feat: remove ca and ca-str in hy1/hy2/tuic outbound, using fingerprint instead

adapter/outbound/hysteria.go

@@ -126,8 +126,6 @@ type HysteriaOption struct {
 	SkipCertVerify      bool       `proxy:"skip-cert-verify,omitempty"`
 	Fingerprint         string     `proxy:"fingerprint,omitempty"`
 	ALPN                []string   `proxy:"alpn,omitempty"`
-	CustomCA            string     `proxy:"ca,omitempty"`
-	CustomCAString      string     `proxy:"ca-str,omitempty"`
 	ReceiveWindowConn   int        `proxy:"recv-window-conn,omitempty"`
 	ReceiveWindow       int        `proxy:"recv-window,omitempty"`
 	DisableMTUDiscovery bool       `proxy:"disable-mtu-discovery,omitempty"`
@@ -166,9 +164,7 @@ func NewHysteria(option HysteriaOption) (*Hysteria, error) {
 			InsecureSkipVerify: option.SkipCertVerify,
 			MinVersion:         tls.VersionTLS13,
 		},
-		Fingerprint:    option.Fingerprint,
+		Fingerprint: option.Fingerprint,
-		CustomCA:       option.CustomCA,
-		CustomCAString: option.CustomCAString,
 	})
 	if err != nil {
 		return nil, err

adapter/outbound/hysteria2.go

@@ -56,8 +56,6 @@ type Hysteria2Option struct {
 	SkipCertVerify bool       `proxy:"skip-cert-verify,omitempty"`
 	Fingerprint    string     `proxy:"fingerprint,omitempty"`
 	ALPN           []string   `proxy:"alpn,omitempty"`
-	CustomCA       string     `proxy:"ca,omitempty"`
-	CustomCAString string     `proxy:"ca-str,omitempty"`
 	CWND           int        `proxy:"cwnd,omitempty"`
 	UdpMTU         int        `proxy:"udp-mtu,omitempty"`
 
@@ -147,9 +145,7 @@ func NewHysteria2(option Hysteria2Option) (*Hysteria2, error) {
 			InsecureSkipVerify: option.SkipCertVerify,
 			MinVersion:         tls.VersionTLS13,
 		},
-		Fingerprint:    option.Fingerprint,
+		Fingerprint: option.Fingerprint,
-		CustomCA:       option.CustomCA,
-		CustomCAString: option.CustomCAString,
 	})
 	if err != nil {
 		return nil, err

adapter/outbound/tuic.go

@@ -55,8 +55,6 @@ type TuicOption struct {
 	CWND                 int        `proxy:"cwnd,omitempty"`
 	SkipCertVerify       bool       `proxy:"skip-cert-verify,omitempty"`
 	Fingerprint          string     `proxy:"fingerprint,omitempty"`
-	CustomCA             string     `proxy:"ca,omitempty"`
-	CustomCAString       string     `proxy:"ca-str,omitempty"`
 	ReceiveWindowConn    int        `proxy:"recv-window-conn,omitempty"`
 	ReceiveWindow        int        `proxy:"recv-window,omitempty"`
 	DisableMTUDiscovery  bool       `proxy:"disable-mtu-discovery,omitempty"`
@@ -171,9 +169,7 @@ func NewTuic(option TuicOption) (*Tuic, error) {
 			InsecureSkipVerify: option.SkipCertVerify,
 			MinVersion:         tls.VersionTLS13,
 		},
-		Fingerprint:    option.Fingerprint,
+		Fingerprint: option.Fingerprint,
-		CustomCA:       option.CustomCA,
-		CustomCAString: option.CustomCAString,
 	})
 	if err != nil {
 		return nil, err

component/ca/config.go

@@ -11,7 +11,6 @@ import (
 	"sync"
 
 	"github.com/metacubex/mihomo/common/once"
-	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/ntp"
 )
 
@@ -67,43 +66,19 @@ func ResetCertificate() {
 	initializeCertPool()
 }
 
-func GetCertPool(customCA string, customCAString string) (*x509.CertPool, error) {
+func GetCertPool() *x509.CertPool {
-	var certificate []byte
+	mutex.Lock()
-	var err error
+	defer mutex.Unlock()
-	if len(customCA) > 0 {
+	if globalCertPool == nil {
-		path := C.Path.Resolve(customCA)
+		initializeCertPool()
-		if !C.Path.IsSafePath(path) {
-			return nil, C.Path.ErrNotSafePath(path)
-		}
-		certificate, err = os.ReadFile(path)
-		if err != nil {
-			return nil, fmt.Errorf("load ca error: %w", err)
-		}
-	} else if customCAString != "" {
-		certificate = []byte(customCAString)
-	}
-	if len(certificate) > 0 {
-		certPool := x509.NewCertPool()
-		if !certPool.AppendCertsFromPEM(certificate) {
-			return nil, fmt.Errorf("failed to parse certificate:\n\n %s", certificate)
-		}
-		return certPool, nil
-	} else {
-		mutex.Lock()
-		defer mutex.Unlock()
-		if globalCertPool == nil {
-			initializeCertPool()
-		}
-		return globalCertPool, nil
 	}
+	return globalCertPool
 }
 
 type Option struct {
-	TLSConfig      *tls.Config
+	TLSConfig   *tls.Config
-	Fingerprint    string
+	Fingerprint string
-	CustomCA       string
+	ZeroTrust   bool
-	CustomCAString string
-	ZeroTrust      bool
 }
 
 func GetTLSConfig(opt Option) (tlsConfig *tls.Config, err error) {
@@ -116,10 +91,7 @@ func GetTLSConfig(opt Option) (tlsConfig *tls.Config, err error) {
 	if opt.ZeroTrust {
 		tlsConfig.RootCAs = zeroTrustCertPool()
 	} else {
-		tlsConfig.RootCAs, err = GetCertPool(opt.CustomCA, opt.CustomCAString)
+		tlsConfig.RootCAs = GetCertPool()
-		if err != nil {
-			return nil, err
-		}
 	}
 
 	if len(opt.Fingerprint) > 0 {

docs/config.yaml

@@ -789,8 +789,6 @@ proxies: # socks5
     # skip-cert-verify: false
     # recv-window-conn: 12582912
     # recv-window: 52428800
-    # ca: "./my.ca"
-    # ca-str: "xyz"
     # disable-mtu-discovery: false
     # fingerprint: xxxx # 配置指纹将实现 SSL Pining 效果, 可使用 openssl x509 -noout -fingerprint -sha256 -inform pem -in yourcert.pem 获取
     # fast-open: true # 支持 TCP 快速打开，默认为 false
@@ -817,8 +815,6 @@ proxies: # socks5
     # fingerprint: xxxx # 配置指纹将实现 SSL Pining 效果, 可使用 openssl x509 -noout -fingerprint -sha256 -inform pem -in yourcert.pem 获取
     # alpn:
     #   - h3
-    # ca: "./my.ca"
-    # ca-str: "xyz"
     ###quic-go特殊配置项，不要随意修改除非你知道你在干什么###
     # initial-stream-receive-window： 8388608
     # max-stream-receive-window： 8388608