
Commit 25d7f39

authored
Fetch cert allow insecure (#8998)
1 parent 171ed6f commit 25d7f39

14 files changed

Lines changed: 130 additions & 10 deletions

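--- a/v2rayN/ServiceLib/Manager/CertPemManager.cs
+++ b/v2rayN/ServiceLib/Manager/CertPemManager.cs
@@ -203,7 +203,7 @@ public class CertPemManager
     /// <summary>
     /// Get certificate in PEM format from a server with CA pinning validation
     /// </summary>
-    public async Task<(string?, string?)> GetCertPemAsync(string target, string serverName, int timeout = 4)
+    public async Task<(string?, string?)> GetCertPemAsync(string target, string serverName, int timeout = 4, bool allowInsecure = false)
     {
         try
         {
@@ -215,12 +215,14 @@ public class CertPemManager
             using var client = new TcpClient();
             await client.ConnectAsync(domain, port > 0 ? port : 443, cts.Token);
 
-            await using var ssl = new SslStream(client.GetStream(), false, ValidateServerCertificate);
+            var callback = new RemoteCertificateValidationCallback((sender, certificate, chain, sslPolicyErrors) =>
+                ValidateServerCertificate(sender, certificate, chain, sslPolicyErrors, allowInsecure));
+            await using var ssl = new SslStream(client.GetStream(), false, callback);
 
             var sslOptions = new SslClientAuthenticationOptions
             {
                 TargetHost = serverName,
-                RemoteCertificateValidationCallback = ValidateServerCertificate
+                RemoteCertificateValidationCallback = callback
             };
 
             await ssl.AuthenticateAsClientAsync(sslOptions, cts.Token);
@@ -249,7 +251,7 @@ public class CertPemManager
     /// <summary>
     /// Get certificate chain in PEM format from a server with CA pinning validation
     /// </summary>
-    public async Task<(List<string>, string?)> GetCertChainPemAsync(string target, string serverName, int timeout = 4)
+    public async Task<(List<string>, string?)> GetCertChainPemAsync(string target, string serverName, int timeout = 4, bool allowInsecure = false)
     {
         var pemList = new List<string>();
         try
@@ -262,12 +264,14 @@ public class CertPemManager
             using var client = new TcpClient();
             await client.ConnectAsync(domain, port > 0 ? port : 443, cts.Token);
 
-            await using var ssl = new SslStream(client.GetStream(), false, ValidateServerCertificate);
+            var callback = new RemoteCertificateValidationCallback((sender, certificate, chain, sslPolicyErrors) =>
+                ValidateServerCertificate(sender, certificate, chain, sslPolicyErrors, allowInsecure));
+            await using var ssl = new SslStream(client.GetStream(), false, callback);
 
             var sslOptions = new SslClientAuthenticationOptions
             {
                 TargetHost = serverName,
-                RemoteCertificateValidationCallback = ValidateServerCertificate
+                RemoteCertificateValidationCallback = callback
             };
 
             await ssl.AuthenticateAsClientAsync(sslOptions, cts.Token);
@@ -300,16 +304,23 @@ public class CertPemManager
     /// Validate server certificate with CA pinning
     /// </summary>
     private bool ValidateServerCertificate(
-        object sender,
+        object _,
         X509Certificate? certificate,
         X509Chain? chain,
-        SslPolicyErrors sslPolicyErrors)
+        SslPolicyErrors sslPolicyErrors,
+        bool allowInsecure)
     {
         if (certificate == null)
         {
             return false;
         }
 
+        // In insecure mode, accept any certificate so self-signed certs can be fetched.
+        if (allowInsecure)
+        {
+            return true;
+        }
+
         // Check certificate name mismatch
         if (sslPolicyErrors.HasFlag(SslPolicyErrors.RemoteCertificateNameMismatch))
         {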
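Review bot: The `allowInsecure` early return in ValidateServerCertificate accepts any non-null certificate for any reason, which is wider than the untrusted-root case the UI label "self-signed" describes — a name mismatch against `serverName`, or a chain flagged for any other reason, also passes, and the caller gets no signal that validation was skipped. Since the fetched PEM is presumably what gets pinned afterwards, whoever sits in the path at fetch time is what ends up pinned; narrowing the bypass to chain errors keeps the name check in place: `if (allowInsecure) { return (sslPolicyErrors & ~SslPolicyErrors.RemoteCertificateChainErrors) == SslPolicyErrors.None; }`. The `<summary>` on ValidateServerCertificate still says "with CA pinning" and neither public method documents the new parameter; add `/// <param name="allowInsecure">When true, skip certificate validation so a self-signed certificate can be fetched (trust-on-first-use; MITM at fetch time is not detected).</param>` on all three. ValidateServerCertificate and GetCertChainPemAsync both continue past the hunk.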
v2rayN/ServiceLib/Resx/ResUI.Designer.cs

Lines changed: 18 additions & 0 deletions

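--- a/v2rayN/ServiceLib/Resx/ResUI.fa-Ir.resx
+++ b/v2rayN/ServiceLib/Resx/ResUI.fa-Ir.resx
@@ -1707,4 +1707,10 @@ The "Get Certificate" action may fail if a self-signed certificate is used or if
   <data name="TransportExtra" xml:space="preserve">
     <value>XHTTP Extra</value>
   </data>
+  <data name="TbAllowInsecureCertFetch" xml:space="preserve">
+    <value>Allow insecure cert fetch (self-signed)</value>
+  </data>
+  <data name="TbAllowInsecureCertFetchTips" xml:space="preserve">
+    <value>Only for fetching self-signed certificates. This may expose you to MITM risks.</value>
+  </data>
 </root>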
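--- a/v2rayN/ServiceLib/Resx/ResUI.fr.resx
+++ b/v2rayN/ServiceLib/Resx/ResUI.fr.resx
@@ -1710,4 +1710,10 @@ The "Get Certificate" action may fail if a self-signed certificate is used or if
   <data name="TransportExtra" xml:space="preserve">
     <value>XHTTP Extra</value>
   </data>
+  <data name="TbAllowInsecureCertFetch" xml:space="preserve">
+    <value>Allow insecure cert fetch (self-signed)</value>
+  </data>
+  <data name="TbAllowInsecureCertFetchTips" xml:space="preserve">
+    <value>Only for fetching self-signed certificates. This may expose you to MITM risks.</value>
+  </data>
 </root>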
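--- a/v2rayN/ServiceLib/Resx/ResUI.hu.resx
+++ b/v2rayN/ServiceLib/Resx/ResUI.hu.resx
@@ -1707,4 +1707,10 @@ The "Get Certificate" action may fail if a self-signed certificate is used or if
   <data name="TransportExtra" xml:space="preserve">
     <value>XHTTP Extra</value>
   </data>
+  <data name="TbAllowInsecureCertFetch" xml:space="preserve">
+    <value>Allow insecure cert fetch (self-signed)</value>
+  </data>
+  <data name="TbAllowInsecureCertFetchTips" xml:space="preserve">
+    <value>Only for fetching self-signed certificates. This may expose you to MITM risks.</value>
+  </data>
 </root>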
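--- a/v2rayN/ServiceLib/Resx/ResUI.resx
+++ b/v2rayN/ServiceLib/Resx/ResUI.resx
@@ -1713,4 +1713,10 @@ The "Get Certificate" action may fail if a self-signed certificate is used or if
   <data name="TransportExtra" xml:space="preserve">
     <value>XHTTP Extra</value>
   </data>
+  <data name="TbAllowInsecureCertFetch" xml:space="preserve">
+    <value>Allow insecure cert fetch (self-signed)</value>
+  </data>
+  <data name="TbAllowInsecureCertFetchTips" xml:space="preserve">
+    <value>Only for fetching self-signed certificates. This may expose you to MITM risks.</value>
+  </data>
 </root>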
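--- a/v2rayN/ServiceLib/Resx/ResUI.ru.resx
+++ b/v2rayN/ServiceLib/Resx/ResUI.ru.resx
@@ -1707,4 +1707,10 @@
   <data name="TransportExtra" xml:space="preserve">
     <value>XHTTP Extra</value>
   </data>
+  <data name="TbAllowInsecureCertFetch" xml:space="preserve">
+    <value>Allow insecure cert fetch (self-signed)</value>
+  </data>
+  <data name="TbAllowInsecureCertFetchTips" xml:space="preserve">
+    <value>Only for fetching self-signed certificates. This may expose you to MITM risks.</value>
+  </data>
 </root>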
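--- a/v2rayN/ServiceLib/Resx/ResUI.zh-Hans.resx
+++ b/v2rayN/ServiceLib/Resx/ResUI.zh-Hans.resx
@@ -1710,4 +1710,10 @@
   <data name="TransportExtra" xml:space="preserve">
     <value>XHTTP Extra</value>
   </data>
+  <data name="TbAllowInsecureCertFetch" xml:space="preserve">
+    <value>允许不安全获取证书(自签名)</value>
+  </data>
+  <data name="TbAllowInsecureCertFetchTips" xml:space="preserve">
+    <value>仅用于抓取自签证书,存在中间人风险。</value>
+  </data>
 </root>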
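--- a/v2rayN/ServiceLib/Resx/ResUI.zh-Hant.resx
+++ b/v2rayN/ServiceLib/Resx/ResUI.zh-Hant.resx
@@ -1704,4 +1704,10 @@
   <data name="TransportExtra" xml:space="preserve">
     <value>XHTTP Extra</value>
   </data>
+  <data name="TbAllowInsecureCertFetch" xml:space="preserve">
+    <value>允許不安全獲取證書(自簽名)</value>
+  </data>
+  <data name="TbAllowInsecureCertFetchTips" xml:space="preserve">
+    <value>僅用於抓取自簽證書,存在中間人風險。</value>
+  </data>
 </root>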
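--- a/v2rayN/ServiceLib/ViewModels/AddServerViewModel.cs
+++ b/v2rayN/ServiceLib/ViewModels/AddServerViewModel.cs
@@ -17,6 +17,9 @@ public class AddServerViewModel : MyReactiveObject
     [Reactive]
     public string CertSha { get; set; }
 
+    [Reactive]
+    public bool AllowInsecureCertFetch { get; set; }
+
     [Reactive]
     public string SalamanderPass { get; set; }
 
@@ -468,7 +471,7 @@ private async Task FetchCert()
             domain += $":{SelectedSource.Port}";
         }
 
-        (Cert, var certError) = await CertPemManager.Instance.GetCertPemAsync(domain, serverName);
+        (Cert, var certError) = await CertPemManager.Instance.GetCertPemAsync(domain, serverName, allowInsecure: AllowInsecureCertFetch);
         UpdateCertTip(certError);
     }
 
@@ -493,7 +496,7 @@ private async Task FetchCertChain()
             domain += $":{SelectedSource.Port}";
         }
 
-        var (certs, certError) = await CertPemManager.Instance.GetCertChainPemAsync(domain, serverName);
+        var (certs, certError) = await CertPemManager.Instance.GetCertChainPemAsync(domain, serverName, allowInsecure: AllowInsecureCertFetch);
         Cert = CertPemManager.ConcatenatePemChain(certs);
         UpdateCertTip(certError);
     }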
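Review bot: AllowInsecureCertFetch is forwarded to both fetches in FetchCert and FetchCertChain, but nothing afterwards records that the resulting Cert was obtained without validation — `UpdateCertTip(certError)` presumably gets a null error on a successful insecure fetch, so an unvalidated certificate is displayed exactly like a validated one. Consider surfacing the skipped validation in the tip (for instance passing a warning string to UpdateCertTip when `AllowInsecureCertFetch` is true) and resetting the toggle after a fetch so it does not stay armed for the next server the user adds; I cannot see UpdateCertTip from here, so the exact form depends on its signature. Both methods begin outside the hunk.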