From 57e14e5b62d3a59da1f8c047c1e14e681f323ac2 Mon Sep 17 00:00:00 2001 From: wwqgtxx Date: Sat, 13 Sep 2025 14:07:49 +0800 Subject: [PATCH] chore: cleanup internal ca using --- adapter/adapter.go | 8 +++- adapter/outbound/http.go | 11 +++-- adapter/outbound/hysteria.go | 2 +- adapter/outbound/hysteria2.go | 2 +- adapter/outbound/socks5.go | 13 +++--- adapter/outbound/trojan.go | 35 ++++++++------- adapter/outbound/tuic.go | 2 +- adapter/outbound/vless.go | 28 +++++++----- adapter/outbound/vmess.go | 26 ++++++----- component/ca/config.go | 65 +++++++++++++++------------ component/http/http.go | 47 ++++++++++++++----- component/resource/vehicle.go | 2 +- component/updater/update_core.go | 5 ++- dns/client.go | 7 ++- dns/doh.go | 14 +++--- dns/doq.go | 20 +++++---- listener/inbound/common_test.go | 2 +- transport/gost-plugin/websocket.go | 17 +++---- transport/sing-shadowtls/shadowtls.go | 25 ++++++----- transport/v2ray-plugin/websocket.go | 17 +++---- transport/vmess/tls.go | 16 +++---- 21 files changed, 212 insertions(+), 152 deletions(-) diff --git a/adapter/adapter.go b/adapter/adapter.go index d1f37863..4f127bcf 100644 --- a/adapter/adapter.go +++ b/adapter/adapter.go @@ -2,7 +2,6 @@ package adapter import ( "context" - "crypto/tls" "encoding/json" "fmt" "net" @@ -236,6 +235,11 @@ func (p *Proxy) URLTest(ctx context.Context, url string, expectedStatus utils.In } req = req.WithContext(ctx) + tlsConfig, err := ca.GetTLSConfig(ca.Option{}) + if err != nil { + return + } + transport := &http.Transport{ DialContext: func(context.Context, string, string) (net.Conn, error) { return instance, nil @@ -245,7 +249,7 @@ func (p *Proxy) URLTest(ctx context.Context, url string, expectedStatus utils.In IdleConnTimeout: 90 * time.Second, TLSHandshakeTimeout: 10 * time.Second, ExpectContinueTimeout: 1 * time.Second, - TLSClientConfig: ca.GetGlobalTLSConfig(&tls.Config{}), + TLSClientConfig: tlsConfig, } client := http.Client{ 
diff --git a/adapter/outbound/http.go b/adapter/outbound/http.go index f02308b9..d7746e47 100644 --- a/adapter/outbound/http.go +++ b/adapter/outbound/http.go @@ -167,10 +167,13 @@ func NewHttp(option HttpOption) (*Http, error) { sni = option.SNI } var err error - tlsConfig, err = ca.GetSpecifiedFingerprintTLSConfig(&tls.Config{ - InsecureSkipVerify: option.SkipCertVerify, - ServerName: sni, - }, option.Fingerprint) + tlsConfig, err = ca.GetTLSConfig(ca.Option{ + TLSConfig: &tls.Config{ + InsecureSkipVerify: option.SkipCertVerify, + ServerName: sni, + }, + Fingerprint: option.Fingerprint, + }) if err != nil { return nil, err } diff --git a/adapter/outbound/hysteria.go b/adapter/outbound/hysteria.go index 38318459..84058da6 100644 --- a/adapter/outbound/hysteria.go +++ b/adapter/outbound/hysteria.go @@ -167,7 +167,7 @@ func NewHysteria(option HysteriaOption) (*Hysteria, error) { } var err error - tlsConfig, err = ca.GetTLSConfig(tlsConfig, option.Fingerprint, option.CustomCA, option.CustomCAString) + tlsConfig, err = ca.GetTLSConfig(ca.Option{TLSConfig: tlsConfig, Fingerprint: option.Fingerprint, CustomCA: option.CustomCA, CustomCAString: option.CustomCAString}) if err != nil { return nil, err } diff --git a/adapter/outbound/hysteria2.go b/adapter/outbound/hysteria2.go index e7b9f0b5..9e476cb4 100644 --- a/adapter/outbound/hysteria2.go +++ b/adapter/outbound/hysteria2.go @@ -148,7 +148,7 @@ func NewHysteria2(option Hysteria2Option) (*Hysteria2, error) { } var err error - tlsConfig, err = ca.GetTLSConfig(tlsConfig, option.Fingerprint, option.CustomCA, option.CustomCAString) + tlsConfig, err = ca.GetTLSConfig(ca.Option{TLSConfig: tlsConfig, Fingerprint: option.Fingerprint, CustomCA: option.CustomCA, CustomCAString: option.CustomCAString}) if err != nil { return nil, err } diff --git a/adapter/outbound/socks5.go b/adapter/outbound/socks5.go index 26c64dce..91e7d083 100644 --- a/adapter/outbound/socks5.go +++ b/adapter/outbound/socks5.go 
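Review bot: The `ca.Option{TLSConfig: tlsConfig, Fingerprint: option.Fingerprint, CustomCA: option.CustomCA, CustomCAString: option.CustomCAString}` literal in NewHysteria is packed onto one line, while every other call site in this patch (http.go just above, trojan.go, vless.go, vmess.go) spreads the fields one per line. The same one-liner appears in NewHysteria2 on this line and in NewTuic; formatting all three like the others keeps the four-field literal readable and lets gofmt align the values. These three files also keep `var err error` followed by `tlsConfig, err = ...`, whereas NewTrojan switches to `tlsConfig, err := ...`; either is fine, but the patch should settle on one. The bodies of NewHysteria and NewHysteria2 start outside their hunks.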
@@ -193,13 +193,14 @@ func (ss *Socks5) clientHandshakeContext(ctx context.Context, c net.Conn, addr s func NewSocks5(option Socks5Option) (*Socks5, error) { var tlsConfig *tls.Config if option.TLS { - tlsConfig = &tls.Config{ - InsecureSkipVerify: option.SkipCertVerify, - ServerName: option.Server, - } - var err error - tlsConfig, err = ca.GetSpecifiedFingerprintTLSConfig(tlsConfig, option.Fingerprint) + tlsConfig, err = ca.GetTLSConfig(ca.Option{ + TLSConfig: &tls.Config{ + InsecureSkipVerify: option.SkipCertVerify, + ServerName: option.Server, + }, + Fingerprint: option.Fingerprint, + }) if err != nil { return nil, err } diff --git a/adapter/outbound/trojan.go b/adapter/outbound/trojan.go index f33ac5d6..96c417e9 100644 --- a/adapter/outbound/trojan.go +++ b/adapter/outbound/trojan.go @@ -100,14 +100,15 @@ func (t *Trojan) StreamConnContext(ctx context.Context, c net.Conn, metadata *C. } wsOpts.TLS = true - tlsConfig := &tls.Config{ - NextProtos: alpn, - MinVersion: tls.VersionTLS12, - InsecureSkipVerify: t.option.SkipCertVerify, - ServerName: t.option.SNI, - } - - wsOpts.TLSConfig, err = ca.GetSpecifiedFingerprintTLSConfig(tlsConfig, t.option.Fingerprint) + wsOpts.TLSConfig, err = ca.GetTLSConfig(ca.Option{ + TLSConfig: &tls.Config{ + NextProtos: alpn, + MinVersion: tls.VersionTLS12, + InsecureSkipVerify: t.option.SkipCertVerify, + ServerName: t.option.SNI, + }, + Fingerprint: t.option.Fingerprint, + }) if err != nil { return nil, err } 
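Review bot: In NewSocks5, `tlsConfig, err = ca.GetTLSConfig(ca.Option{` assigns to `err` with `=`, but the hunk removes the `var err error` that declared it and the visible signature `func NewSocks5(option Socks5Option) (*Socks5, error)` has no named result, so within the hunk `err` is undeclared at that point. Unless `err` happens to exist at package scope in `outbound`, this does not compile; the safe fix is to keep `var err error` inside the `if option.TLS {` block, as NewHttp on the previous line does. Switching to `tlsConfig, err := ...` instead would declare a new `tlsConfig` scoped to the `if` block, shadowing the `var tlsConfig *tls.Config` declared just above it, and the outer variable would stay nil. The rest of NewSocks5 is outside the hunk.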
@@ -363,15 +364,15 @@ func NewTrojan(option TrojanOption) (*Trojan, error) { return c, nil } - tlsConfig := &tls.Config{ - NextProtos: option.ALPN, - MinVersion: tls.VersionTLS12, - InsecureSkipVerify: option.SkipCertVerify, - ServerName: option.SNI, - } - - var err error - tlsConfig, err = ca.GetSpecifiedFingerprintTLSConfig(tlsConfig, option.Fingerprint) + tlsConfig, err := ca.GetTLSConfig(ca.Option{ + TLSConfig: &tls.Config{ + NextProtos: option.ALPN, + MinVersion: tls.VersionTLS12, + InsecureSkipVerify: option.SkipCertVerify, + ServerName: option.SNI, + }, + Fingerprint: option.Fingerprint, + }) if err != nil { return nil, err } diff --git a/adapter/outbound/tuic.go b/adapter/outbound/tuic.go index 7a913fbf..8b2c9ac5 100644 --- a/adapter/outbound/tuic.go +++ b/adapter/outbound/tuic.go @@ -171,7 +171,7 @@ func NewTuic(option TuicOption) (*Tuic, error) { } var err error - tlsConfig, err = ca.GetTLSConfig(tlsConfig, option.Fingerprint, option.CustomCA, option.CustomCAString) + tlsConfig, err = ca.GetTLSConfig(ca.Option{TLSConfig: tlsConfig, Fingerprint: option.Fingerprint, CustomCA: option.CustomCA, CustomCAString: option.CustomCAString}) if err != nil { return nil, err } diff --git a/adapter/outbound/vless.go b/adapter/outbound/vless.go index 5ae19bb6..dd5b35db 100644 --- a/adapter/outbound/vless.go +++ b/adapter/outbound/vless.go 
@@ -95,14 +95,15 @@ func (v *Vless) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.M } if v.option.TLS { wsOpts.TLS = true - tlsConfig := &tls.Config{ - MinVersion: tls.VersionTLS12, - ServerName: host, - InsecureSkipVerify: v.option.SkipCertVerify, - NextProtos: []string{"http/1.1"}, - } - - wsOpts.TLSConfig, err = ca.GetSpecifiedFingerprintTLSConfig(tlsConfig, v.option.Fingerprint) + wsOpts.TLSConfig, err = ca.GetTLSConfig(ca.Option{ + TLSConfig: &tls.Config{ + MinVersion: tls.VersionTLS12, + ServerName: host, + InsecureSkipVerify: v.option.SkipCertVerify, + NextProtos: []string{"http/1.1"}, + }, + Fingerprint: v.option.Fingerprint, + }) if err != nil { return nil, err } @@ -498,10 +499,13 @@ func NewVless(option VlessOption) (*Vless, error) { } var tlsConfig *tls.Config if option.TLS { - tlsConfig, err = ca.GetSpecifiedFingerprintTLSConfig(&tls.Config{ - InsecureSkipVerify: v.option.SkipCertVerify, - ServerName: v.option.ServerName, - }, v.option.Fingerprint) + tlsConfig, err = ca.GetTLSConfig(ca.Option{ + TLSConfig: &tls.Config{ + InsecureSkipVerify: v.option.SkipCertVerify, + ServerName: v.option.ServerName, + }, + Fingerprint: v.option.Fingerprint, + }) if err != nil { return nil, err } diff --git a/adapter/outbound/vmess.go b/adapter/outbound/vmess.go index fbf8c266..58e2b00e 100644 --- a/adapter/outbound/vmess.go +++ b/adapter/outbound/vmess.go 
@@ -123,13 +123,14 @@ func (v *Vmess) StreamConnContext(ctx context.Context, c net.Conn, metadata *C.M if v.option.TLS { wsOpts.TLS = true - tlsConfig := &tls.Config{ - ServerName: host, - InsecureSkipVerify: v.option.SkipCertVerify, - NextProtos: []string{"http/1.1"}, - } - - wsOpts.TLSConfig, err = ca.GetSpecifiedFingerprintTLSConfig(tlsConfig, v.option.Fingerprint) + wsOpts.TLSConfig, err = ca.GetTLSConfig(ca.Option{ + TLSConfig: &tls.Config{ + ServerName: host, + InsecureSkipVerify: v.option.SkipCertVerify, + NextProtos: []string{"http/1.1"}, + }, + Fingerprint: v.option.Fingerprint, + }) if err != nil { return nil, err } @@ -501,10 +502,13 @@ func NewVmess(option VmessOption) (*Vmess, error) { } var tlsConfig *tls.Config if option.TLS { - tlsConfig, err = ca.GetSpecifiedFingerprintTLSConfig(&tls.Config{ - InsecureSkipVerify: v.option.SkipCertVerify, - ServerName: v.option.ServerName, - }, v.option.Fingerprint) + tlsConfig, err = ca.GetTLSConfig(ca.Option{ + TLSConfig: &tls.Config{ + InsecureSkipVerify: v.option.SkipCertVerify, + ServerName: v.option.ServerName, + }, + Fingerprint: v.option.Fingerprint, + }) if err != nil { return nil, err } diff --git a/component/ca/config.go b/component/ca/config.go index f4d3ae75..3589b77b 100644 --- a/component/ca/config.go +++ b/component/ca/config.go @@ -10,6 +10,7 @@ import ( "strconv" "sync" + "github.com/metacubex/mihomo/common/once" C "github.com/metacubex/mihomo/constant" ) @@ -65,18 +66,6 @@ func ResetCertificate() { initializeCertPool() } -func getCertPool() *x509.CertPool { - if globalCertPool == nil { - mutex.Lock() - defer mutex.Unlock() - if globalCertPool != nil { - return globalCertPool - } - initializeCertPool() - } - return globalCertPool -} - func GetCertPool(customCA string, customCAString string) (*x509.CertPool, error) { var certificate []byte var err error 
@@ -99,22 +88,40 @@ func GetCertPool(customCA string, customCAString string) (*x509.CertPool, error) } return certPool, nil } else { - return getCertPool(), nil + mutex.Lock() + defer mutex.Unlock() + if globalCertPool == nil { + initializeCertPool() + } + return globalCertPool, nil } } -// GetTLSConfig specified fingerprint, customCA and customCAString -func GetTLSConfig(tlsConfig *tls.Config, fingerprint string, customCA string, customCAString string) (_ *tls.Config, err error) { +type Option struct { + TLSConfig *tls.Config + Fingerprint string + CustomCA string + CustomCAString string + ZeroTrust bool +} + +func GetTLSConfig(opt Option) (tlsConfig *tls.Config, err error) { + tlsConfig = opt.TLSConfig if tlsConfig == nil { tlsConfig = &tls.Config{} } - tlsConfig.RootCAs, err = GetCertPool(customCA, customCAString) - if err != nil { - return nil, err + + if opt.ZeroTrust { + tlsConfig.RootCAs = zeroTrustCertPool() + } else { + tlsConfig.RootCAs, err = GetCertPool(opt.CustomCA, opt.CustomCAString) + if err != nil { + return nil, err + } } - if len(fingerprint) > 0 { - tlsConfig.VerifyPeerCertificate, err = NewFingerprintVerifier(fingerprint) + if len(opt.Fingerprint) > 0 { + tlsConfig.VerifyPeerCertificate, err = NewFingerprintVerifier(opt.Fingerprint) if err != nil { return nil, err } 
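Review bot: The `opt.ZeroTrust` branch of GetTLSConfig assigns `tlsConfig.RootCAs = zeroTrustCertPool()` without checking the result, and the next hunk's `zeroTrustCertPool` returns nil when `_CaCertificates` is empty, so a caller asking for zero trust silently gets the host's root store instead (crypto/tls treats a nil `RootCAs` as the system roots). Since update_core.go now fetches the version string and the new binary with `ZeroTrust: true`, that downgrade should surface as an error, or at least a logged warning, rather than a silent fallback: `if tlsConfig.RootCAs = zeroTrustCertPool(); tlsConfig.RootCAs == nil { return nil, errors.New("zero-trust requested but no embedded CA bundle is available") }` (adding the `errors` import if config.go lacks it). The same branch also silently ignores `CustomCA`/`CustomCAString` whenever `ZeroTrust` is set. The old `// GetTLSConfig specified fingerprint, customCA and customCAString` doc comment was dropped and the exported `Option` has none; a comment on `Option` should state that `TLSConfig` is modified in place and returned (`tlsConfig = opt.TLSConfig` followed by field assignments), that `ZeroTrust` restricts trust to the embedded bundle and overrides the custom-CA fields, and that `Fingerprint` installs a `VerifyPeerCertificate` callback.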
@@ -123,12 +130,12 @@ func GetTLSConfig(tlsConfig *tls.Config, fingerprint string, customCA string, cu return tlsConfig, nil } -// GetSpecifiedFingerprintTLSConfig specified fingerprint -func GetSpecifiedFingerprintTLSConfig(tlsConfig *tls.Config, fingerprint string) (*tls.Config, error) { - return GetTLSConfig(tlsConfig, fingerprint, "", "") -} - -func GetGlobalTLSConfig(tlsConfig *tls.Config) *tls.Config { - tlsConfig, _ = GetTLSConfig(tlsConfig, "", "", "") - return tlsConfig -} +var zeroTrustCertPool = once.OnceValue(func() *x509.CertPool { + if len(_CaCertificates) != 0 { // always using embed cert first + zeroTrustCertPool := x509.NewCertPool() + if zeroTrustCertPool.AppendCertsFromPEM(_CaCertificates) { + return zeroTrustCertPool + } + } + return nil // fallback to system pool +}) diff --git a/component/http/http.go b/component/http/http.go index a2c44d85..1683c4da 100644 --- a/component/http/http.go +++ b/component/http/http.go @@ -2,7 +2,6 @@ package http import ( "context" - "crypto/tls" "io" "net" "net/http" @@ -28,11 +27,11 @@ func SetUA(UA string) { ua = UA } -func HttpRequest(ctx context.Context, url, method string, header map[string][]string, body io.Reader) (*http.Response, error) { - return HttpRequestWithProxy(ctx, url, method, header, body, "") -} - -func HttpRequestWithProxy(ctx context.Context, url, method string, header map[string][]string, body io.Reader, specialProxy string) (*http.Response, error) { +func HttpRequest(ctx context.Context, url, method string, header map[string][]string, body io.Reader, options ...Option) (*http.Response, error) { + opt := option{} + for _, o := range options { + o(&opt) + } method = strings.ToUpper(method) urlRes, err := URL.Parse(url) if err != nil { 
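Review bot: Inside the `once.OnceValue` closure the local `zeroTrustCertPool := x509.NewCertPool()` shadows the package-level `zeroTrustCertPool` var it is initialising; `pool := x509.NewCertPool()` reads better and avoids confusing the two in a later edit. The `// fallback to system pool` comment on `return nil` is only true because crypto/tls interprets a nil `RootCAs` as the host root store, so spell that out, and give the exported-by-behaviour var a doc comment such as `// zeroTrustCertPool builds, once, a pool holding only the embedded CA bundle (_CaCertificates); it is nil when no bundle is embedded or it fails to parse, in which case crypto/tls falls back to the system roots.`. The `// always using embed cert first` comment could read `// prefer the embedded bundle when one is compiled in`.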
@@ -40,6 +39,10 @@ func HttpRequestWithProxy(ctx context.Context, url, method string, header map[st } req, err := http.NewRequest(method, urlRes.String(), body) + if err != nil { + return nil, err + } + for k, v := range header { for _, v := range v { req.Header.Add(k, v) @@ -50,10 +53,6 @@ func HttpRequestWithProxy(ctx context.Context, url, method string, header map[st req.Header.Set("User-Agent", UA()) } - if err != nil { - return nil, err - } - if user := urlRes.User; user != nil { password, _ := user.Password() req.SetBasicAuth(user.Username(), password) @@ -61,6 +60,11 @@ func HttpRequestWithProxy(ctx context.Context, url, method string, header map[st req = req.WithContext(ctx) + tlsConfig, err := ca.GetTLSConfig(opt.caOption) + if err != nil { + return nil, err + } + transport := &http.Transport{ // from http.DefaultTransport DisableKeepAlives: runtime.GOOS == "android", @@ -69,15 +73,34 @@ func HttpRequestWithProxy(ctx context.Context, url, method string, header map[st TLSHandshakeTimeout: 10 * time.Second, ExpectContinueTimeout: 1 * time.Second, DialContext: func(ctx context.Context, network, address string) (net.Conn, error) { - if conn, err := inner.HandleTcp(inner.GetTunnel(), address, specialProxy); err == nil { + if conn, err := inner.HandleTcp(inner.GetTunnel(), address, opt.specialProxy); err == nil { return conn, nil } else { return dialer.DialContext(ctx, network, address) } }, - TLSClientConfig: ca.GetGlobalTLSConfig(&tls.Config{}), + TLSClientConfig: tlsConfig, } client := http.Client{Transport: transport} return client.Do(req) } + +type Option func(opt *option) + +type option struct { + specialProxy string + caOption ca.Option +} + +func WithSpecialProxy(name string) Option { + return func(opt *option) { + opt.specialProxy = name + } +} + +func WithCAOption(caOption ca.Option) Option { + return func(opt *option) { + opt.caOption = caOption + } +} 
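Review bot: The new exported `Option`, `WithSpecialProxy` and `WithCAOption` at the end of the hunk carry no doc comments, and with `HttpRequestWithProxy` removed they are now the only way callers choose a proxy or a CA policy. Suggested comments: `// Option customises a single HttpRequest call.`, `// WithSpecialProxy sets the proxy name handed to inner.HandleTcp when dialing the request's connection.` and `// WithCAOption sets the ca.Option passed to ca.GetTLSConfig; a TLSConfig supplied in it is modified in place.` — the last clause because `ca.GetTLSConfig` assigns `RootCAs` on the config it receives. In the `DialContext` closure, the `else { return dialer.DialContext(ctx, network, address) }` after a `return` sits on a line this hunk touches; dropping the `else` and returning `dialer.DialContext(ctx, network, address)` directly keeps the happy path flat.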
diff --git a/component/resource/vehicle.go b/component/resource/vehicle.go index 00b3170b..67ab19b7 100644 --- a/component/resource/vehicle.go +++ b/component/resource/vehicle.go @@ -135,7 +135,7 @@ func (h *HTTPVehicle) Read(ctx context.Context, oldHash utils.HashType) (buf []b setIfNoneMatch = true } } - resp, err := mihomoHttp.HttpRequestWithProxy(ctx, h.url, http.MethodGet, header, nil, h.proxy) + resp, err := mihomoHttp.HttpRequest(ctx, h.url, http.MethodGet, header, nil, mihomoHttp.WithSpecialProxy(h.proxy)) if err != nil { return } diff --git a/component/updater/update_core.go b/component/updater/update_core.go index 5f7113d0..ffc4fb04 100644 --- a/component/updater/update_core.go +++ b/component/updater/update_core.go @@ -15,6 +15,7 @@ import ( "sync" "time" + "github.com/metacubex/mihomo/component/ca" mihomoHttp "github.com/metacubex/mihomo/component/http" C "github.com/metacubex/mihomo/constant" "github.com/metacubex/mihomo/constant/features" @@ -171,7 +172,7 @@ func (u *CoreUpdater) Update(currentExePath string, channel string, force bool) func (u *CoreUpdater) getLatestVersion(versionURL string) (version string, err error) { ctx, cancel := context.WithTimeout(context.Background(), time.Second*5) defer cancel() - resp, err := mihomoHttp.HttpRequest(ctx, versionURL, http.MethodGet, nil, nil) + resp, err := mihomoHttp.HttpRequest(ctx, versionURL, http.MethodGet, nil, nil, mihomoHttp.WithCAOption(ca.Option{ZeroTrust: true})) if err != nil { return "", err } 
@@ -194,7 +195,7 @@ func (u *CoreUpdater) getLatestVersion(versionURL string) (version string, err e func (u *CoreUpdater) download(updateDir, packagePath, packageURL string) (err error) { ctx, cancel := context.WithTimeout(context.Background(), time.Second*90) defer cancel() - resp, err := mihomoHttp.HttpRequest(ctx, packageURL, http.MethodGet, nil, nil) + resp, err := mihomoHttp.HttpRequest(ctx, packageURL, http.MethodGet, nil, nil, mihomoHttp.WithCAOption(ca.Option{ZeroTrust: true})) if err != nil { return fmt.Errorf("http request failed: %w", err) } diff --git a/dns/client.go b/dns/client.go index 359cb443..c2373b48 100644 --- a/dns/client.go +++ b/dns/client.go @@ -48,6 +48,11 @@ func (c *client) ExchangeContext(ctx context.Context, m *D.Msg) (*D.Msg, error) network = "tcp" } + tlsConfig, err := ca.GetTLSConfig(ca.Option{TLSConfig: c.Client.TLSConfig}) + if err != nil { + return nil, err + } + addr := net.JoinHostPort(c.host, c.port) conn, err := c.dialer.DialContext(ctx, network, addr) if err != nil { @@ -66,7 +71,7 @@ func (c *client) ExchangeContext(ctx context.Context, m *D.Msg) (*D.Msg, error) ch := make(chan result, 1) go func() { if strings.HasSuffix(c.Client.Net, "tls") { - conn = tls.Client(conn, ca.GetGlobalTLSConfig(c.Client.TLSConfig)) + conn = tls.Client(conn, tlsConfig) } dConn := &D.Conn{ diff --git a/dns/doh.go b/dns/doh.go index a394e812..bae5c648 100644 --- a/dns/doh.go +++ b/dns/doh.go 
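Review bot: In dns/client.go ExchangeContext, the new `ca.GetTLSConfig(ca.Option{TLSConfig: c.Client.TLSConfig})` runs on every query, ahead of the `strings.HasSuffix(c.Client.Net, "tls")` check that decides whether TLS is used at all, so plain UDP/TCP resolvers now take the ca mutex and allocate a throw-away `tls.Config` per query. More importantly, GetTLSConfig writes `RootCAs` on the config it is given, so when `c.Client.TLSConfig` is non-nil and ExchangeContext is invoked concurrently on one client (as a resolver presumably is), several goroutines write the same `*tls.Config` — a data race that `-race` should flag; before this change the mutation happened only on the tls path. Resolve the config once when the client is constructed, or at minimum pass `c.Client.TLSConfig.Clone()` and only inside the tls branch, so each query reads an immutable config. The client constructor and the rest of ExchangeContext are outside the hunk.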
@@ -397,12 +397,14 @@ func (doh *dnsOverHTTPS) createTransport(ctx context.Context) (t http.RoundTripp return transport, nil } - tlsConfig := ca.GetGlobalTLSConfig( - &tls.Config{ - InsecureSkipVerify: doh.skipCertVerify, - MinVersion: tls.VersionTLS12, - SessionTicketsDisabled: false, - }) + tlsConfig, err := ca.GetTLSConfig(ca.Option{TLSConfig: &tls.Config{ + InsecureSkipVerify: doh.skipCertVerify, + MinVersion: tls.VersionTLS12, + SessionTicketsDisabled: false, + }}) + if err != nil { + return nil, err + } var nextProtos []string for _, v := range doh.httpVersions { nextProtos = append(nextProtos, string(v)) diff --git a/dns/doq.go b/dns/doq.go index a611265d..4d6c7147 100644 --- a/dns/doq.go +++ b/dns/doq.go @@ -331,15 +331,17 @@ func (doq *dnsOverQUIC) openConnection(ctx context.Context) (conn *quic.Conn, er return nil, err } - tlsConfig := ca.GetGlobalTLSConfig( - &tls.Config{ - ServerName: host, - InsecureSkipVerify: doq.skipCertVerify, - NextProtos: []string{ - NextProtoDQ, - }, - SessionTicketsDisabled: false, - }) + tlsConfig, err := ca.GetTLSConfig(ca.Option{TLSConfig: &tls.Config{ + ServerName: host, + InsecureSkipVerify: doq.skipCertVerify, + NextProtos: []string{ + NextProtoDQ, + }, + SessionTicketsDisabled: false, + }}) + if err != nil { + return nil, err + } transport := quic.Transport{Conn: udp} transport.SetCreatedConn(true) // auto close conn diff --git a/listener/inbound/common_test.go b/listener/inbound/common_test.go index 79e382fa..aa5f2770 100644 --- a/listener/inbound/common_test.go +++ b/listener/inbound/common_test.go 
@@ -39,7 +39,7 @@ var userUUID = utils.NewUUIDV4().String() var tlsCertificate, tlsPrivateKey, tlsFingerprint, _ = ca.NewRandomTLSKeyPair(ca.KeyPairTypeP256) var tlsConfigCert, _ = tls.X509KeyPair([]byte(tlsCertificate), []byte(tlsPrivateKey)) var tlsConfig = &tls.Config{Certificates: []tls.Certificate{tlsConfigCert}, NextProtos: []string{"h2", "http/1.1"}} -var tlsClientConfig, _ = ca.GetTLSConfig(nil, tlsFingerprint, "", "") +var tlsClientConfig, _ = ca.GetTLSConfig(ca.Option{Fingerprint: tlsFingerprint}) var realityPrivateKey, realityPublickey string var realityDest = "itunes.apple.com" var realityShortid = "10f897e26c4b9478" diff --git a/transport/gost-plugin/websocket.go b/transport/gost-plugin/websocket.go index daedb532..4ff943dc 100644 --- a/transport/gost-plugin/websocket.go +++ b/transport/gost-plugin/websocket.go @@ -57,15 +57,17 @@ func NewGostWebsocket(ctx context.Context, conn net.Conn, option *Option) (net.C Headers: header, } + var err error if option.TLS { config.TLS = true - tlsConfig := &tls.Config{ - ServerName: option.Host, - InsecureSkipVerify: option.SkipCertVerify, - NextProtos: []string{"http/1.1"}, - } - var err error - config.TLSConfig, err = ca.GetSpecifiedFingerprintTLSConfig(tlsConfig, option.Fingerprint) + config.TLSConfig, err = ca.GetTLSConfig(ca.Option{ + TLSConfig: &tls.Config{ + ServerName: option.Host, + InsecureSkipVerify: option.SkipCertVerify, + NextProtos: []string{"http/1.1"}, + }, + Fingerprint: option.Fingerprint, + }) if err != nil { return nil, err } @@ -75,7 +77,6 @@ func NewGostWebsocket(ctx context.Context, conn net.Conn, option *Option) (net.C } } - var err error conn, err = vmess.StreamWebsocketConn(ctx, conn, config) if err != nil { return nil, err diff --git a/transport/sing-shadowtls/shadowtls.go b/transport/sing-shadowtls/shadowtls.go index 4f9c3b51..07157670 100644 --- a/transport/sing-shadowtls/shadowtls.go +++ b/transport/sing-shadowtls/shadowtls.go 
@@ -33,22 +33,23 @@ type ShadowTLSOption struct { } func NewShadowTLS(ctx context.Context, conn net.Conn, option *ShadowTLSOption) (net.Conn, error) { - tlsConfig := &tls.Config{ - NextProtos: option.ALPN, - MinVersion: tls.VersionTLS12, - InsecureSkipVerify: option.SkipCertVerify, - ServerName: option.Host, - } - if option.Version == 1 { - tlsConfig.MaxVersion = tls.VersionTLS12 // ShadowTLS v1 only support TLS 1.2 - } - - var err error - tlsConfig, err = ca.GetSpecifiedFingerprintTLSConfig(tlsConfig, option.Fingerprint) + tlsConfig, err := ca.GetTLSConfig(ca.Option{ + TLSConfig: &tls.Config{ + NextProtos: option.ALPN, + MinVersion: tls.VersionTLS12, + InsecureSkipVerify: option.SkipCertVerify, + ServerName: option.Host, + }, + Fingerprint: option.Fingerprint, + }) if err != nil { return nil, err } + if option.Version == 1 { + tlsConfig.MaxVersion = tls.VersionTLS12 // ShadowTLS v1 only support TLS 1.2 + } + tlsHandshake := uTLSHandshakeFunc(tlsConfig, option.ClientFingerprint, option.Version) client, err := shadowtls.NewClient(shadowtls.ClientConfig{ Version: option.Version, diff --git a/transport/v2ray-plugin/websocket.go b/transport/v2ray-plugin/websocket.go index 983698c7..250590a6 100644 --- a/transport/v2ray-plugin/websocket.go +++ b/transport/v2ray-plugin/websocket.go @@ -43,15 +43,17 @@ func NewV2rayObfs(ctx context.Context, conn net.Conn, option *Option) (net.Conn, Headers: header, } + var err error if option.TLS { config.TLS = true - tlsConfig := &tls.Config{ - ServerName: option.Host, - InsecureSkipVerify: option.SkipCertVerify, - NextProtos: []string{"http/1.1"}, - } - var err error - config.TLSConfig, err = ca.GetSpecifiedFingerprintTLSConfig(tlsConfig, option.Fingerprint) + config.TLSConfig, err = ca.GetTLSConfig(ca.Option{ + TLSConfig: &tls.Config{ + ServerName: option.Host, + InsecureSkipVerify: option.SkipCertVerify, + NextProtos: []string{"http/1.1"}, + }, + Fingerprint: option.Fingerprint, + }) if err != nil { return nil, err } 
@@ -61,7 +63,6 @@ func NewV2rayObfs(ctx context.Context, conn net.Conn, option *Option) (net.Conn, } } - var err error conn, err = vmess.StreamWebsocketConn(ctx, conn, config) if err != nil { return nil, err diff --git a/transport/vmess/tls.go b/transport/vmess/tls.go index 3bfcb46a..c9dd50cc 100644 --- a/transport/vmess/tls.go +++ b/transport/vmess/tls.go @@ -26,14 +26,14 @@ type ECHConfig struct { } func StreamTLSConn(ctx context.Context, conn net.Conn, cfg *TLSConfig) (net.Conn, error) { - tlsConfig := &tls.Config{ - ServerName: cfg.Host, - InsecureSkipVerify: cfg.SkipCertVerify, - NextProtos: cfg.NextProtos, - } - - var err error - tlsConfig, err = ca.GetSpecifiedFingerprintTLSConfig(tlsConfig, cfg.FingerPrint) + tlsConfig, err := ca.GetTLSConfig(ca.Option{ + TLSConfig: &tls.Config{ + ServerName: cfg.Host, + InsecureSkipVerify: cfg.SkipCertVerify, + NextProtos: cfg.NextProtos, + }, + Fingerprint: cfg.FingerPrint, + }) if err != nil { return nil, err }