin
|
|||
}
|
||||
|
||||
func GetGlobalXTLSConfig(tlsConfig *xtls.Config) *xtls.Config {
|
||||
xtlsCerts := make([]xtls.Certificate, len(tlsCertificates))
|
||||
for _, cert := range tlsCertificates {
|
||||
tlsSsaList := make([]xtls.SignatureScheme, len(cert.SupportedSignatureAlgorithms))
|
||||
for _, ssa := range cert.SupportedSignatureAlgorithms {
|
||||
tlsSsa := xtls.SignatureScheme(ssa)
|
||||
tlsSsaList = append(tlsSsaList, tlsSsa)
|
||||
}
|
||||
xtlsCert := xtls.Certificate{
|
||||
Certificate: cert.Certificate,
|
||||
PrivateKey: cert.PrivateKey,
|
||||
OCSPStaple: cert.OCSPStaple,
|
||||
SignedCertificateTimestamps: cert.SignedCertificateTimestamps,
|
||||
Leaf: cert.Leaf,
|
||||
SupportedSignatureAlgorithms: tlsSsaList,
|
||||
}
|
||||
xtlsCerts = append(xtlsCerts, xtlsCert)
|
||||
}
|
||||
if tlsConfig == nil {
|
||||
return &xtls.Config{
|
||||
Certificates: xtlsCerts,
|
||||
RootCAs: trustCert,
|
||||
}
|
||||
}
|
||||
|
||||
tlsConfig.Certificates = xtlsCerts
|
||||
tlsConfig.RootCAs = trustCert
|
||||
return tlsConfig
|
||||
}
|
||||
|
|
|
@ -120,13 +120,9 @@ type Profile struct {
|
|||
}
|
||||
|
||||
type TLS struct {
|
||||
RawCert `yaml:",inline"`
|
||||
CustomTrustCert []RawCert `yaml:"custom-certifactes"`
|
||||
}
|
||||
|
||||
type RawCert struct {
|
||||
Certificate string `yaml:"certificate"`
|
||||
PrivateKey string `yaml:"private-key"`
|
||||
Certificate string `yaml:"certificate"`
|
||||
PrivateKey string `yaml:"private-key"`
|
||||
CustomTrustCert []string `yaml:"custom-certifactes"`
|
||||
}
|
||||
|
||||
// IPTables config
|
||||
|
@ -447,6 +443,7 @@ func ParseRawConfig(rawCfg *RawConfig) (*Config, error) {
|
|||
}
|
||||
config.General = general
|
||||
|
||||
dialer.DefaultInterface.Store(config.General.Interface)
|
||||
proxies, providers, err := parseProxies(rawCfg)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
|
|
|
@ -30,6 +30,11 @@ ipv6: true # 开启 IPv6 总开关,关闭阻断所有 IPv6 链接和屏蔽 DNS
|
|||
tls:
|
||||
certificate: string # 证书 PEM 格式,或者 证书的路径
|
||||
private-key: string # 证书对应的私钥 PEM 格式,或者私钥路径
|
||||
custom-certifactes:
|
||||
- |
|
||||
-----BEGIN CERTIFICATE-----
|
||||
format/pem...
|
||||
-----END CERTIFICATE-----
|
||||
|
||||
external-controller: 0.0.0.0:9093 # RESTful API 监听地址
|
||||
external-controller-tls: 0.0.0.0:9443 # RESTful API HTTPS 监听地址,需要配置 tls 部分配置文件
|
||||
|
|
|
@ -169,9 +169,11 @@ func updateExperimental(c *config.Config) {
|
|||
}
|
||||
|
||||
func preUpdateExperimental(c *config.Config) {
|
||||
CTLS.AddCertificate(c.TLS.PrivateKey, c.TLS.Certificate)
|
||||
CTLS.ResetCertificate()
|
||||
for _, c := range c.TLS.CustomTrustCert {
|
||||
CTLS.AddCertificate(c.PrivateKey, c.Certificate)
|
||||
if err := CTLS.AddCertificate(c); err != nil {
|
||||
log.Warnln("%s\nadd error: %s", c, err.Error())
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in a new issue