chore: add custom ca trust
This commit is contained in:
parent
a3b8c9c233
commit
f565edd76d
4 changed files with 28 additions and 42 deletions
|
@ -11,31 +11,30 @@ import (
|
||||||
"strings"
|
"strings"
|
||||||
"sync"
|
"sync"
|
||||||
|
|
||||||
CN "github.com/Dreamacro/clash/common/net"
|
|
||||||
|
|
||||||
xtls "github.com/xtls/go"
|
xtls "github.com/xtls/go"
|
||||||
)
|
)
|
||||||
|
|
||||||
var tlsCertificates = make([]tls.Certificate, 0)
|
var trustCert,_ = x509.SystemCertPool()
|
||||||
|
|
||||||
var mutex sync.RWMutex
|
var mutex sync.RWMutex
|
||||||
var errNotMacth error = errors.New("certificate fingerprints do not match")
|
var errNotMacth error = errors.New("certificate fingerprints do not match")
|
||||||
|
|
||||||
func AddCertificate(privateKey, certificate string) error {
|
func AddCertificate(certificate string) error {
|
||||||
mutex.Lock()
|
mutex.Lock()
|
||||||
defer mutex.Unlock()
|
defer mutex.Unlock()
|
||||||
if cert, err := CN.ParseCert(certificate, privateKey); err != nil {
|
if certificate == "" {
|
||||||
return err
|
return fmt.Errorf("certificate is empty")
|
||||||
} else {
|
}
|
||||||
tlsCertificates = append(tlsCertificates, cert)
|
if ok := trustCert.AppendCertsFromPEM([]byte(certificate)); !ok {
|
||||||
|
return fmt.Errorf("add certificate failed")
|
||||||
}
|
}
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func GetCertificates() []tls.Certificate {
|
func ResetCertificate(){
|
||||||
mutex.RLock()
|
mutex.Lock()
|
||||||
defer mutex.RUnlock()
|
defer mutex.Unlock()
|
||||||
return tlsCertificates
|
trustCert,_=x509.SystemCertPool()
|
||||||
}
|
}
|
||||||
|
|
||||||
func verifyFingerprint(fingerprint *[32]byte) func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
|
func verifyFingerprint(fingerprint *[32]byte) func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
|
||||||
|
@ -87,10 +86,10 @@ func GetSpecifiedFingerprintTLSConfig(tlsConfig *tls.Config, fingerprint string)
|
||||||
func GetGlobalTLSConfig(tlsConfig *tls.Config) *tls.Config {
|
func GetGlobalTLSConfig(tlsConfig *tls.Config) *tls.Config {
|
||||||
if tlsConfig == nil {
|
if tlsConfig == nil {
|
||||||
return &tls.Config{
|
return &tls.Config{
|
||||||
Certificates: tlsCertificates,
|
RootCAs: trustCert,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
tlsConfig.Certificates = append(tlsConfig.Certificates, tlsCertificates...)
