remove outdated certchain workaround
This commit is contained in:
parent
d40fcbd30e
commit
a9074c0c92
3 changed files with 13 additions and 57 deletions
|
|
@ -99,7 +99,6 @@ eu3.sec-tunnel.com,77.111.244.22,443
|
|||
| bind-address | String | proxy listen address (default "127.0.0.1:18080") |
|
||||
| bootstrap-dns | String | Comma-separated list of DNS/DoH/DoT resolvers for initial discovery of SurfEasy API address. Supported schemes are: `dns://`, `https://`, `tls://`, `tcp://`. Examples: `https://1.1.1.1/dns-query`, `tls://9.9.9.9:853` (default `https://1.1.1.3/dns-query,https://8.8.8.8/dns-query,https://dns.google/dns-query,https://security.cloudflare-dns.com/dns-query,https://fidelity.vm-0.com/q,https://wikimedia-dns.org/dns-query,https://dns.adguard-dns.com/dns-query,https://dns.quad9.net/dns-query,https://doh.cleanbrowsing.org/doh/adult-filter/`) |
|
||||
| cafile | String | use custom CA certificate bundle file |
|
||||
| certchain-workaround | Boolean | add bundled cross-signed intermediate cert to certchain to make it check out on old systems (default true) |
|
||||
| config | String | read configuration from file with space-separated keys and values |
|
||||
| country | String | desired proxy location (default "EU") |
|
||||
| dp-export | - | export configuration for dumbproxy |
|
||||
|
|
|
|||
|
|
@ -7,7 +7,6 @@ import (
|
|||
"crypto/tls"
|
||||
"crypto/x509"
|
||||
"encoding/base64"
|
||||
"encoding/pem"
|
||||
"errors"
|
||||
"fmt"
|
||||
"io"
|
||||
|
|
@ -22,35 +21,8 @@ const (
|
|||
PROXY_CONNECT_METHOD = "CONNECT"
|
||||
PROXY_HOST_HEADER = "Host"
|
||||
PROXY_AUTHORIZATION_HEADER = "Proxy-Authorization"
|
||||
MISSING_CHAIN_CERT = `-----BEGIN CERTIFICATE-----
|
||||
MIID0zCCArugAwIBAgIQVmcdBOpPmUxvEIFHWdJ1lDANBgkqhkiG9w0BAQwFADB7
|
||||
MQswCQYDVQQGEwJHQjEbMBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYD
|
||||
VQQHDAdTYWxmb3JkMRowGAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEhMB8GA1UE
|
||||
AwwYQUFBIENlcnRpZmljYXRlIFNlcnZpY2VzMB4XDTE5MDMxMjAwMDAwMFoXDTI4
|
||||
MTIzMTIzNTk1OVowgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5
|
||||
MRQwEgYDVQQHEwtKZXJzZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBO
|
||||
ZXR3b3JrMS4wLAYDVQQDEyVVU0VSVHJ1c3QgRUNDIENlcnRpZmljYXRpb24gQXV0
|
||||
aG9yaXR5MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEGqxUWqn5aCPnetUkb1PGWthL
|
||||
q8bVttHmc3Gu3ZzWDGH926CJA7gFFOxXzu5dP+Ihs8731Ip54KODfi2X0GHE8Znc
|
||||
JZFjq38wo7Rw4sehM5zzvy5cU7Ffs30yf4o043l5o4HyMIHvMB8GA1UdIwQYMBaA
|
||||
FKARCiM+lvEH7OKvKe+CpX/QMKS0MB0GA1UdDgQWBBQ64QmG1M8ZwpZ2dEl23OA1
|
||||
xmNjmjAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zARBgNVHSAECjAI
|
||||
MAYGBFUdIAAwQwYDVR0fBDwwOjA4oDagNIYyaHR0cDovL2NybC5jb21vZG9jYS5j
|
||||
b20vQUFBQ2VydGlmaWNhdGVTZXJ2aWNlcy5jcmwwNAYIKwYBBQUHAQEEKDAmMCQG
|
||||
CCsGAQUFBzABhhhodHRwOi8vb2NzcC5jb21vZG9jYS5jb20wDQYJKoZIhvcNAQEM
|
||||
BQADggEBABns652JLCALBIAdGN5CmXKZFjK9Dpx1WywV4ilAbe7/ctvbq5AfjJXy
|
||||
ij0IckKJUAfiORVsAYfZFhr1wHUrxeZWEQff2Ji8fJ8ZOd+LygBkc7xGEJuTI42+
|
||||
FsMuCIKchjN0djsoTI0DQoWz4rIjQtUfenVqGtF8qmchxDM6OW1TyaLtYiKou+JV
|
||||
bJlsQ2uRl9EMC5MCHdK8aXdJ5htN978UeAOwproLtOGFfy/cQjutdAFI3tZs4RmY
|
||||
CV4Ks2dH/hzg1cEo70qLRDEmBDeNiXQ2Lu+lIg+DdEmSx/cQwgwp+7e9un/jX9Wf
|
||||
8qn0dNW44bOwgeThpWOjzOoEeJBuv/c=
|
||||
-----END CERTIFICATE-----
|
||||
`
|
||||
)
|
||||
|
||||
var missingLinkDER, _ = pem.Decode([]byte(MISSING_CHAIN_CERT))
|
||||
var missingLink, _ = x509.ParseCertificate(missingLinkDER.Bytes)
|
||||
|
||||
type stringCb = func() (string, error)
|
||||
|
||||
type Dialer interface {
|
||||
|
|
@ -63,24 +35,22 @@ type ContextDialer interface {
|
|||
}
|
||||
|
||||
type ProxyDialer struct {
|
||||
address stringCb
|
||||
tlsServerName stringCb
|
||||
fakeSNI stringCb
|
||||
auth stringCb
|
||||
next ContextDialer
|
||||
intermediateWorkaround bool
|
||||
caPool *x509.CertPool
|
||||
address stringCb
|
||||
tlsServerName stringCb
|
||||
fakeSNI stringCb
|
||||
auth stringCb
|
||||
next ContextDialer
|
||||
caPool *x509.CertPool
|
||||
}
|
||||
|
||||
func NewProxyDialer(address, tlsServerName, fakeSNI, auth stringCb, intermediateWorkaround bool, caPool *x509.CertPool, nextDialer ContextDialer) *ProxyDialer {
|
||||
func NewProxyDialer(address, tlsServerName, fakeSNI, auth stringCb, caPool *x509.CertPool, nextDialer ContextDialer) *ProxyDialer {
|
||||
return &ProxyDialer{
|
||||
address: address,
|
||||
tlsServerName: tlsServerName,
|
||||
fakeSNI: fakeSNI,
|
||||
auth: auth,
|
||||
next: nextDialer,
|
||||
intermediateWorkaround: intermediateWorkaround,
|
||||
caPool: caPool,
|
||||
address: address,
|
||||
tlsServerName: tlsServerName,
|
||||
fakeSNI: fakeSNI,
|
||||
auth: auth,
|
||||
next: nextDialer,
|
||||
caPool: caPool,
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -116,7 +86,6 @@ func ProxyDialerFromURL(u *url.URL, next ContextDialer) (*ProxyDialer, error) {
|
|||
WrapStringToCb(tlsServerName),
|
||||
WrapStringToCb(tlsServerName),
|
||||
auth,
|
||||
false,
|
||||
nil,
|
||||
next), nil
|
||||
}
|
||||
|
|
@ -158,16 +127,8 @@ func (d *ProxyDialer) DialContext(ctx context.Context, network, address string)
|
|||
Intermediates: x509.NewCertPool(),
|
||||
Roots: d.caPool,
|
||||
}
|
||||
waRequired := false
|
||||
for _, cert := range cs.PeerCertificates[1:] {
|
||||
opts.Intermediates.AddCert(cert)
|
||||
if d.intermediateWorkaround && !waRequired &&
|
||||
bytes.Compare(cert.AuthorityKeyId, missingLink.SubjectKeyId) == 0 {
|
||||
waRequired = true
|
||||
}
|
||||
}
|
||||
if waRequired {
|
||||
opts.Intermediates.AddCert(missingLink)
|
||||
}
|
||||
_, err := cs.PeerCertificates[0].Verify(opts)
|
||||
return err
|
||||
|
|
|
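Review bot: With the bundled cross-sign gone, `cs.PeerCertificates[0].Verify(opts)` is now the whole of server authentication in this path, so it is worth confirming that the `opts` literal — which starts outside this hunk — still sets `DNSName` to the real server name rather than the fake SNI; if this is a `VerifyConnection` callback running under `InsecureSkipVerify` (not visible here), nothing else checks the hostname. On the visible lines, a length guard before the index is cheap insurance even though crypto/tls rejects an empty server Certificate message before such a callback runs: `if len(cs.PeerCertificates) == 0 { return errors.New("server sent no certificate") }`. Wrapping the result as `return fmt.Errorf("proxy certificate chain verification failed: %w", err)` would make a failed chain attributable in logs, which matters more now that hosts with an old trust store may fail here instead of having the intermediate patched in; both `errors` and `fmt` are already imported per the first hunk. DialContext itself begins and ends outside this hunk.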
|||
4
main.go
4
main.go
|
|
@ -122,7 +122,6 @@ type CLIArgs struct {
|
|||
refreshRetry time.Duration
|
||||
initRetries int
|
||||
initRetryInterval time.Duration
|
||||
certChainWorkaround bool
|
||||
caFile string
|
||||
fakeSNI string
|
||||
overrideProxyAddress string
|
||||
|
|
@ -177,8 +176,6 @@ func parse_args() *CLIArgs {
|
|||
flag.DurationVar(&args.refreshRetry, "refresh-retry", 5*time.Second, "login refresh retry interval")
|
||||
flag.IntVar(&args.initRetries, "init-retries", 0, "number of attempts for initialization steps, zero for unlimited retry")
|
||||
flag.DurationVar(&args.initRetryInterval, "init-retry-interval", 5*time.Second, "delay between initialization retries")
|
||||
flag.BoolVar(&args.certChainWorkaround, "certchain-workaround", true,
|
||||
"add bundled cross-signed intermediate cert to certchain to make it check out on old systems")
|
||||
flag.StringVar(&args.caFile, "cafile", "", "use custom CA certificate bundle file")
|
||||
flag.StringVar(&args.fakeSNI, "fake-SNI", "", "domain name to use as SNI in communications with servers")
|
||||
flag.StringVar(&args.overrideProxyAddress, "override-proxy-address", "", "use fixed proxy address instead of server address returned by SurfEasy API")
|
||||
|
|
@ -387,7 +384,6 @@ func run() int {
|
|||
func() (string, error) {
|
||||
return dialer.BasicAuthHeader(seclient.GetProxyCredentials()), nil
|
||||
},
|
||||
args.certChainWorkaround,
|
||||
caPool,
|
||||
d)
|
||||
}
|
||||
|
|
|
|||
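Review bot: Dropping the `certchain-workaround` flag outright (the two `flag.BoolVar` lines removed from parse_args) turns any existing invocation or `config` file that still mentions it into a startup failure, since Go's flag package rejects unknown flags with "flag provided but not defined". Because the flag defaulted to true and was documented in the README, keeping a one-release no-op for compatibility, e.g. `_ = flag.Bool("certchain-workaround", true, "deprecated: no longer has any effect")`, plus a changelog entry, would avoid breaking deployments that copied the documented defaults. Users who relied on the cross-signed intermediate on an old trust store now need `-cafile` with an updated bundle; a sentence to that effect in the `cafile` help text would pre-empt the support question. parse_args and run both extend beyond these hunks.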