MITM: Allow using local received SNI in the outgoing serverName & verifyPeerCertInNames

https://github.com/XTLS/Xray-core/issues/4348#issuecomment-2637370175 Local received SNI was sent by browser/app. In freedom RAW's `tlsSettings`, set `"serverName": "fromMitm"` to forward it to the real website. In freedom RAW's `tlsSettings`, set `"verifyPeerCertInNames": ["fromMitm"]` to use all possible names to verify the certificate.
2025-04-30 01:08:33 +00:00 · 2025-02-06 07:37:30 +00:00 · 2025-02-06 07:37:30 +00:00 · c6a31f457c
commit c6a31f457c
parent 9b7841178a
8 changed files with 150 additions and 85 deletions
--- a/transport/internet/tls/tls.go
+++ b/transport/internet/tls/tls.go
@ -16,6 +16,7 @@ type Interface interface {
 	net.Conn
 	HandshakeContext(ctx context.Context) error
 	VerifyHostname(host string) error
+	HandshakeContextServerName(ctx context.Context) string
 	NegotiatedProtocol() string
 }

@ -43,15 +44,11 @@ func (c *Conn) WriteMultiBuffer(mb buf.MultiBuffer) error {
 	return err
 }

-func (c *Conn) HandshakeAddressContext(ctx context.Context) net.Address {
+func (c *Conn) HandshakeContextServerName(ctx context.Context) string {
 	if err := c.HandshakeContext(ctx); err != nil {
-		return nil
+		return ""
 	}
-	state := c.ConnectionState()
-	if state.ServerName == "" {
-		return nil
-	}
-	return net.ParseAddress(state.ServerName)
+	return c.ConnectionState().ServerName
 }

 func (c *Conn) NegotiatedProtocol() string {
@ -85,15 +82,11 @@ func (c *UConn) Close() error {
 	return c.Conn.Close()
 }

-func (c *UConn) HandshakeAddressContext(ctx context.Context) net.Address {
+func (c *UConn) HandshakeContextServerName(ctx context.Context) string {
 	if err := c.HandshakeContext(ctx); err != nil {
-		return nil
+		return ""
 	}
-	state := c.ConnectionState()
-	if state.ServerName == "" {
-		return nil
-	}
-	return net.ParseAddress(state.ServerName)
+	return c.ConnectionState().ServerName
 }

 // WebsocketHandshake basically calls UConn.Handshake inside it but it will only send
@ -134,17 +127,13 @@ func UClient(c net.Conn, config *tls.Config, fingerprint *utls.ClientHelloID) ne
 }

 func copyConfig(c *tls.Config) *utls.Config {
-	serverNameToVerify := ""
-	if r, ok := c.Rand.(*RandCarrier); ok {
-		serverNameToVerify = r.ServerNameToVerify
-	}
 	return &utls.Config{
-		RootCAs:                    c.RootCAs,
-		ServerName:                 c.ServerName,
-		InsecureSkipVerify:         c.InsecureSkipVerify,
-		VerifyPeerCertificate:      c.VerifyPeerCertificate,
-		KeyLogWriter:               c.KeyLogWriter,
-		InsecureServerNameToVerify: serverNameToVerify,
+		Rand:                  c.Rand,
+		RootCAs:               c.RootCAs,
+		ServerName:            c.ServerName,
+		InsecureSkipVerify:    c.InsecureSkipVerify,
+		VerifyPeerCertificate: c.VerifyPeerCertificate,
+		KeyLogWriter:          c.KeyLogWriter,
 	}
 }