Commands: Print leaf cert's SHA256 in tls ping (#5628)

And https://github.com/XTLS/Xray-core/pull/5628#issuecomment-3828445442 --------- Co-authored-by: RPRX <63339210+RPRX@users.noreply.github.com>
2026-05-08 14:13:22 +00:00 · 2026-01-31 21:11:36 +08:00
parent 2c92339f95
commit afcfdbca70
2 changed files with 6 additions and 19 deletions
--- a/infra/conf/transport_internet.go
+++ b/infra/conf/transport_internet.go
@@ -639,10 +639,14 @@ func (c *TLSConfig) Build() (proto.Message, error) {
 			if v == "" {
 				continue
 			}
-			hashValue, err := hex.DecodeString(v)
+			// remove colons for OpenSSL format
+			hashValue, err := hex.DecodeString(strings.ReplaceAll(v, ":", ""))
 			if err != nil {
 				return nil, err
 			}
+			if len(hashValue) != 32 {
+				return nil, errors.New("incorrect pinnedPeerCertSha256 length: ", v)
+			}
 			config.PinnedPeerCertSha256 = append(config.PinnedPeerCertSha256, hashValue)
 		}
 	}
--- a/main/commands/all/tls/ping.go
+++ b/main/commands/all/tls/ping.go
@@ -75,8 +75,6 @@ func executePing(cmd *base.Command, args []string) {
 			NextProtos:         []string{"h2", "http/1.1"},
 			MaxVersion:         gotls.VersionTLS13,
 			MinVersion:         gotls.VersionTLS12,
-			// Do not release tool before v5's refactor
-			// VerifyPeerCertificate: showCert(),
 		})
 		err = tlsConn.Handshake()
 		if err != nil {
@@ -101,8 +99,6 @@ func executePing(cmd *base.Command, args []string) {
 			NextProtos: []string{"h2", "http/1.1"},
 			MaxVersion: gotls.VersionTLS13,
 			MinVersion: gotls.VersionTLS12,
-			// Do not release tool before v5's refactor
-			// VerifyPeerCertificate: showCert(),
 		})
 		err = tlsConn.Handshake()
 		if err != nil {
@@ -133,6 +129,7 @@ func printCertificates(certs []*x509.Certificate) {
 		fmt.Println("Cert's signature algorithm: ", leaf.SignatureAlgorithm.String())
 		fmt.Println("Cert's publicKey algorithm: ", leaf.PublicKeyAlgorithm.String())
 		fmt.Println("Cert's allowed domains: ", leaf.DNSNames)
+		fmt.Println("Cert's leaf SHA256: ", hex.EncodeToString(GenerateCertHash(leaf)))
 	}
 }

@@ -153,17 +150,3 @@ func printTLSConnDetail(tlsConn *gotls.Conn) {
 		fmt.Println("TLS Post-Quantum key exchange:  false (RSA Exchange)")
 	}
 }
-
-func showCert() func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
-	return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
-		var hash []byte
-		for _, asn1Data := range rawCerts {
-			cert, _ := x509.ParseCertificate(asn1Data)
-			if cert.IsCA {
-				hash = GenerateCertHash(cert)
-			}
-		}
-		fmt.Println("Certificate Leaf Hash: ", hex.EncodeToString(hash))
-		return nil
-	}
-}