TLS client: Pinning CA must have serverName (or higher-priority verifyPeerCertByName or outbound's address) for pinnedPeerCertSha256 (#6472)

Fixes https://github.com/XTLS/Xray-core/security/advisories/GHSA-5wf9-h793-w73c
This commit is contained in:
风扇滑翔翼
2026-07-11 05:03:35 +08:00
committed by GitHub
parent 0bafca9486
commit 64fada32b5
3 changed files with 5 additions and 5 deletions
+1 -4
View File
@@ -136,10 +136,7 @@ func getGrpcClient(ctx context.Context, dest net.Destination, streamSettings *in
}
if tlsConfig != nil {
config := tlsConfig.GetTLSConfig()
if config.ServerName == "" && address.Family().IsDomain() {
config.ServerName = address.Domain()
}
config := tlsConfig.GetTLSConfig(tls.WithDestination(dest))
if fingerprint := tls.GetFingerprint(tlsConfig.Fingerprint); fingerprint != nil {
return tls.UClient(c, config, fingerprint), nil
} else { // Fallback to normal gRPC TLS
+1 -1
View File
@@ -345,7 +345,7 @@ func Dial(ctx context.Context, dest net.Destination, streamSettings *internet.Me
c = &client{
dest: dest,
config: streamSettings.ProtocolSettings.(*Config),
tlsConfig: tlsConfig.GetTLSConfig(),
tlsConfig: tlsConfig.GetTLSConfig(tls.WithDestination(dest)),
socketConfig: streamSettings.SocketSettings,
udpmaskManager: streamSettings.UdpmaskManager,
quicParams: streamSettings.QuicParams,
+3
View File
@@ -331,6 +331,9 @@ func (r *RandCarrier) verifyPeerCert(rawCerts [][]byte, verifiedChains [][]*x509
}
if verifyResult == foundCA { // if found CA, we need to verify here
if len(r.Config.ServerName) == 0 {
return errors.New("Pinning CA needs a valid ServerName")
}
opts := x509.VerifyOptions{
Roots: CAs,
CurrentTime: time.Now(),