chore: add custom ca trust

2024-11-14 21:31:16 +08:00 · 2023-02-25 22:01:20 +08:00 · 2023-02-25 22:01:20 +08:00 · f565edd76d
commit f565edd76d
parent a3b8c9c233
4 changed files with 28 additions and 42 deletions
--- a/component/tls/config.go
+++ b/component/tls/config.go
@ -11,31 +11,30 @@ import (
 	"strings"
 	"sync"

-	CN "github.com/Dreamacro/clash/common/net"
-
 	xtls "github.com/xtls/go"
 )

-var tlsCertificates = make([]tls.Certificate, 0)
+var trustCert,_ = x509.SystemCertPool()

 var mutex sync.RWMutex
 var errNotMacth error = errors.New("certificate fingerprints do not match")

-func AddCertificate(privateKey, certificate string) error {
+func AddCertificate(certificate string) error {
 	mutex.Lock()
 	defer mutex.Unlock()
-	if cert, err := CN.ParseCert(certificate, privateKey); err != nil {
-		return err
-	} else {
-		tlsCertificates = append(tlsCertificates, cert)
+	if certificate == "" {
+		return fmt.Errorf("certificate is empty")
+	}
+	if ok := trustCert.AppendCertsFromPEM([]byte(certificate)); !ok {
+		return fmt.Errorf("add certificate failed")
 	}
 	return nil
 }

-func GetCertificates() []tls.Certificate {
-	mutex.RLock()
-	defer mutex.RUnlock()
-	return tlsCertificates
+func ResetCertificate(){
+	mutex.Lock()
+	defer mutex.Unlock()
+	trustCert,_=x509.SystemCertPool()
 }

 func verifyFingerprint(fingerprint *[32]byte) func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
@ -87,10 +86,10 @@ func GetSpecifiedFingerprintTLSConfig(tlsConfig *tls.Config, fingerprint string)
 func GetGlobalTLSConfig(tlsConfig *tls.Config) *tls.Config {
 	if tlsConfig == nil {
 		return &tls.Config{
-			Certificates: tlsCertificates,
+			RootCAs: trustCert,
 		}
 	}
-	tlsConfig.Certificates = append(tlsConfig.Certificates, tlsCertificates...)
+	tlsConfig.RootCAs = trustCert
 	return tlsConfig
 }

@ -107,29 +106,12 @@ func GetSpecifiedFingerprintXTLSConfig(tlsConfig *xtls.Config, fingerprint strin
 }

 func GetGlobalXTLSConfig(tlsConfig *xtls.Config) *xtls.Config {
-	xtlsCerts := make([]xtls.Certificate, len(tlsCertificates))
-	for _, cert := range tlsCertificates {
-		tlsSsaList := make([]xtls.SignatureScheme, len(cert.SupportedSignatureAlgorithms))
-		for _, ssa := range cert.SupportedSignatureAlgorithms {
-			tlsSsa := xtls.SignatureScheme(ssa)
-			tlsSsaList = append(tlsSsaList, tlsSsa)
-		}
-		xtlsCert := xtls.Certificate{
-			Certificate:                  cert.Certificate,
-			PrivateKey:                   cert.PrivateKey,
-			OCSPStaple:                   cert.OCSPStaple,
-			SignedCertificateTimestamps:  cert.SignedCertificateTimestamps,
-			Leaf:                         cert.Leaf,
-			SupportedSignatureAlgorithms: tlsSsaList,
-		}
-		xtlsCerts = append(xtlsCerts, xtlsCert)
-	}
 	if tlsConfig == nil {
 		return &xtls.Config{
-			Certificates: xtlsCerts,
+			RootCAs: trustCert,
 		}
 	}

-	tlsConfig.Certificates = xtlsCerts
+	tlsConfig.RootCAs = trustCert
 	return tlsConfig
 }
--- a/config/config.go
+++ b/config/config.go
@ -120,13 +120,9 @@ type Profile struct {
 }

 type TLS struct {
-	RawCert         `yaml:",inline"`
-	CustomTrustCert []RawCert `yaml:"custom-certifactes"`
-}
-
-type RawCert struct {
-	Certificate string `yaml:"certificate"`
-	PrivateKey  string `yaml:"private-key"`
+	Certificate     string   `yaml:"certificate"`
+	PrivateKey      string   `yaml:"private-key"`
+	CustomTrustCert []string `yaml:"custom-certifactes"`
 }

 // IPTables config
@ -447,6 +443,7 @@ func ParseRawConfig(rawCfg *RawConfig) (*Config, error) {
 	}
 	config.General = general

+	dialer.DefaultInterface.Store(config.General.Interface)
 	proxies, providers, err := parseProxies(rawCfg)
 	if err != nil {
 		return nil, err
--- a/docs/config.yaml
+++ b/docs/config.yaml
@ -30,6 +30,11 @@ ipv6: true # 开启 IPv6 总开关，关闭阻断所有 IPv6 链接和屏蔽 DNS
 tls:
  certificate: string # 证书 PEM 格式，或者 证书的路径
  private-key: string # 证书对应的私钥 PEM 格式，或者私钥路径
+  custom-certifactes:
+    - |
+      -----BEGIN CERTIFICATE-----
+      format/pem...
+      -----END CERTIFICATE-----

 external-controller: 0.0.0.0:9093 # RESTful API 监听地址
 external-controller-tls: 0.0.0.0:9443 # RESTful API HTTPS 监听地址，需要配置 tls 部分配置文件
--- a/hub/executor/executor.go
+++ b/hub/executor/executor.go
@ -169,9 +169,11 @@ func updateExperimental(c *config.Config) {
 }

 func preUpdateExperimental(c *config.Config) {
-	CTLS.AddCertificate(c.TLS.PrivateKey, c.TLS.Certificate)
+	CTLS.ResetCertificate()
 	for _, c := range c.TLS.CustomTrustCert {
-		CTLS.AddCertificate(c.PrivateKey, c.Certificate)
+		if err := CTLS.AddCertificate(c); err != nil {
+			log.Warnln("%s\nadd error: %s", c, err.Error())
+		}
 	}
 }