MITM: Allow using local received SNI in the outgoing serverName & verifyPeerCertInNames

https://github.com/XTLS/Xray-core/issues/4348#issuecomment-2637370175 Local received SNI was sent by browser/app. In freedom RAW's `tlsSettings`, set `"serverName": "fromMitm"` to forward it to the real website. In freedom RAW's `tlsSettings`, set `"verifyPeerCertInNames": ["fromMitm"]` to use all possible names to verify the certificate.
2025-04-30 17:38:41 +00:00 · 2025-02-06 07:37:30 +00:00 · 2025-02-06 07:37:30 +00:00 · c6a31f457c
commit c6a31f457c
parent 9b7841178a
8 changed files with 150 additions and 85 deletions
--- a/proxy/dokodemo/dokodemo.go
+++ b/proxy/dokodemo/dokodemo.go
@ -64,10 +64,6 @@ func (d *DokodemoDoor) policy() policy.Session {
 	return p
 }

-type hasHandshakeAddressContext interface {
-	HandshakeAddressContext(ctx context.Context) net.Address
-}
-
 // Process implements proxy.Inbound.
 func (d *DokodemoDoor) Process(ctx context.Context, network net.Network, conn stat.Connection, dispatcher routing.Dispatcher) error {
 	errors.LogDebug(ctx, "processing connection from: ", conn.RemoteAddr())
@ -87,14 +83,14 @@ func (d *DokodemoDoor) Process(ctx context.Context, network net.Network, conn st
 				destinationOverridden = true
 			}
 		}
-		if handshake, ok := conn.(hasHandshakeAddressContext); ok && !destinationOverridden {
-			addr := handshake.HandshakeAddressContext(ctx)
-			if addr != nil {
-				dest.Address = addr
-				if conn.(*tls.Conn).ConnectionState().NegotiatedProtocol == "http/1.1" {
-					ctx = session.ContextWithMitmAlpn11(ctx, true)
-				}
+		if tlsConn, ok := conn.(tls.Interface); ok && !destinationOverridden {
+			if serverName := tlsConn.HandshakeContextServerName(ctx); serverName != "" {
+				dest.Address = net.DomainAddress(serverName)
 				destinationOverridden = true
+				ctx = session.ContextWithMitmServerName(ctx, serverName)
+			}
+			if tlsConn.NegotiatedProtocol() == "http/1.1" {
+				ctx = session.ContextWithMitmAlpn11(ctx, true)
 			}
 		}
 	}