mirror of
https://github.com/XTLS/Xray-core.git
synced 2026-07-11 06:08:39 +00:00
TLS client: Pinning CA must have serverName (or higher-priority verifyPeerCertByName or outbound's address) for pinnedPeerCertSha256 (#6472)
Fixes https://github.com/XTLS/Xray-core/security/advisories/GHSA-5wf9-h793-w73c
This commit is contained in:
@@ -136,10 +136,7 @@ func getGrpcClient(ctx context.Context, dest net.Destination, streamSettings *in
|
||||
}
|
||||
|
||||
if tlsConfig != nil {
|
||||
config := tlsConfig.GetTLSConfig()
|
||||
if config.ServerName == "" && address.Family().IsDomain() {
|
||||
config.ServerName = address.Domain()
|
||||
}
|
||||
config := tlsConfig.GetTLSConfig(tls.WithDestination(dest))
|
||||
if fingerprint := tls.GetFingerprint(tlsConfig.Fingerprint); fingerprint != nil {
|
||||
return tls.UClient(c, config, fingerprint), nil
|
||||
} else { // Fallback to normal gRPC TLS
|
||||
|
||||
@@ -345,7 +345,7 @@ func Dial(ctx context.Context, dest net.Destination, streamSettings *internet.Me
|
||||
c = &client{
|
||||
dest: dest,
|
||||
config: streamSettings.ProtocolSettings.(*Config),
|
||||
tlsConfig: tlsConfig.GetTLSConfig(),
|
||||
tlsConfig: tlsConfig.GetTLSConfig(tls.WithDestination(dest)),
|
||||
socketConfig: streamSettings.SocketSettings,
|
||||
udpmaskManager: streamSettings.UdpmaskManager,
|
||||
quicParams: streamSettings.QuicParams,
|
||||
|
||||
@@ -331,6 +331,9 @@ func (r *RandCarrier) verifyPeerCert(rawCerts [][]byte, verifiedChains [][]*x509
|
||||
}
|
||||
|
||||
if verifyResult == foundCA { // if found CA, we need to verify here
|
||||
if len(r.Config.ServerName) == 0 {
|
||||
return errors.New("Pinning CA needs a valid ServerName")
|
||||
}
|
||||
opts := x509.VerifyOptions{
|
||||
Roots: CAs,
|
||||
CurrentTime: time.Now(),
|
||||
|
||||
Reference in New Issue
Block a user