diff --git a/transport/internet/tls/config.go b/transport/internet/tls/config.go index 2f685b85c..9fc6d3196 100644 --- a/transport/internet/tls/config.go +++ b/transport/internet/tls/config.go @@ -3,6 +3,7 @@ package tls import ( "context" "crypto/tls" + "crypto/x509" "time" "v2ray.com/core/common/net" @@ -41,8 +42,14 @@ func (c *Config) BuildCertificates() []tls.Certificate { } func isCertificateExpired(c *tls.Certificate) bool { + if c.Leaf == nil && len(c.Certificate) > 0 { + if pc, err := x509.ParseCertificate(c.Certificate[0]); err == nil { + c.Leaf = pc + } + } + // If leaf is not there, the certificate is probably not used yet. We trust user to provide a valid certificate. - return c.Leaf != nil && c.Leaf.NotAfter.After(time.Now().Add(-time.Minute)) + return c.Leaf != nil && c.Leaf.NotAfter.Before(time.Now().Add(-time.Minute)) } func issueCertificate(rawCA *Certificate, domain string) (*tls.Certificate, error) { diff --git a/transport/internet/tls/config_test.go b/transport/internet/tls/config_test.go index e7fa2fa85..87c055687 100644 --- a/transport/internet/tls/config_test.go +++ b/transport/internet/tls/config_test.go @@ -33,3 +33,32 @@ func TestCertificateIssuing(t *testing.T) { assert(err, IsNil) assert(x509Cert.NotAfter.After(time.Now()), IsTrue) } + +func TestExpiredCertificate(t *testing.T) { + assert := With(t) + + caCert := cert.MustGenerate(nil, cert.Authority(true), cert.KeyUsage(x509.KeyUsageCertSign)) + expiredCert := cert.MustGenerate(caCert, cert.NotAfter(time.Now().Add(time.Minute*-2)), cert.CommonName("www.v2ray.com"), cert.DNSNames("www.v2ray.com")) + + certificate := ParseCertificate(caCert) + certificate.Usage = Certificate_AUTHORITY_ISSUE + + certificate2 := ParseCertificate(expiredCert) + + c := &Config{ + Certificate: []*Certificate{ + certificate, + certificate2, + }, + } + + tlsConfig := c.GetTLSConfig() + v2rayCert, err := tlsConfig.GetCertificate(&gotls.ClientHelloInfo{ + ServerName: "www.v2ray.com", + }) + assert(err, IsNil) + + x509Cert, err := x509.ParseCertificate(v2rayCert.Certificate[0]) + assert(err, IsNil) + assert(x509Cert.NotAfter.After(time.Now()), IsTrue) +}