mirror of
https://github.com/XTLS/Xray-core.git
synced 2026-07-13 15:18:51 +00:00
TLS client: Pinning CA must have serverName (or higher-priority verifyPeerCertByName or outbound's address) for pinnedPeerCertSha256 (#6472)
Fixes https://github.com/XTLS/Xray-core/security/advisories/GHSA-5wf9-h793-w73c
This commit is contained in:
@@ -136,10 +136,7 @@ func getGrpcClient(ctx context.Context, dest net.Destination, streamSettings *in
|
|||||||
}
|
}
|
||||||
|
|
||||||
if tlsConfig != nil {
|
if tlsConfig != nil {
|
||||||
config := tlsConfig.GetTLSConfig()
|
config := tlsConfig.GetTLSConfig(tls.WithDestination(dest))
|
||||||
if config.ServerName == "" && address.Family().IsDomain() {
|
|
||||||
config.ServerName = address.Domain()
|
|
||||||
}
|
|
||||||
if fingerprint := tls.GetFingerprint(tlsConfig.Fingerprint); fingerprint != nil {
|
if fingerprint := tls.GetFingerprint(tlsConfig.Fingerprint); fingerprint != nil {
|
||||||
return tls.UClient(c, config, fingerprint), nil
|
return tls.UClient(c, config, fingerprint), nil
|
||||||
} else { // Fallback to normal gRPC TLS
|
} else { // Fallback to normal gRPC TLS
|
||||||
|
|||||||
@@ -345,7 +345,7 @@ func Dial(ctx context.Context, dest net.Destination, streamSettings *internet.Me
|
|||||||
c = &client{
|
c = &client{
|
||||||
dest: dest,
|
dest: dest,
|
||||||
config: streamSettings.ProtocolSettings.(*Config),
|
config: streamSettings.ProtocolSettings.(*Config),
|
||||||
tlsConfig: tlsConfig.GetTLSConfig(),
|
tlsConfig: tlsConfig.GetTLSConfig(tls.WithDestination(dest)),
|
||||||
socketConfig: streamSettings.SocketSettings,
|
socketConfig: streamSettings.SocketSettings,
|
||||||
udpmaskManager: streamSettings.UdpmaskManager,
|
udpmaskManager: streamSettings.UdpmaskManager,
|
||||||
quicParams: streamSettings.QuicParams,
|
quicParams: streamSettings.QuicParams,
|
||||||
|
|||||||
@@ -331,6 +331,9 @@ func (r *RandCarrier) verifyPeerCert(rawCerts [][]byte, verifiedChains [][]*x509
|
|||||||
}
|
}
|
||||||
|
|
||||||
if verifyResult == foundCA { // if found CA, we need to verify here
|
if verifyResult == foundCA { // if found CA, we need to verify here
|
||||||
|
if len(r.Config.ServerName) == 0 {
|
||||||
|
return errors.New("Pinning CA needs a valid ServerName")
|
||||||
|
}
|
||||||
opts := x509.VerifyOptions{
|
opts := x509.VerifyOptions{
|
||||||
Roots: CAs,
|
Roots: CAs,
|
||||||
CurrentTime: time.Now(),
|
CurrentTime: time.Now(),
|
||||||
|
|||||||
Reference in New Issue
Block a user