支持私有自签证书

2025-08-07 21:28:50 +08:00 · 2024-04-22 14:40:03 +08:00
parent 26483533a9
commit 5e804a3483
5 changed files with 29 additions and 14 deletions
--- a/server/admin/server.go
+++ b/server/admin/server.go
@@ -111,12 +111,6 @@ func StartAdmin() {
 		selectedCipherSuites = append(selectedCipherSuites, s.ID)
 	}

-	if tlscert, _, err := dbdata.ParseCert(); err != nil {
-		base.Fatal("证书加载失败", err)
-	} else {
-		dbdata.LoadCertificate(tlscert)
-	}
-
 	// 设置tls信息
 	tlsConfig := &tls.Config{
 		NextProtos:   []string{"http/1.1"},
--- a/server/handler/link_auth.go
+++ b/server/handler/link_auth.go
@@ -17,7 +17,10 @@ import (
 	"github.com/bjdgyc/anylink/sessdata"
 )

-var profileHash = ""
+var (
+	profileHash = ""
+	certHash    = ""
+)

 func LinkAuth(w http.ResponseWriter, r *http.Request) {
 	// TODO 调试信息输出
@@ -138,7 +141,7 @@ func LinkAuth(w http.ResponseWriter, r *http.Request) {
 	other := &dbdata.SettingOther{}
 	_ = dbdata.SettingGet(other)
 	rd := RequestData{SessionId: sess.Sid, SessionToken: sess.Sid + "@" + sess.Token,
-		Banner: other.Banner, ProfileName: base.Cfg.ProfileName, ProfileHash: profileHash}
+		Banner: other.Banner, ProfileName: base.Cfg.ProfileName, ProfileHash: profileHash, CertHash: certHash}
 	w.WriteHeader(http.StatusOK)
 	tplRequest(tpl_complete, w, rd)
 	base.Info("login", cr.Auth.Username, userAgent)
@@ -178,6 +181,7 @@ type RequestData struct {
 	Banner       string
 	ProfileName  string
 	ProfileHash  string
+	CertHash     string
 }

 var auth_request = `<?xml version="1.0" encoding="UTF-8"?>
@@ -223,7 +227,7 @@ var auth_complete = `<?xml version="1.0" encoding="UTF-8"?>
    </capabilities>
    <config client="vpn" type="private">
        <vpn-base-config>
-            <server-cert-hash>240B97A685B2BFA66AD699B90AAC49EA66495D69</server-cert-hash>
+            <server-cert-hash>{{.CertHash}}</server-cert-hash>
        </vpn-base-config>
        <opaque is-for="vpn-client"></opaque>
        <vpn-profile-manifest>
--- a/server/handler/server.go
+++ b/server/handler/server.go
@@ -1,13 +1,16 @@
 package handler

 import (
+	"crypto/sha1"
 	"crypto/tls"
+	"encoding/hex"
 	"fmt"
 	"io"
 	"net"
 	"net/http"
 	"net/http/httputil"
 	"os"
+	"strings"
 	"time"

 	"github.com/bjdgyc/anylink/base"
@@ -36,6 +39,19 @@ func startTls() {
 	//	certs[0], err = tls.LoadX509KeyPair(certFile, keyFile)
 	// }

+	tlscert, _, err := dbdata.ParseCert()
+	if err != nil {
+		base.Fatal("证书加载失败", err)
+	}
+	dbdata.LoadCertificate(tlscert)
+
+	// 计算证书hash值
+	s1 := sha1.New()
+	s1.Write(tlscert.Certificate[0])
+	h2s := hex.EncodeToString(s1.Sum(nil))
+	certHash = strings.ToUpper(h2s)
+	base.Info("certHash", certHash)
+
 	// 修复 CVE-2016-2183
 	// https://segmentfault.com/a/1190000038486901
 	// nmap -sV --script ssl-enum-ciphers -p 443 www.example.com