From afcfdbca701804ac503a2b2d31c6b6cf5fe40389 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E9=A3=8E=E6=89=87=E6=BB=91=E7=BF=94=E7=BF=BC?=
Date: Sat, 31 Jan 2026 21:11:36 +0800
Subject: [PATCH] Commands: Print leaf cert's SHA256 in `tls ping` (#5628)

And https://github.com/XTLS/Xray-core/pull/5628#issuecomment-3828445442

---------

Co-authored-by: RPRX <63339210+RPRX@users.noreply.github.com>
---
 infra/conf/transport_internet.go | 6 +++++-
 main/commands/all/tls/ping.go | 19 +------------------
 2 files changed, 6 insertions(+), 19 deletions(-)

diff --git a/infra/conf/transport_internet.go b/infra/conf/transport_internet.go
index a451a310..4e9a0bcd 100644
--- a/infra/conf/transport_internet.go
+++ b/infra/conf/transport_internet.go
@@ -639,10 +639,14 @@ func (c *TLSConfig) Build() (proto.Message, error) {
 if v == "" {
 continue
 }
- hashValue, err := hex.DecodeString(v)
+ // remove colons for OpenSSL format
+ hashValue, err := hex.DecodeString(strings.ReplaceAll(v, ":", ""))
 if err != nil {
 return nil, err
 }
+ if len(hashValue) != 32 {
+ return nil, errors.New("incorrect pinnedPeerCertSha256 length: ", v)
+ }
 config.PinnedPeerCertSha256 = append(config.PinnedPeerCertSha256, hashValue)
 }
 }
diff --git a/main/commands/all/tls/ping.go b/main/commands/all/tls/ping.go
index 6417b74c..e340fb07 100644
--- a/main/commands/all/tls/ping.go
+++ b/main/commands/all/tls/ping.go
@@ -75,8 +75,6 @@ func executePing(cmd *base.Command, args []string) {
 NextProtos: []string{"h2", "http/1.1"},
 MaxVersion: gotls.VersionTLS13,
 MinVersion: gotls.VersionTLS12,
- // Do not release tool before v5's refactor
- // VerifyPeerCertificate: showCert(),
 })
 err = tlsConn.Handshake()
 if err != nil {
@@ -101,8 +99,6 @@ func executePing(cmd *base.Command, args []string) {
 NextProtos: []string{"h2", "http/1.1"},
 MaxVersion: gotls.VersionTLS13,
 MinVersion: gotls.VersionTLS12,
- // Do not release tool before v5's refactor
- // VerifyPeerCertificate: showCert(),
 })
 err = tlsConn.Handshake()
 if err != nil {
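Review bot: The new 32-byte check in the `transport_internet.go` hunk rejects a bad pin but the error tells the user only the offending string, not what was expected, and a value pasted with surrounding whitespace (common when copying from `openssl x509 -fingerprint` or from `tls ping` output) still dies earlier in `hex.DecodeString` with a bare hex error. Consider `strings.TrimSpace(v)` before the colon stripping, and a self-describing message such as `return nil, errors.New("pinnedPeerCertSha256 must be 32 bytes (64 hex chars), got ", len(hashValue), " bytes: ", v)`, assuming `errors.New` here is the project's variadic helper as the existing call suggests. The accepted input forms also deserve a comment, since this is the value users paste from `tls ping`: `// Accepts 64 hex chars, optionally colon-separated (OpenSSL fingerprint form); must decode to exactly 32 bytes.` Build() and the loop this hunk sits in start outside the hunk.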
@@ -133,6 +129,7 @@ func printCertificates(certs []*x509.Certificate) {
 fmt.Println("Cert's signature algorithm: ", leaf.SignatureAlgorithm.String())
 fmt.Println("Cert's publicKey algorithm: ", leaf.PublicKeyAlgorithm.String())
 fmt.Println("Cert's allowed domains: ", leaf.DNSNames)
+ fmt.Println("Cert's leaf SHA256: ", hex.EncodeToString(GenerateCertHash(leaf)))
 }
 }
 
@@ -153,17 +150,3 @@ func printTLSConnDetail(tlsConn *gotls.Conn) {
 fmt.Println("TLS Post-Quantum key exchange: false (RSA Exchange)")
 }
 }
-
-func showCert() func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
- return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
- var hash []byte
- for _, asn1Data := range rawCerts {
- cert, _ := x509.ParseCertificate(asn1Data)
- if cert.IsCA {
- hash = GenerateCertHash(cert)
- }
- }
- fmt.Println("Certificate Leaf Hash: ", hex.EncodeToString(hash))
- return nil
- }
-}
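Review bot: The added `fmt.Println("Cert's leaf SHA256: ", ...)` line in printCertificates prints the value users are expected to paste into `pinnedPeerCertSha256`, but nothing in the code says so or warns that it is simply whatever certificate this peer presented on this connection, so a pin captured over an intercepted path pins the interceptor. A comment on that line would make the contract explicit: `// Value for pinnedPeerCertSha256 (hex, no colons); confirm it out-of-band before pinning, since it is the cert this peer sent.` I cannot see how `leaf` is selected or what GenerateCertHash hashes (presumably SHA-256 over the raw DER) because printCertificates's enclosing block starts outside the hunk; if `leaf` turns out to be the current chain element rather than certs[0], the "leaf" label is misleading for intermediates.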