mirror of
https://github.com/XTLS/Xray-core.git
synced 2025-02-12 03:44:11 +00:00
c6a31f457c
https://github.com/XTLS/Xray-core/issues/4348#issuecomment-2637370175 Local received SNI was sent by browser/app. In freedom RAW's `tlsSettings`, set `"serverName": "fromMitm"` to forward it to the real website. In freedom RAW's `tlsSettings`, set `"verifyPeerCertInNames": ["fromMitm"]` to use all possible names to verify the certificate.
95 lines
2.5 KiB
Protocol Buffer
95 lines
2.5 KiB
Protocol Buffer
syntax = "proto3";
|
|
|
|
package xray.transport.internet.tls;
|
|
option csharp_namespace = "Xray.Transport.Internet.Tls";
|
|
option go_package = "github.com/xtls/xray-core/transport/internet/tls";
|
|
option java_package = "com.xray.transport.internet.tls";
|
|
option java_multiple_files = true;
|
|
|
|
message Certificate {
|
|
// TLS certificate in x509 format.
|
|
bytes certificate = 1;
|
|
|
|
// TLS key in x509 format.
|
|
bytes key = 2;
|
|
|
|
enum Usage {
|
|
ENCIPHERMENT = 0;
|
|
AUTHORITY_VERIFY = 1;
|
|
AUTHORITY_ISSUE = 2;
|
|
}
|
|
|
|
Usage usage = 3;
|
|
|
|
uint64 ocsp_stapling = 4;
|
|
|
|
// TLS certificate path
|
|
string certificate_path = 5;
|
|
|
|
// TLS Key path
|
|
string key_path = 6;
|
|
|
|
// If true, one-Time Loading
|
|
bool One_time_loading = 7;
|
|
|
|
bool build_chain = 8;
|
|
}
|
|
|
|
message Config {
|
|
// Whether or not to allow self-signed certificates.
|
|
bool allow_insecure = 1;
|
|
|
|
// List of certificates to be served on server.
|
|
repeated Certificate certificate = 2;
|
|
|
|
// Override server name.
|
|
string server_name = 3;
|
|
|
|
// Lists of string as ALPN values.
|
|
repeated string next_protocol = 4;
|
|
|
|
// Whether or not to enable session (ticket) resumption.
|
|
bool enable_session_resumption = 5;
|
|
|
|
// If true, root certificates on the system will not be loaded for
|
|
// verification.
|
|
bool disable_system_root = 6;
|
|
|
|
// The minimum TLS version.
|
|
string min_version = 7;
|
|
|
|
// The maximum TLS version.
|
|
string max_version = 8;
|
|
|
|
// Specify cipher suites, except for TLS 1.3.
|
|
string cipher_suites = 9;
|
|
|
|
// TLS Client Hello fingerprint (uTLS).
|
|
string fingerprint = 11;
|
|
|
|
bool reject_unknown_sni = 12;
|
|
|
|
/* @Document Some certificate chain sha256 hashes.
|
|
@Document After normal validation or allow_insecure, if the server's cert chain hash does not match any of these values, the connection will be aborted.
|
|
@Critical
|
|
*/
|
|
repeated bytes pinned_peer_certificate_chain_sha256 = 13;
|
|
|
|
/* @Document Some certificate public key sha256 hashes.
|
|
@Document After normal validation (required), if the verified cert's public key hash does not match any of these values, the connection will be aborted.
|
|
@Critical
|
|
*/
|
|
repeated bytes pinned_peer_certificate_public_key_sha256 = 14;
|
|
|
|
string master_key_log = 15;
|
|
|
|
// Lists of string as CurvePreferences values.
|
|
repeated string curve_preferences = 16;
|
|
|
|
/* @Document Replaces server_name to verify the peer cert.
|
|
@Document After allow_insecure (automatically), if the server's cert can't be verified by any of these names, pinned_peer_certificate_chain_sha256 will be tried.
|
|
@Critical
|
|
*/
|
|
repeated string verify_peer_cert_in_names = 17;
|
|
}
|