TLS config: allowInsecure->pinnedPeerCertSha256; verifyPeerCertInNames->verifyPeerCertByName

And use `,` as the separator instead of `~`/array

https://github.com/XTLS/Xray-core/pull/5567#issuecomment-3766081805
https://t.me/projectXtls/1464
https://t.me/projectXtls/1465
https://t.me/projectXtls/1466
https://github.com/XTLS/Xray-core/pull/5625#issuecomment-3824855736
RPRX
2026-01-30 22:15:46 +00:00
parent 9c46a2d55a
commit 2c92339f95
13 changed files with 177 additions and 226 deletions


@@ -36,6 +36,8 @@ func TestSimpleTLSConnection(t *testing.T) {
common.Must(err)
defer tcpServer.Close()
ct, ctHash := cert.MustGenerate(nil, cert.CommonName("localhost"))
userID := protocol.NewID(uuid.New())
serverPort := tcp.PickPort()
serverConfig := &core.Config{
@@ -48,7 +50,7 @@ func TestSimpleTLSConnection(t *testing.T) {
SecurityType: serial.GetMessageType(&tls.Config{}),
SecuritySettings: []*serial.TypedMessage{
serial.ToTypedMessage(&tls.Config{
Certificate: []*tls.Certificate{tls.ParseCertificate(cert.MustGenerate(nil))},
Certificate: []*tls.Certificate{tls.ParseCertificate(ct)},
}),
},
},
@@ -104,7 +106,7 @@ func TestSimpleTLSConnection(t *testing.T) {
SecurityType: serial.GetMessageType(&tls.Config{}),
SecuritySettings: []*serial.TypedMessage{
serial.ToTypedMessage(&tls.Config{
AllowInsecure: true,
PinnedPeerCertSha256: [][]byte{ctHash[:]},
}),
},
},
@@ -247,6 +249,8 @@ func TestTLSOverKCP(t *testing.T) {
common.Must(err)
defer tcpServer.Close()
ct, ctHash := cert.MustGenerate(nil, cert.CommonName("localhost"))
userID := protocol.NewID(uuid.New())
serverPort := udp.PickPort()
serverConfig := &core.Config{
@@ -260,7 +264,7 @@ func TestTLSOverKCP(t *testing.T) {
SecurityType: serial.GetMessageType(&tls.Config{}),
SecuritySettings: []*serial.TypedMessage{
serial.ToTypedMessage(&tls.Config{
Certificate: []*tls.Certificate{tls.ParseCertificate(cert.MustGenerate(nil))},
Certificate: []*tls.Certificate{tls.ParseCertificate(ct)},
}),
},
},
@@ -317,7 +321,7 @@ func TestTLSOverKCP(t *testing.T) {
SecurityType: serial.GetMessageType(&tls.Config{}),
SecuritySettings: []*serial.TypedMessage{
serial.ToTypedMessage(&tls.Config{
AllowInsecure: true,
PinnedPeerCertSha256: [][]byte{ctHash[:]},
}),
},
},
@@ -343,6 +347,8 @@ func TestTLSOverWebSocket(t *testing.T) {
common.Must(err)
defer tcpServer.Close()
ct, ctHash := cert.MustGenerate(nil, cert.CommonName("localhost"))
userID := protocol.NewID(uuid.New())
serverPort := tcp.PickPort()
serverConfig := &core.Config{
@@ -356,7 +362,7 @@ func TestTLSOverWebSocket(t *testing.T) {
SecurityType: serial.GetMessageType(&tls.Config{}),
SecuritySettings: []*serial.TypedMessage{
serial.ToTypedMessage(&tls.Config{
Certificate: []*tls.Certificate{tls.ParseCertificate(cert.MustGenerate(nil))},
Certificate: []*tls.Certificate{tls.ParseCertificate(ct)},
}),
},
},
@@ -419,7 +425,7 @@ func TestTLSOverWebSocket(t *testing.T) {
SecurityType: serial.GetMessageType(&tls.Config{}),
SecuritySettings: []*serial.TypedMessage{
serial.ToTypedMessage(&tls.Config{
AllowInsecure: true,
PinnedPeerCertSha256: [][]byte{ctHash[:]},
}),
},
},
@@ -449,6 +455,8 @@ func TestGRPC(t *testing.T) {
common.Must(err)
defer tcpServer.Close()
ct, ctHash := cert.MustGenerate(nil, cert.CommonName("localhost"))
userID := protocol.NewID(uuid.New())
serverPort := tcp.PickPort()
serverConfig := &core.Config{
@@ -468,7 +476,7 @@ func TestGRPC(t *testing.T) {
SecurityType: serial.GetMessageType(&tls.Config{}),
SecuritySettings: []*serial.TypedMessage{
serial.ToTypedMessage(&tls.Config{
Certificate: []*tls.Certificate{tls.ParseCertificate(cert.MustGenerate(nil))},
Certificate: []*tls.Certificate{tls.ParseCertificate(ct)},
}),
},
},
@@ -531,7 +539,7 @@ func TestGRPC(t *testing.T) {
SecurityType: serial.GetMessageType(&tls.Config{}),
SecuritySettings: []*serial.TypedMessage{
serial.ToTypedMessage(&tls.Config{
AllowInsecure: true,
PinnedPeerCertSha256: [][]byte{ctHash[:]},
}),
},
},
@@ -561,6 +569,8 @@ func TestGRPCMultiMode(t *testing.T) {
common.Must(err)
defer tcpServer.Close()
ct, ctHash := cert.MustGenerate(nil, cert.CommonName("localhost"))
userID := protocol.NewID(uuid.New())
serverPort := tcp.PickPort()
serverConfig := &core.Config{
@@ -580,7 +590,7 @@ func TestGRPCMultiMode(t *testing.T) {
SecurityType: serial.GetMessageType(&tls.Config{}),
SecuritySettings: []*serial.TypedMessage{
serial.ToTypedMessage(&tls.Config{
Certificate: []*tls.Certificate{tls.ParseCertificate(cert.MustGenerate(nil))},
Certificate: []*tls.Certificate{tls.ParseCertificate(ct)},
}),
},
},
@@ -643,7 +653,7 @@ func TestGRPCMultiMode(t *testing.T) {
SecurityType: serial.GetMessageType(&tls.Config{}),
SecuritySettings: []*serial.TypedMessage{
serial.ToTypedMessage(&tls.Config{
AllowInsecure: true,
PinnedPeerCertSha256: [][]byte{ctHash[:]},
}),
},
},
@@ -672,7 +682,7 @@ func TestSimpleTLSConnectionPinned(t *testing.T) {
dest, err := tcpServer.Start()
common.Must(err)
defer tcpServer.Close()
certificateDer := cert.MustGenerate(nil)
certificateDer, _ := cert.MustGenerate(nil)
certificate := tls.ParseCertificate(certificateDer)
certHash := tls.GenerateCertHash(certificateDer.Certificate)
userID := protocol.NewID(uuid.New())
@@ -743,7 +753,6 @@ func TestSimpleTLSConnectionPinned(t *testing.T) {
SecurityType: serial.GetMessageType(&tls.Config{}),
SecuritySettings: []*serial.TypedMessage{
serial.ToTypedMessage(&tls.Config{
AllowInsecure: true,
PinnedPeerCertSha256: [][]byte{certHash},
}),
},
@@ -769,7 +778,7 @@ func TestSimpleTLSConnectionPinnedWrongCert(t *testing.T) {
dest, err := tcpServer.Start()
common.Must(err)
defer tcpServer.Close()
certificateDer := cert.MustGenerate(nil)
certificateDer, _ := cert.MustGenerate(nil)
certificate := tls.ParseCertificate(certificateDer)
certHash := tls.GenerateCertHash(certificateDer.Certificate)
certHash[1] += 1
@@ -841,7 +850,6 @@ func TestSimpleTLSConnectionPinnedWrongCert(t *testing.T) {
SecurityType: serial.GetMessageType(&tls.Config{}),
SecuritySettings: []*serial.TypedMessage{
serial.ToTypedMessage(&tls.Config{
AllowInsecure: true,
PinnedPeerCertSha256: [][]byte{certHash},
}),
},
@@ -867,7 +875,7 @@ func TestUTLSConnectionPinned(t *testing.T) {
dest, err := tcpServer.Start()
common.Must(err)
defer tcpServer.Close()
certificateDer := cert.MustGenerate(nil)
certificateDer, _ := cert.MustGenerate(nil)
certificate := tls.ParseCertificate(certificateDer)
certHash := tls.GenerateCertHash(certificateDer.Certificate)
userID := protocol.NewID(uuid.New())
@@ -939,7 +947,6 @@ func TestUTLSConnectionPinned(t *testing.T) {
SecuritySettings: []*serial.TypedMessage{
serial.ToTypedMessage(&tls.Config{
Fingerprint: "random",
AllowInsecure: true,
PinnedPeerCertSha256: [][]byte{certHash},
}),
},
@@ -965,7 +972,7 @@ func TestUTLSConnectionPinnedWrongCert(t *testing.T) {
dest, err := tcpServer.Start()
common.Must(err)
defer tcpServer.Close()
certificateDer := cert.MustGenerate(nil)
certificateDer, _ := cert.MustGenerate(nil)
certificate := tls.ParseCertificate(certificateDer)
certHash := tls.GenerateCertHash(certificateDer.Certificate)
certHash[1] += 1
@@ -1038,7 +1045,6 @@ func TestUTLSConnectionPinnedWrongCert(t *testing.T) {
SecuritySettings: []*serial.TypedMessage{
serial.ToTypedMessage(&tls.Config{
Fingerprint: "random",
AllowInsecure: true,
PinnedPeerCertSha256: [][]byte{certHash},
}),
},
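Review bot: The five connection tests now take the digest from the second return of `cert.MustGenerate` and pass it as `ctHash[:]`, while the four Pinned tests (hunks at -672, -769, -867 and -965) discard that value with `_` and recompute it through `tls.GenerateCertHash(certificateDer.Certificate)`, so the same pin is derived two different ways in one file. If both helpers yield the same SHA-256 (the field name `PinnedPeerCertSha256` suggests so, but both helpers are outside this diff), the Pinned tests could read `certificateDer, certHashArr := cert.MustGenerate(nil)` followed by `certHash := certHashArr[:]`, which keeps the later `certHash[1] += 1` mutation working and drops the blank identifier; if the two digests differ on purpose, a one-line comment stating which digest the pinning compares against would save the next reader that check. It would also help to say in a comment on the first hunk (-36) why `cert.CommonName("localhost")` is now passed to the server certificate, presumably because name verification is no longer bypassed once `AllowInsecure` is gone. Each of these test functions begins and ends outside the hunks shown.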