mirror of
https://github.com/XTLS/Xray-core.git
synced 2024-11-16 20:13:01 +00:00
acb81ebe3d
* verify peer cert function for better man in the middle prevention * publish cert chain hash generation algorithm * added calculation of certificate hash as separate command and tlsping, use base64 to represent fingerprint to align with jsonPb * apply coding style * added test case for pinned certificates * refactored cert pin * pinned cert test * added json loading of the PinnedPeerCertificateChainSha256 * removed tool to prepare for v5 * Add server cert pinning for Xtls Change command "xray tls certChainHash" to xray style Co-authored-by: Shelikhoo <xiaokangwang@outlook.com>
80 lines
1.9 KiB
Protocol Buffer
80 lines
1.9 KiB
Protocol Buffer
syntax = "proto3";
|
|
|
|
package xray.transport.internet.tls;
|
|
option csharp_namespace = "Xray.Transport.Internet.Tls";
|
|
option go_package = "github.com/xtls/xray-core/transport/internet/tls";
|
|
option java_package = "com.xray.transport.internet.tls";
|
|
option java_multiple_files = true;
|
|
|
|
message Certificate {
|
|
// TLS certificate in x509 format.
|
|
bytes certificate = 1;
|
|
|
|
// TLS key in x509 format.
|
|
bytes key = 2;
|
|
|
|
enum Usage {
|
|
ENCIPHERMENT = 0;
|
|
AUTHORITY_VERIFY = 1;
|
|
AUTHORITY_ISSUE = 2;
|
|
}
|
|
|
|
Usage usage = 3;
|
|
|
|
uint64 ocsp_stapling = 4;
|
|
|
|
// TLS certificate path
|
|
string certificate_path = 5;
|
|
|
|
// TLS Key path
|
|
string key_path = 6;
|
|
|
|
// If true, one-Time Loading
|
|
bool One_time_loading = 7;
|
|
}
|
|
|
|
message Config {
|
|
// Whether or not to allow self-signed certificates.
|
|
bool allow_insecure = 1;
|
|
|
|
// List of certificates to be served on server.
|
|
repeated Certificate certificate = 2;
|
|
|
|
// Override server name.
|
|
string server_name = 3;
|
|
|
|
// Lists of string as ALPN values.
|
|
repeated string next_protocol = 4;
|
|
|
|
// Whether or not to enable session (ticket) resumption.
|
|
bool enable_session_resumption = 5;
|
|
|
|
// If true, root certificates on the system will not be loaded for
|
|
// verification.
|
|
bool disable_system_root = 6;
|
|
|
|
// The minimum TLS version.
|
|
string min_version = 7;
|
|
|
|
// The maximum TLS version.
|
|
string max_version = 8;
|
|
|
|
// Specify cipher suites, except for TLS 1.3.
|
|
string cipher_suites = 9;
|
|
|
|
// Whether the server selects its most preferred ciphersuite.
|
|
bool prefer_server_cipher_suites = 10;
|
|
|
|
// TLS Client Hello fingerprint (uTLS).
|
|
string fingerprint = 11;
|
|
|
|
bool reject_unknown_sni = 12;
|
|
|
|
/* @Document A pinned certificate chain sha256 hash.
|
|
@Document If the server's hash does not match this value, the connection will be aborted.
|
|
@Document This value replace allow_insecure.
|
|
@Critical
|
|
*/
|
|
repeated bytes pinned_peer_certificate_chain_sha256 = 13;
|
|
}
|