mirrors/Xray-core
0
Fork 0
mirror of https://github.com/XTLS/Xray-core.git synced 2025-06-13 03:49:35 +03:00
Code Issues Releases Activity

Verify peer cert function for better man in the middle prevention (#746)

Browse Source 
* verify peer cert function for better man in the middle prevention

* publish cert chain hash generation algorithm

* added calculation of certificate hash as separate command and tlsping, use base64 to represent fingerprint to align with jsonPb

* apply coding style

* added test case for pinned certificates

* refactored cert pin

* pinned cert test

* added json loading of the PinnedPeerCertificateChainSha256

* removed tool to prepare for v5

* Add server cert pinning for Xtls

Change command "xray tls certChainHash" to xray style

Co-authored-by: Shelikhoo <xiaokangwang@outlook.com>
This commit is contained in:
yuhan6665
2021-10-22 00:04:06 -04:00
committed by 世界
parent 6a60332700
commit acb81ebe3d
13 changed files with 447 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
transport/internet/xtls/config.go
View File

@ -1,7 +1,9 @@
package xtls
import (
"crypto/hmac"
"crypto/x509"
"encoding/base64"
"strings"
"sync"
"time"
@ -13,6 +15,7 @@ import (
"github.com/xtls/xray-core/common/platform/filesystem"
"github.com/xtls/xray-core/common/protocol/tls/cert"
"github.com/xtls/xray-core/transport/internet"
"github.com/xtls/xray-core/transport/internet/tls"
)
var globalSessionCache = xtls.NewLRUClientSessionCache(128)
@ -244,6 +247,19 @@ func (c *Config) parseServerName() string {
return c.ServerName
}
func (c *Config) verifyPeerCert(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
if c.PinnedPeerCertificateChainSha256 != nil {
hashValue := tls.GenerateCertChainHash(rawCerts)
for _, v := range c.PinnedPeerCertificateChainSha256 {
if hmac.Equal(hashValue, v) {
return nil
}
}
return newError("peer cert is unrecognized: ", base64.StdEncoding.EncodeToString(hashValue))
}
return nil
}
// GetXTLSConfig converts this Config into xtls.Config.
func (c *Config) GetXTLSConfig(opts ...Option) *xtls.Config {
root, err := c.getCertPool()
@ -267,6 +283,7 @@ func (c *Config) GetXTLSConfig(opts ...Option) *xtls.Config {
InsecureSkipVerify: c.AllowInsecure,
NextProtos: c.NextProtocol,
SessionTicketsDisabled: !c.EnableSessionResumption,
VerifyPeerCertificate: c.verifyPeerCert,
}
for _, opt := range opts {