Xray-core/transport/internet/xtls/config.proto
yuhan6665 acb81ebe3d
Verify peer cert function for better man in the middle prevention (#746)
* verify peer cert function for better man in the middle prevention

* publish cert chain hash generation algorithm

* added calculation of certificate hash as separate command and tlsping, use base64 to represent fingerprint to align with jsonPb

* apply coding style

* added test case for pinned certificates

* refactored cert pin

* pinned cert test

* added json loading of the PinnedPeerCertificateChainSha256

* removed tool to prepare for v5

* Add server cert pinning for Xtls

Change command "xray tls certChainHash" to xray style

Co-authored-by: Shelikhoo <xiaokangwang@outlook.com>
2021-10-22 12:38:40 +08:00

77 lines
1.8 KiB
Protocol Buffer

syntax = "proto3";
package xray.transport.internet.xtls;
option csharp_namespace = "Xray.Transport.Internet.Xtls";
option go_package = "github.com/xtls/xray-core/transport/internet/xtls";
option java_package = "com.xray.transport.internet.xtls";
option java_multiple_files = true;
message Certificate {
// TLS certificate in x509 format.
bytes certificate = 1;
// TLS key in x509 format.
bytes key = 2;
enum Usage {
ENCIPHERMENT = 0;
AUTHORITY_VERIFY = 1;
AUTHORITY_ISSUE = 2;
}
Usage usage = 3;
uint64 ocsp_stapling = 4;
// TLS certificate path
string certificate_path = 5;
// TLS Key path
string key_path = 6;
// If true, one-Time Loading
bool One_time_loading = 7;
}
message Config {
// Whether or not to allow self-signed certificates.
bool allow_insecure = 1;
// List of certificates to be served on server.
repeated Certificate certificate = 2;
// Override server name.
string server_name = 3;
// Lists of string as ALPN values.
repeated string next_protocol = 4;
// Whether or not to enable session (ticket) resumption.
bool enable_session_resumption = 5;
// If true, root certificates on the system will not be loaded for
// verification.
bool disable_system_root = 6;
// The minimum TLS version.
string min_version = 7;
// The maximum TLS version.
string max_version = 8;
// Specify cipher suites, except for TLS 1.3.
string cipher_suites = 9;
// Whether the server selects its most preferred ciphersuite.
bool prefer_server_cipher_suites = 10;
bool reject_unknown_sni = 12;
/* @Document A pinned certificate chain sha256 hash.
@Document If the server's hash does not match this value, the connection will be aborted.
@Document This value replace allow_insecure.
@Critical
*/
repeated bytes pinned_peer_certificate_chain_sha256 = 13;
}