修改证书设置

2023-04-21 11:39:51 +08:00 · 2023-04-21 11:39:51 +08:00 · 6ee80d32ea
parent cc5aff08ad
commit 6ee80d32ea
4 changed files with 33 additions and 10 deletions
--- a/server/admin/server.go
+++ b/server/admin/server.go
@ -100,9 +100,9 @@ func StartAdmin() {
 	for _, s := range cipherSuites {
 		selectedCipherSuites = append(selectedCipherSuites, s.ID)
 	}
+
 	if tlscert, _, err := dbdata.ParseCert(); err != nil {
-		base.Error(err)
-		return
+		base.Fatal("证书加载失败", err)
 	} else {
 		dbdata.LoadCertificate(tlscert)
 	}
--- a/server/base/log.go
+++ b/server/base/log.go
@ -10,7 +10,8 @@ import (
 )

 const (
-	_Debug = iota
+	_Trace = iota
+	_Debug
 	_Info
 	_Warn
 	_Error
@ -89,6 +90,7 @@ func GetBaseLog() *log.Logger {

 func logLevel2Int(l string) int {
 	levels = map[int]string{
+		_Trace: "Trace",
 		_Debug: "Debug",
 		_Info:  "Info",
 		_Warn:  "Warn",
@ -109,6 +111,14 @@ func output(l int, s ...interface{}) {
 	_ = baseLog.Output(3, lvl+fmt.Sprintln(s...))
 }

+func Trace(v ...interface{}) {
+	l := _Trace
+	if baseLevel > l {
+		return
+	}
+	output(l, v...)
+}
+
 func Debug(v ...interface{}) {
 	l := _Debug
 	if baseLevel > l {
--- a/server/dbdata/cert.go
+++ b/server/dbdata/cert.go
@ -275,8 +275,10 @@ func ParseCert() (*tls.Certificate, *time.Time, error) {
 	_, errCert := os.Stat(base.Cfg.CertFile)
 	_, errKey := os.Stat(base.Cfg.CertKey)
 	if os.IsNotExist(errCert) || os.IsNotExist(errKey) {
-		PrivateCert()
-
+		err := PrivateCert()
+		if err != nil {
+			return nil, nil, err
+		}
 	}
 	cert, err := tls.LoadX509KeyPair(base.Cfg.CertFile, base.Cfg.CertKey)
 	if err != nil || errors.Is(err, os.ErrNotExist) {
@ -353,6 +355,11 @@ func GetCertificateBySNI(commonName string) (*tls.Certificate, error) {
 			return cert, nil
 		}
 	}
+	// 默认证书 兼容不支持 SNI 的客户端
+	if cert, ok := nameToCertificate["default"]; ok {
+		return cert, nil
+	}
+
 	return getTempCertificate()
 }

@ -362,6 +369,9 @@ func LoadCertificate(cert *tls.Certificate) {

 // Copy from tls.Config BuildNameToCertificate()
 func buildNameToCertificate(cert *tls.Certificate) {
+	// 设置默认证书
+	nameToCertificate["default"] = cert
+
 	x509Cert, err := x509.ParseCertificate(cert.Certificate[0])
 	if err != nil {
 		return
--- a/server/handler/server.go
+++ b/server/handler/server.go
@ -50,6 +50,7 @@ func startTls() {
 		MinVersion:   tls.VersionTLS12,
 		CipherSuites: selectedCipherSuites,
 		GetCertificate: func(chi *tls.ClientHelloInfo) (*tls.Certificate, error) {
+			base.Trace("GetCertificate", chi.ServerName)
 			return dbdata.GetCertificateBySNI(chi.ServerName)
 		},
 		// InsecureSkipVerify: true,
@ -59,6 +60,8 @@ func startTls() {
 		Handler:      initRoute(),
 		TLSConfig:    tlsConfig,
 		ErrorLog:     base.GetBaseLog(),
+		ReadTimeout:  60 * time.Second,
+		WriteTimeout: 60 * time.Second,
 	}

 	ln, err = net.Listen("tcp", addr)
@ -70,7 +73,7 @@ func startTls() {
 	if base.Cfg.ProxyProtocol {
 		ln = &proxyproto.Listener{
 			Listener:          ln,
-			ReadHeaderTimeout: 40 * time.Second,
+			ReadHeaderTimeout: 30 * time.Second,
 		}
 	}