diff --git a/README.md b/README.md
index 88cb0f8..25c510e 100644
--- a/README.md
+++ b/README.md
@@ -99,7 +99,6 @@ eu3.sec-tunnel.com,77.111.244.22,443
 | bind-address | String | proxy listen address (default "127.0.0.1:18080") |
 | bootstrap-dns | String | Comma-separated list of DNS/DoH/DoT resolvers for initial discovery of SurfEasy API address. Supported schemes are: `dns://`, `https://`, `tls://`, `tcp://`. Examples: `https://1.1.1.1/dns-query`, `tls://9.9.9.9:853` (default `https://1.1.1.3/dns-query,https://8.8.8.8/dns-query,https://dns.google/dns-query,https://security.cloudflare-dns.com/dns-query,https://fidelity.vm-0.com/q,https://wikimedia-dns.org/dns-query,https://dns.adguard-dns.com/dns-query,https://dns.quad9.net/dns-query,https://doh.cleanbrowsing.org/doh/adult-filter/`) |
 | cafile | String | use custom CA certificate bundle file |
-| certchain-workaround | Boolean | add bundled cross-signed intermediate cert to certchain to make it check out on old systems (default true) |
 | config | String | read configuration from file with space-separated keys and values |
 | country | String | desired proxy location (default "EU") |
 | dp-export | - | export configuration for dumbproxy |
diff --git a/dialer/upstream.go b/dialer/upstream.go
index aba7226..56eed3c 100644
--- a/dialer/upstream.go
+++ b/dialer/upstream.go
@@ -7,7 +7,6 @@ import (
  "crypto/tls"
  "crypto/x509"
  "encoding/base64"
- "encoding/pem"
  "errors"
  "fmt"
  "io"
@@ -22,35 +21,8 @@ const (
  PROXY_CONNECT_METHOD = "CONNECT"
  PROXY_HOST_HEADER = "Host"
  PROXY_AUTHORIZATION_HEADER = "Proxy-Authorization"
- MISSING_CHAIN_CERT = `-----BEGIN CERTIFICATE-----
-MIID0zCCArugAwIBAgIQVmcdBOpPmUxvEIFHWdJ1lDANBgkqhkiG9w0BAQwFADB7
-MQswCQYDVQQGEwJHQjEbMBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYD
-VQQHDAdTYWxmb3JkMRowGAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEhMB8GA1UE
-AwwYQUFBIENlcnRpZmljYXRlIFNlcnZpY2VzMB4XDTE5MDMxMjAwMDAwMFoXDTI4
-MTIzMTIzNTk1OVowgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5
-MRQwEgYDVQQHEwtKZXJzZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBO
-ZXR3b3JrMS4wLAYDVQQDEyVVU0VSVHJ1c3QgRUNDIENlcnRpZmljYXRpb24gQXV0
-aG9yaXR5MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEGqxUWqn5aCPnetUkb1PGWthL
-q8bVttHmc3Gu3ZzWDGH926CJA7gFFOxXzu5dP+Ihs8731Ip54KODfi2X0GHE8Znc
-JZFjq38wo7Rw4sehM5zzvy5cU7Ffs30yf4o043l5o4HyMIHvMB8GA1UdIwQYMBaA
-FKARCiM+lvEH7OKvKe+CpX/QMKS0MB0GA1UdDgQWBBQ64QmG1M8ZwpZ2dEl23OA1
-xmNjmjAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zARBgNVHSAECjAI
-MAYGBFUdIAAwQwYDVR0fBDwwOjA4oDagNIYyaHR0cDovL2NybC5jb21vZG9jYS5j
-b20vQUFBQ2VydGlmaWNhdGVTZXJ2aWNlcy5jcmwwNAYIKwYBBQUHAQEEKDAmMCQG
-CCsGAQUFBzABhhhodHRwOi8vb2NzcC5jb21vZG9jYS5jb20wDQYJKoZIhvcNAQEM
-BQADggEBABns652JLCALBIAdGN5CmXKZFjK9Dpx1WywV4ilAbe7/ctvbq5AfjJXy
-ij0IckKJUAfiORVsAYfZFhr1wHUrxeZWEQff2Ji8fJ8ZOd+LygBkc7xGEJuTI42+
-FsMuCIKchjN0djsoTI0DQoWz4rIjQtUfenVqGtF8qmchxDM6OW1TyaLtYiKou+JV
-bJlsQ2uRl9EMC5MCHdK8aXdJ5htN978UeAOwproLtOGFfy/cQjutdAFI3tZs4RmY
-CV4Ks2dH/hzg1cEo70qLRDEmBDeNiXQ2Lu+lIg+DdEmSx/cQwgwp+7e9un/jX9Wf
-8qn0dNW44bOwgeThpWOjzOoEeJBuv/c=
------END CERTIFICATE-----
-`
 )
 
-var missingLinkDER, _ = pem.Decode([]byte(MISSING_CHAIN_CERT))
-var missingLink, _ = x509.ParseCertificate(missingLinkDER.Bytes)
-
 type stringCb = func() (string, error)
 
 type Dialer interface {
@@ -63,24 +35,22 @@ type ContextDialer interface {
 }
 
type ProxyDialer struct {
- address stringCb
- tlsServerName stringCb
- fakeSNI stringCb
- auth stringCb
- next ContextDialer
- intermediateWorkaround bool
- caPool *x509.CertPool
+ address stringCb
+ tlsServerName stringCb
+ fakeSNI stringCb
+ auth stringCb
+ next ContextDialer
+ caPool *x509.CertPool
 }
 
-func NewProxyDialer(address, tlsServerName, fakeSNI, auth stringCb, intermediateWorkaround bool, caPool *x509.CertPool, nextDialer ContextDialer) *ProxyDialer {
+func NewProxyDialer(address, tlsServerName, fakeSNI, auth stringCb, caPool *x509.CertPool, nextDialer ContextDialer) *ProxyDialer {
  return &ProxyDialer{
- address: address,
- tlsServerName: tlsServerName,
- fakeSNI: fakeSNI,
- auth: auth,
- next: nextDialer,
- intermediateWorkaround: intermediateWorkaround,
- caPool: caPool,
+ address: address,
+ tlsServerName: tlsServerName,
+ fakeSNI: fakeSNI,
+ auth: auth,
+ next: nextDialer,
+ caPool: caPool,
  }
 }
 
@@ -116,7 +86,6 @@ func ProxyDialerFromURL(u *url.URL, next ContextDialer) (*ProxyDialer, error) {
  WrapStringToCb(tlsServerName),
  WrapStringToCb(tlsServerName),
  auth,
- false,
  nil,
  next), nil
 }
@@ -158,16 +127,8 @@ func (d *ProxyDialer) DialContext(ctx context.Context, network, address string)
  Intermediates: x509.NewCertPool(),
  Roots: d.caPool,
  }
- waRequired := false
  for _, cert := range cs.PeerCertificates[1:] {
  opts.Intermediates.AddCert(cert)
- if d.intermediateWorkaround && !waRequired &&
- bytes.Compare(cert.AuthorityKeyId, missingLink.SubjectKeyId) == 0 {
- waRequired = true
- }
- }
- if waRequired {
- opts.Intermediates.AddCert(missingLink)
  }
  _, err := cs.PeerCertificates[0].Verify(opts)
  return err
diff --git a/main.go b/main.go
index cbd1c53..aa8cf20 100644
--- a/main.go
+++ b/main.go
@@ -122,7 +122,6 @@ type CLIArgs struct {
  refreshRetry time.Duration
  initRetries int
  initRetryInterval time.Duration
- certChainWorkaround bool
  caFile string
  fakeSNI string
  overrideProxyAddress string
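Review bot: ProxyDialer and NewProxyDialer are exported but carry no doc comment, and since this signature change already forces every caller to be edited, it is the right moment to add one; the new parameter list also breaks any out-of-tree importer of package dialer, which the commit message should say. Suggest `// NewProxyDialer returns a ProxyDialer; caPool becomes x509.VerifyOptions.Roots when the proxy certificate chain is checked, and nil selects the system root store.` above the func, and `caPool *x509.CertPool // nil: system roots` on the struct field. The nil-means-system-roots reading comes from caPool being passed straight through as Roots in the DialContext hunk below; confirm that is its only use before documenting it that way.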
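Review bot: With the bundled intermediate gone, Intermediates now holds exactly what the proxy sends, but `cs.PeerCertificates[1:]` and `cs.PeerCertificates[0]` remain unguarded index operations that panic inside the verification callback if the chain is empty; `if len(cs.PeerCertificates) == 0 { return errors.New("proxy presented no certificate") }` ahead of the opts literal (which starts above the hunk) turns that into an ordinary handshake error, and errors is already imported in this file. Dropping the `bytes.Compare` call also removes what may be the only reference to the `bytes` import, which would sit above the first line of the import hunk; if nothing else in upstream.go uses it the build fails, so that import needs checking too. Worth a line in the commit message as well: proxies whose chain depended on the cross-signed link will now fail verification on hosts lacking the newer root, and `cafile` is the remaining override. DialContext begins and ends outside the hunk.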
@@ -177,8 +176,6 @@ func parse_args() *CLIArgs {
  flag.DurationVar(&args.refreshRetry, "refresh-retry", 5*time.Second, "login refresh retry interval")
  flag.IntVar(&args.initRetries, "init-retries", 0, "number of attempts for initialization steps, zero for unlimited retry")
  flag.DurationVar(&args.initRetryInterval, "init-retry-interval", 5*time.Second, "delay between initialization retries")
- flag.BoolVar(&args.certChainWorkaround, "certchain-workaround", true,
- "add bundled cross-signed intermediate cert to certchain to make it check out on old systems")
  flag.StringVar(&args.caFile, "cafile", "", "use custom CA certificate bundle file")
  flag.StringVar(&args.fakeSNI, "fake-SNI", "", "domain name to use as SNI in communications with servers")
  flag.StringVar(&args.overrideProxyAddress, "override-proxy-address", "", "use fixed proxy address instead of server address returned by SurfEasy API")
@@ -387,7 +384,6 @@ func run() int {
  func() (string, error) {
  return dialer.BasicAuthHeader(seclient.GetProxyCredentials()), nil
  },
- args.certChainWorkaround,
  caPool,
  d)
  }
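Review bot: Removing the flag definition outright turns `certchain-workaround` into an unknown-flag error for anyone who still carries it in a `-config` file or a service unit, because the flag package rejects names it has not registered; this assumes the config-file loader feeds keys into the same FlagSet, which the README's description of `config` suggests. Keeping a no-op for a release, `_ = flag.Bool("certchain-workaround", true, "deprecated: no-op, kept for compatibility with existing config files")`, avoids that breakage and lets the README mark it deprecated instead of deleting the row. parse_args continues outside the hunk.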