feat: remove ca and ca-str in hy1/hy2/tuic outbound, using fingerprint instead

2025-12-19 08:20:05 +08:00 · 2025-09-19 18:03:05 +08:00 · 2025-09-19 18:03:05 +08:00 · 6786705212
commit 6786705212
parent 00638f30a7
5 changed files with 13 additions and 57 deletions
--- a/adapter/outbound/hysteria.go
+++ b/adapter/outbound/hysteria.go
@ -126,8 +126,6 @@ type HysteriaOption struct {
 	SkipCertVerify      bool       `proxy:"skip-cert-verify,omitempty"`
 	Fingerprint         string     `proxy:"fingerprint,omitempty"`
 	ALPN                []string   `proxy:"alpn,omitempty"`
-	CustomCA            string     `proxy:"ca,omitempty"`
-	CustomCAString      string     `proxy:"ca-str,omitempty"`
 	ReceiveWindowConn   int        `proxy:"recv-window-conn,omitempty"`
 	ReceiveWindow       int        `proxy:"recv-window,omitempty"`
 	DisableMTUDiscovery bool       `proxy:"disable-mtu-discovery,omitempty"`
@ -166,9 +164,7 @@ func NewHysteria(option HysteriaOption) (*Hysteria, error) {
 			InsecureSkipVerify: option.SkipCertVerify,
 			MinVersion:         tls.VersionTLS13,
 		},
-		Fingerprint:    option.Fingerprint,
-		CustomCA:       option.CustomCA,
-		CustomCAString: option.CustomCAString,
+		Fingerprint: option.Fingerprint,
 	})
 	if err != nil {
 		return nil, err
--- a/adapter/outbound/hysteria2.go
+++ b/adapter/outbound/hysteria2.go
@ -56,8 +56,6 @@ type Hysteria2Option struct {
 	SkipCertVerify bool       `proxy:"skip-cert-verify,omitempty"`
 	Fingerprint    string     `proxy:"fingerprint,omitempty"`
 	ALPN           []string   `proxy:"alpn,omitempty"`
-	CustomCA       string     `proxy:"ca,omitempty"`
-	CustomCAString string     `proxy:"ca-str,omitempty"`
 	CWND           int        `proxy:"cwnd,omitempty"`
 	UdpMTU         int        `proxy:"udp-mtu,omitempty"`

@ -147,9 +145,7 @@ func NewHysteria2(option Hysteria2Option) (*Hysteria2, error) {
 			InsecureSkipVerify: option.SkipCertVerify,
 			MinVersion:         tls.VersionTLS13,
 		},
-		Fingerprint:    option.Fingerprint,
-		CustomCA:       option.CustomCA,
-		CustomCAString: option.CustomCAString,
+		Fingerprint: option.Fingerprint,
 	})
 	if err != nil {
 		return nil, err
--- a/adapter/outbound/tuic.go
+++ b/adapter/outbound/tuic.go
@ -55,8 +55,6 @@ type TuicOption struct {
 	CWND                 int        `proxy:"cwnd,omitempty"`
 	SkipCertVerify       bool       `proxy:"skip-cert-verify,omitempty"`
 	Fingerprint          string     `proxy:"fingerprint,omitempty"`
-	CustomCA             string     `proxy:"ca,omitempty"`
-	CustomCAString       string     `proxy:"ca-str,omitempty"`
 	ReceiveWindowConn    int        `proxy:"recv-window-conn,omitempty"`
 	ReceiveWindow        int        `proxy:"recv-window,omitempty"`
 	DisableMTUDiscovery  bool       `proxy:"disable-mtu-discovery,omitempty"`
@ -171,9 +169,7 @@ func NewTuic(option TuicOption) (*Tuic, error) {
 			InsecureSkipVerify: option.SkipCertVerify,
 			MinVersion:         tls.VersionTLS13,
 		},
-		Fingerprint:    option.Fingerprint,
-		CustomCA:       option.CustomCA,
-		CustomCAString: option.CustomCAString,
+		Fingerprint: option.Fingerprint,
 	})
 	if err != nil {
 		return nil, err
--- a/component/ca/config.go
+++ b/component/ca/config.go
@ -11,7 +11,6 @@ import (
 	"sync"

 	"github.com/metacubex/mihomo/common/once"
-	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/ntp"
 )

@ -67,43 +66,19 @@ func ResetCertificate() {
 	initializeCertPool()
 }

-func GetCertPool(customCA string, customCAString string) (*x509.CertPool, error) {
-	var certificate []byte
-	var err error
-	if len(customCA) > 0 {
-		path := C.Path.Resolve(customCA)
-		if !C.Path.IsSafePath(path) {
-			return nil, C.Path.ErrNotSafePath(path)
-		}
-		certificate, err = os.ReadFile(path)
-		if err != nil {
-			return nil, fmt.Errorf("load ca error: %w", err)
-		}
-	} else if customCAString != "" {
-		certificate = []byte(customCAString)
-	}
-	if len(certificate) > 0 {
-		certPool := x509.NewCertPool()
-		if !certPool.AppendCertsFromPEM(certificate) {
-			return nil, fmt.Errorf("failed to parse certificate:\n\n %s", certificate)
-		}
-		return certPool, nil
-	} else {
-		mutex.Lock()
-		defer mutex.Unlock()
-		if globalCertPool == nil {
-			initializeCertPool()
-		}
-		return globalCertPool, nil
+func GetCertPool() *x509.CertPool {
+	mutex.Lock()
+	defer mutex.Unlock()
+	if globalCertPool == nil {
+		initializeCertPool()
 	}
+	return globalCertPool
 }

 type Option struct {
-	TLSConfig      *tls.Config
-	Fingerprint    string
-	CustomCA       string
-	CustomCAString string
-	ZeroTrust      bool
+	TLSConfig   *tls.Config
+	Fingerprint string
+	ZeroTrust   bool
 }

 func GetTLSConfig(opt Option) (tlsConfig *tls.Config, err error) {
@ -116,10 +91,7 @@ func GetTLSConfig(opt Option) (tlsConfig *tls.Config, err error) {
 	if opt.ZeroTrust {
 		tlsConfig.RootCAs = zeroTrustCertPool()
 	} else {
-		tlsConfig.RootCAs, err = GetCertPool(opt.CustomCA, opt.CustomCAString)
-		if err != nil {
-			return nil, err
-		}
+		tlsConfig.RootCAs = GetCertPool()
 	}

 	if len(opt.Fingerprint) > 0 {
--- a/docs/config.yaml
+++ b/docs/config.yaml
@ -789,8 +789,6 @@ proxies: # socks5
    # skip-cert-verify: false
    # recv-window-conn: 12582912
    # recv-window: 52428800
-    # ca: "./my.ca"
-    # ca-str: "xyz"
    # disable-mtu-discovery: false
    # fingerprint: xxxx # 配置指纹将实现 SSL Pining 效果, 可使用 openssl x509 -noout -fingerprint -sha256 -inform pem -in yourcert.pem 获取
    # fast-open: true # 支持 TCP 快速打开，默认为 false
@ -817,8 +815,6 @@ proxies: # socks5
    # fingerprint: xxxx # 配置指纹将实现 SSL Pining 效果, 可使用 openssl x509 -noout -fingerprint -sha256 -inform pem -in yourcert.pem 获取
    # alpn:
    #   - h3
-    # ca: "./my.ca"
-    # ca-str: "xyz"
    ###quic-go特殊配置项，不要随意修改除非你知道你在干什么###
    # initial-stream-receive-window： 8388608
    # max-stream-receive-window： 8388608