mirror of
https://github.com/v2fly/v2ray-core.git
synced 2024-12-22 10:08:15 -05:00
only try issuing new certificate when user provide custom CA
This commit is contained in:
parent
048f0ee56e
commit
abee8bddf3
@ -58,6 +58,15 @@ func issueCertificate(rawCA *Certificate, domain string) (*tls.Certificate, erro
|
||||
return &cert, err
|
||||
}
|
||||
|
||||
func (c *Config) hasCustomCA() bool {
|
||||
for _, certificate := range c.Certificate {
|
||||
if certificate.Usage == Certificate_AUTHORITY_ISSUE {
|
||||
return true
|
||||
}
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
func (c *Config) GetTLSConfig(opts ...Option) *tls.Config {
|
||||
config := &tls.Config{
|
||||
ClientSessionCache: globalSessionCache,
|
||||
@ -74,53 +83,56 @@ func (c *Config) GetTLSConfig(opts ...Option) *tls.Config {
|
||||
config.InsecureSkipVerify = c.AllowInsecure
|
||||
config.Certificates = c.BuildCertificates()
|
||||
config.BuildNameToCertificate()
|
||||
config.GetCertificate = func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
|
||||
domain := hello.ServerName
|
||||
certExpired := false
|
||||
if certificate, found := config.NameToCertificate[domain]; found {
|
||||
if !isCertificateExpired(certificate) {
|
||||
return certificate, nil
|
||||
if c.hasCustomCA() {
|
||||
config.GetCertificate = func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
|
||||
domain := hello.ServerName
|
||||
certExpired := false
|
||||
if certificate, found := config.NameToCertificate[domain]; found {
|
||||
if !isCertificateExpired(certificate) {
|
||||
return certificate, nil
|
||||
}
|
||||
certExpired = true
|
||||
}
|
||||
certExpired = true
|
||||
}
|
||||
|
||||
if certExpired {
|
||||
newCerts := make([]tls.Certificate, 0, len(config.Certificates))
|
||||
if certExpired {
|
||||
newCerts := make([]tls.Certificate, 0, len(config.Certificates))
|
||||
|
||||
for _, certificate := range config.Certificates {
|
||||
if !isCertificateExpired(&certificate) {
|
||||
newCerts = append(newCerts, certificate)
|
||||
for _, certificate := range config.Certificates {
|
||||
if !isCertificateExpired(&certificate) {
|
||||
newCerts = append(newCerts, certificate)
|
||||
}
|
||||
}
|
||||
|
||||
config.Certificates = newCerts
|
||||
}
|
||||
|
||||
var issuedCertificate *tls.Certificate
|
||||
|
||||
// Create a new certificate from existing CA if possible
|
||||
for _, rawCert := range c.Certificate {
|
||||
if rawCert.Usage == Certificate_AUTHORITY_ISSUE {
|
||||
newCert, err := issueCertificate(rawCert, domain)
|
||||
if err != nil {
|
||||
newError("failed to issue new certificate for ", domain).Base(err).WriteToLog()
|
||||
continue
|
||||
}
|
||||
|
||||
config.Certificates = append(config.Certificates, *newCert)
|
||||
issuedCertificate = &config.Certificates[len(config.Certificates)-1]
|
||||
break
|
||||
}
|
||||
}
|
||||
|
||||
config.Certificates = newCerts
|
||||
}
|
||||
|
||||
var issuedCertificate *tls.Certificate
|
||||
|
||||
// Create a new certificate from existing CA if possible
|
||||
for _, rawCert := range c.Certificate {
|
||||
if rawCert.Usage == Certificate_AUTHORITY_ISSUE {
|
||||
newCert, err := issueCertificate(rawCert, domain)
|
||||
if err != nil {
|
||||
newError("failed to issue new certificate for ", domain).Base(err).WriteToLog()
|
||||
continue
|
||||
}
|
||||
|
||||
config.Certificates = append(config.Certificates, *newCert)
|
||||
issuedCertificate = &config.Certificates[len(config.Certificates)-1]
|
||||
break
|
||||
if issuedCertificate == nil {
|
||||
return nil, newError("failed to create a new certificate for ", domain)
|
||||
}
|
||||
|
||||
config.BuildNameToCertificate()
|
||||
|
||||
return issuedCertificate, nil
|
||||
}
|
||||
|
||||
if issuedCertificate == nil {
|
||||
return nil, newError("failed to create a new certificate for ", domain)
|
||||
}
|
||||
|
||||
config.BuildNameToCertificate()
|
||||
|
||||
return issuedCertificate, nil
|
||||
}
|
||||
|
||||
if len(c.ServerName) > 0 {
|
||||
config.ServerName = c.ServerName
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user