|
tlsConfig.RootCAs = trustCert
|
||||||
return tlsConfig
|
return tlsConfig
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -107,29 +106,12 @@ func GetSpecifiedFingerprintXTLSConfig(tlsConfig *xtls.Config, fingerprint strin
|
||||||
}
|
}
|
||||||
|
|
||||||
func GetGlobalXTLSConfig(tlsConfig *xtls.Config) *xtls.Config {
|
func GetGlobalXTLSConfig(tlsConfig *xtls.Config) *xtls.Config {
|
||||||
xtlsCerts := make([]xtls.Certificate, len(tlsCertificates))
|
|
||||||
for _, cert := range tlsCertificates {
|
|
||||||
tlsSsaList := make([]xtls.SignatureScheme, len(cert.SupportedSignatureAlgorithms))
|
|
||||||
for _, ssa := range cert.SupportedSignatureAlgorithms {
|
|
||||||
tlsSsa := xtls.SignatureScheme(ssa)
|
|
||||||
tlsSsaList = append(tlsSsaList, tlsSsa)
|
|
||||||
}
|
|
||||||
xtlsCert := xtls.Certificate{
|
|
||||||
Certificate: cert.Certificate,
|
|
||||||
PrivateKey: cert.PrivateKey,
|
|
||||||
OCSPStaple: cert.OCSPStaple,
|
|
||||||
SignedCertificateTimestamps: cert.SignedCertificateTimestamps,
|
|
||||||
Leaf: cert.Leaf,
|
|
||||||
SupportedSignatureAlgorithms: tlsSsaList,
|
|
||||||
}
|
|
||||||
xtlsCerts = append(xtlsCerts, xtlsCert)
|
|
||||||
}
|
|
||||||
if tlsConfig == nil {
|
if tlsConfig == nil {
|
||||||
return &xtls.Config{
|
return &xtls.Config{
|
||||||
Certificates: xtlsCerts,
|
RootCAs: trustCert,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
tlsConfig.Certificates = xtlsCerts
|
tlsConfig.RootCAs = trustCert
|
||||||
return tlsConfig
|
return tlsConfig
|
||||||
}
|
}
|
||||||
|
|
|
@ -120,13 +120,9 @@ type Profile struct {
|
||||||
}
|
}
|
||||||
|
|
||||||
type TLS struct {
|
type TLS struct {
|
||||||
RawCert `yaml:",inline"`
|
Certificate string `yaml:"certificate"`
|
||||||
CustomTrustCert []RawCert `yaml:"custom-certifactes"`
|
PrivateKey string `yaml:"private-key"`
|
||||||
}
|
CustomTrustCert []string `yaml:"custom-certifactes"`
|
||||||
|
|
||||||
type RawCert struct {
|
|
||||||
Certificate string `yaml:"certificate"`
|
|
||||||
PrivateKey string `yaml:"private-key"`
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// IPTables config
|
// IPTables config
|
||||||
|
@ -447,6 +443,7 @@ func ParseRawConfig(rawCfg *RawConfig) (*Config, error) {
|
||||||
}
|
}
|
||||||
config.General = general
|
config.General = general
|
||||||
|
|
||||||
|
dialer.DefaultInterface.Store(config.General.Interface)
|
||||||
proxies, providers, err := parseProxies(rawCfg)
|
proxies, providers, err := parseProxies(rawCfg)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
|
|
|
@ -30,6 +30,11 @@ ipv6: true # 开启 IPv6 总开关,关闭阻断所有 IPv6 链接和屏蔽 DNS
|
||||||
tls:
|
tls:
|
||||||
certificate: string # 证书 PEM 格式,或者 证书的路径
|
certificate: string # 证书 PEM 格式,或者 证书的路径
|
||||||
private-key: string # 证书对应的私钥 PEM 格式,或者私钥路径
|
private-key: string # 证书对应的私钥 PEM 格式,或者私钥路径
|
||||||
|
custom-certifactes:
|
||||||
|
- |
|
||||||
|
-----BEGIN CERTIFICATE-----
|
||||||
|
format/pem...
|
||||||
|
-----END CERTIFICATE-----
|
||||||
|
|
||||||
external-controller: 0.0.0.0:9093 # RESTful API 监听地址
|
external-controller: 0.0.0.0:9093 # RESTful API 监听地址
|
||||||
external-controller-tls: 0.0.0.0:9443 # RESTful API HTTPS 监听地址,需要配置 tls 部分配置文件
|
external-controller-tls: 0.0.0.0:9443 # RESTful API HTTPS 监听地址,需要配置 tls 部分配置文件
|
||||||
|
|
|
@ -169,9 +169,11 @@ func updateExperimental(c *config.Config) {
|
||||||
}
|
}
|
||||||
|
|
||||||
func preUpdateExperimental(c *config.Config) {
|
func preUpdateExperimental(c *config.Config) {
|
||||||
CTLS.AddCertificate(c.TLS.PrivateKey, c.TLS.Certificate)
|
CTLS.ResetCertificate()
|
||||||
for _, c := range c.TLS.CustomTrustCert {
|
for _, c := range c.TLS.CustomTrustCert {
|
||||||
CTLS.AddCertificate(c.PrivateKey, c.Certificate)
|
if err := CTLS.AddCertificate(c); err != nil {
|
||||||
|
log.Warnln("%s\nadd error: %s", c, err.Error())
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue