mirrors/Xray-core
0
Fork 0
mirror of https://github.com/XTLS/Xray-core.git synced 2025-06-12 11:29:36 +03:00
Code Issues Releases Activity

Add: reject unknown SNI

Browse Source 
Co-Authored-By: 玖柒Max <60207794+jiuqi9997@users.noreply.github.com>
This commit is contained in:
hmol233
2021-05-09 23:47:21 +08:00
parent 1e3d739a5b
commit 53b99efe78
7 changed files with 63 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
transport/internet/tls/config.go
View File

@ -211,7 +211,7 @@ func getGetCertificateFunc(c *tls.Config, ca []*Certificate) func(hello *tls.Cli
}
}
func getNewGetCertficateFunc(certs []*tls.Certificate) func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
func getNewGetCertificateFunc(certs []*tls.Certificate, rejectUnknownSNI bool) func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
return func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
if len(certs) == 0 {
return nil, newError("empty certs")
@ -234,6 +234,9 @@ func getNewGetCertficateFunc(certs []*tls.Certificate) func(hello *tls.ClientHel
}
}
}
if rejectUnknownSNI {
return nil, newError("reject unknown sni")
}
return certs[0], nil
}
}
@ -275,7 +278,7 @@ func (c *Config) GetTLSConfig(opts ...Option) *tls.Config {
if len(caCerts) > 0 {
config.GetCertificate = getGetCertificateFunc(config, caCerts)
} else {
config.GetCertificate = getNewGetCertficateFunc(c.BuildCertificates())
config.GetCertificate = getNewGetCertificateFunc(c.BuildCertificates(), c.RejectUnknownSni)
}
if sn := c.parseServerName(); len(sn) > 0 {