mirrors/Xray-core
1
0
Fork 0
mirror of https://github.com/XTLS/Xray-core.git synced 2025-04-30 01:08:33 +00:00
Code Issues Projects Releases Packages Wiki Activity

MITM: Allow using local received SNI in the outgoing serverName & verifyPeerCertInNames

Browse source 
https://github.com/XTLS/Xray-core/issues/4348#issuecomment-2637370175

Local received SNI was sent by browser/app.

In freedom RAW's `tlsSettings`, set `"serverName": "fromMitm"` to forward it to the real website.

In freedom RAW's `tlsSettings`, set `"verifyPeerCertInNames": ["fromMitm"]` to use all possible names to verify the certificate.
This commit is contained in:
RPRX 2025-02-06 07:37:30 +00:00 committed by GitHub
parent 9b7841178a
commit c6a31f457c
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
8 changed files with 150 additions and 85 deletions
Download patch file Download diff file Expand all files Collapse all files

34
transport/internet/tcp/dialer.go
View file

@ -14,6 +14,10 @@ import (
"github.com/xtls/xray-core/transport/internet/tls"
)
func IsFromMitm(str string) bool {
return strings.ToLower(str) == "frommitm"
}
// Dial dials a new TCP connection to the given destination.
func Dial(ctx context.Context, dest net.Destination, streamSettings *internet.MemoryStreamConfig) (stat.Connection, error) {
errors.LogInfo(ctx, "dialing TCP to ", dest)
@ -23,11 +27,28 @@ func Dial(ctx context.Context, dest net.Destination, streamSettings *internet.Me
}
if config := tls.ConfigFromStreamSettings(streamSettings); config != nil {
mitmServerName := session.MitmServerNameFromContext(ctx)
mitmAlpn11 := session.MitmAlpn11FromContext(ctx)
tlsConfig := config.GetTLSConfig(tls.WithDestination(dest))
if IsFromMitm(tlsConfig.ServerName) {
tlsConfig.ServerName = mitmServerName
}
if r, ok := tlsConfig.Rand.(*tls.RandCarrier); ok && len(r.VerifyPeerCertInNames) > 0 && IsFromMitm(r.VerifyPeerCertInNames[0]) {
r.VerifyPeerCertInNames = r.VerifyPeerCertInNames[1:]
after := mitmServerName
for {
if len(after) > 0 {
r.VerifyPeerCertInNames = append(r.VerifyPeerCertInNames, after)
}
_, after, _ = strings.Cut(after, ".")
if !strings.Contains(after, ".") {
break
}
}
}
if fingerprint := tls.GetFingerprint(config.Fingerprint); fingerprint != nil {
conn = tls.UClient(conn, tlsConfig, fingerprint)
if len(tlsConfig.NextProtos) == 1 && (tlsConfig.NextProtos[0] == "http/1.1" ||
(strings.ToLower(tlsConfig.NextProtos[0]) == "frommitm" && session.MitmAlpn11FromContext(ctx))) {
if len(tlsConfig.NextProtos) == 1 && (tlsConfig.NextProtos[0] == "http/1.1" || (IsFromMitm(tlsConfig.NextProtos[0]) && mitmAlpn11)) {
if err := conn.(*tls.UConn).WebsocketHandshakeContext(ctx); err != nil {
return nil, err
}
@ -37,14 +58,17 @@ func Dial(ctx context.Context, dest net.Destination, streamSettings *internet.Me
}
}
} else {
if len(tlsConfig.NextProtos) == 1 && strings.ToLower(tlsConfig.NextProtos[0]) == "frommitm" {
if session.MitmAlpn11FromContext(ctx) {
tlsConfig.NextProtos = []string{"http/1.1"} // new slice
if len(tlsConfig.NextProtos) == 1 && IsFromMitm(tlsConfig.NextProtos[0]) {
if mitmAlpn11 {
tlsConfig.NextProtos[0] = "http/1.1"
} else {
tlsConfig.NextProtos = nil
}
}
conn = tls.Client(conn, tlsConfig)
if err := conn.(*tls.Conn).HandshakeContext(ctx); err != nil {
return nil, err
}
}
} else if config := reality.ConfigFromStreamSettings(streamSettings); config != nil {
if conn, err = reality.UClient(conn, config, ctx, dest); err != nil {