remove outdated certchain workaround
@@ -99,7 +99,6 @@ eu3.sec-tunnel.com,77.111.244.22,443
|
|||||||
| bind-address | String | proxy listen address (default "127.0.0.1:18080") |
|
| bind-address | String | proxy listen address (default "127.0.0.1:18080") |
|
||||||
| bootstrap-dns | String | Comma-separated list of DNS/DoH/DoT resolvers for initial discovery of SurfEasy API address. Supported schemes are: `dns://`, `https://`, `tls://`, `tcp://`. Examples: `https://1.1.1.1/dns-query`, `tls://9.9.9.9:853` (default `https://1.1.1.3/dns-query,https://8.8.8.8/dns-query,https://dns.google/dns-query,https://security.cloudflare-dns.com/dns-query,https://fidelity.vm-0.com/q,https://wikimedia-dns.org/dns-query,https://dns.adguard-dns.com/dns-query,https://dns.quad9.net/dns-query,https://doh.cleanbrowsing.org/doh/adult-filter/`) |
|
| bootstrap-dns | String | Comma-separated list of DNS/DoH/DoT resolvers for initial discovery of SurfEasy API address. Supported schemes are: `dns://`, `https://`, `tls://`, `tcp://`. Examples: `https://1.1.1.1/dns-query`, `tls://9.9.9.9:853` (default `https://1.1.1.3/dns-query,https://8.8.8.8/dns-query,https://dns.google/dns-query,https://security.cloudflare-dns.com/dns-query,https://fidelity.vm-0.com/q,https://wikimedia-dns.org/dns-query,https://dns.adguard-dns.com/dns-query,https://dns.quad9.net/dns-query,https://doh.cleanbrowsing.org/doh/adult-filter/`) |
|
||||||
| cafile | String | use custom CA certificate bundle file |
|
| cafile | String | use custom CA certificate bundle file |
|
||||||
| certchain-workaround | Boolean | add bundled cross-signed intermediate cert to certchain to make it check out on old systems (default true) |
|
|
||||||
| config | String | read configuration from file with space-separated keys and values |
|
| config | String | read configuration from file with space-separated keys and values |
|
||||||
| country | String | desired proxy location (default "EU") |
|
| country | String | desired proxy location (default "EU") |
|
||||||
| dp-export | - | export configuration for dumbproxy |
|
| dp-export | - | export configuration for dumbproxy |
|
||||||
|
|||||||
+1
-40
@@ -7,7 +7,6 @@ import (
|
|||||||
"crypto/tls"
|
"crypto/tls"
|
||||||
"crypto/x509"
|
"crypto/x509"
|
||||||
"encoding/base64"
|
"encoding/base64"
|
||||||
"encoding/pem"
|
|
||||||
"errors"
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
"io"
|
"io"
|
||||||
@@ -22,35 +21,8 @@ const (
|
|||||||
PROXY_CONNECT_METHOD = "CONNECT"
|
PROXY_CONNECT_METHOD = "CONNECT"
|
||||||
PROXY_HOST_HEADER = "Host"
|
PROXY_HOST_HEADER = "Host"
|
||||||
PROXY_AUTHORIZATION_HEADER = "Proxy-Authorization"
|
PROXY_AUTHORIZATION_HEADER = "Proxy-Authorization"
|
||||||
MISSING_CHAIN_CERT = `-----BEGIN CERTIFICATE-----
|
|
||||||
MIID0zCCArugAwIBAgIQVmcdBOpPmUxvEIFHWdJ1lDANBgkqhkiG9w0BAQwFADB7
|
|
||||||
MQswCQYDVQQGEwJHQjEbMBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYD
|
|
||||||
VQQHDAdTYWxmb3JkMRowGAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEhMB8GA1UE
|
|
||||||
AwwYQUFBIENlcnRpZmljYXRlIFNlcnZpY2VzMB4XDTE5MDMxMjAwMDAwMFoXDTI4
|
|
||||||
MTIzMTIzNTk1OVowgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5
|
|
||||||
MRQwEgYDVQQHEwtKZXJzZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBO
|
|
||||||
ZXR3b3JrMS4wLAYDVQQDEyVVU0VSVHJ1c3QgRUNDIENlcnRpZmljYXRpb24gQXV0
|
|
||||||
aG9yaXR5MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEGqxUWqn5aCPnetUkb1PGWthL
|
|
||||||
q8bVttHmc3Gu3ZzWDGH926CJA7gFFOxXzu5dP+Ihs8731Ip54KODfi2X0GHE8Znc
|
|
||||||
JZFjq38wo7Rw4sehM5zzvy5cU7Ffs30yf4o043l5o4HyMIHvMB8GA1UdIwQYMBaA
|
|
||||||
FKARCiM+lvEH7OKvKe+CpX/QMKS0MB0GA1UdDgQWBBQ64QmG1M8ZwpZ2dEl23OA1
|
|
||||||
xmNjmjAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zARBgNVHSAECjAI
|
|
||||||
MAYGBFUdIAAwQwYDVR0fBDwwOjA4oDagNIYyaHR0cDovL2NybC5jb21vZG9jYS5j
|
|
||||||
b20vQUFBQ2VydGlmaWNhdGVTZXJ2aWNlcy5jcmwwNAYIKwYBBQUHAQEEKDAmMCQG
|
|
||||||
CCsGAQUFBzABhhhodHRwOi8vb2NzcC5jb21vZG9jYS5jb20wDQYJKoZIhvcNAQEM
|
|
||||||
BQADggEBABns652JLCALBIAdGN5CmXKZFjK9Dpx1WywV4ilAbe7/ctvbq5AfjJXy
|
|
||||||
ij0IckKJUAfiORVsAYfZFhr1wHUrxeZWEQff2Ji8fJ8ZOd+LygBkc7xGEJuTI42+
|
|
||||||
FsMuCIKchjN0djsoTI0DQoWz4rIjQtUfenVqGtF8qmchxDM6OW1TyaLtYiKou+JV
|
|
||||||
bJlsQ2uRl9EMC5MCHdK8aXdJ5htN978UeAOwproLtOGFfy/cQjutdAFI3tZs4RmY
|
|
||||||
CV4Ks2dH/hzg1cEo70qLRDEmBDeNiXQ2Lu+lIg+DdEmSx/cQwgwp+7e9un/jX9Wf
|
|
||||||
8qn0dNW44bOwgeThpWOjzOoEeJBuv/c=
|
|
||||||
-----END CERTIFICATE-----
|
|
||||||
`
|
|
||||||
)
|
)
|
||||||
|
|
||||||
var missingLinkDER, _ = pem.Decode([]byte(MISSING_CHAIN_CERT))
|
|
||||||
var missingLink, _ = x509.ParseCertificate(missingLinkDER.Bytes)
|
|
||||||
|
|
||||||
type stringCb = func() (string, error)
|
type stringCb = func() (string, error)
|
||||||
|
|
||||||
type Dialer interface {
|
type Dialer interface {
|
||||||
@@ -68,18 +40,16 @@ type ProxyDialer struct {
|
|||||||
fakeSNI stringCb
|
fakeSNI stringCb
|
||||||
auth stringCb
|
auth stringCb
|
||||||
next ContextDialer
|
next ContextDialer
|
||||||
intermediateWorkaround bool
|
|
||||||
caPool *x509.CertPool
|
caPool *x509.CertPool
|
||||||
}
|
}
|
||||||
|
|
||||||
func NewProxyDialer(address, tlsServerName, fakeSNI, auth stringCb, intermediateWorkaround bool, caPool *x509.CertPool, nextDialer ContextDialer) *ProxyDialer {
|
func NewProxyDialer(address, tlsServerName, fakeSNI, auth stringCb, caPool *x509.CertPool, nextDialer ContextDialer) *ProxyDialer {
|
||||||
return &ProxyDialer{
|
return &ProxyDialer{
|
||||||
address: address,
|
address: address,
|
||||||
tlsServerName: tlsServerName,
|
tlsServerName: tlsServerName,
|
||||||
fakeSNI: fakeSNI,
|
fakeSNI: fakeSNI,
|
||||||
auth: auth,
|
auth: auth,
|
||||||
next: nextDialer,
|
next: nextDialer,
|
||||||
intermediateWorkaround: intermediateWorkaround,
|
|
||||||
caPool: caPool,
|
caPool: caPool,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -116,7 +86,6 @@ func ProxyDialerFromURL(u *url.URL, next ContextDialer) (*ProxyDialer, error) {
|
|||||||
WrapStringToCb(tlsServerName),
|
WrapStringToCb(tlsServerName),
|
||||||
WrapStringToCb(tlsServerName),
|
WrapStringToCb(tlsServerName),
|
||||||
auth,
|
auth,
|
||||||
false,
|
|
||||||
nil,
|
nil,
|
||||||
next), nil
|
next), nil
|
||||||
}
|
}
|
||||||
@@ -158,16 +127,8 @@ func (d *ProxyDialer) DialContext(ctx context.Context, network, address string)
|
|||||||
Intermediates: x509.NewCertPool(),
|
Intermediates: x509.NewCertPool(),
|
||||||
Roots: d.caPool,
|
Roots: d.caPool,
|
||||||
}
|
}
|
||||||
waRequired := false
|
|
||||||
for _, cert := range cs.PeerCertificates[1:] {
|
for _, cert := range cs.PeerCertificates[1:] {
|
||||||
opts.Intermediates.AddCert(cert)
|
opts.Intermediates.AddCert(cert)
|
||||||
if d.intermediateWorkaround && !waRequired &&
|
|
||||||
bytes.Compare(cert.AuthorityKeyId, missingLink.SubjectKeyId) == 0 {
|
|
||||||
waRequired = true
|
|
||||||
}
|
|
||||||
}
|
|
||||||
if waRequired {
|
|
||||||
opts.Intermediates.AddCert(missingLink)
|
|
||||||
}
|
}
|
||||||
_, err := cs.PeerCertificates[0].Verify(opts)
|
_, err := cs.PeerCertificates[0].Verify(opts)
|
||||||
return err
|
return err
|
||||||
|
|||||||
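Review bot: With the bundled intermediate gone, the chain check in DialContext now relies solely on the intermediates the peer presents plus `d.caPool`, yet `cs.PeerCertificates[0]` is still indexed before `Verify` with no length check; Go's client handshake normally rejects an empty server certificate list before this callback runs, so a guard such as `if len(cs.PeerCertificates) == 0 { return errors.New("server presented no certificate") }` ahead of the loop is defensive rather than a fix, and `errors` is already imported. A comment above the `for` loop would record the new contract: `// Build the chain from peer-supplied intermediates only; a nil caPool means system roots.` DialContext begins above this hunk, as does the `opts` initializer, so whether a DNSName is set there cannot be confirmed from the diff. If the removed `bytes.Compare` call was the file's only use of `bytes`, that import sits above the visible import hunk and would also need dropping — presumably already handled, but worth confirming with a build.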
@@ -122,7 +122,6 @@ type CLIArgs struct {
|
|||||||
refreshRetry time.Duration
|
refreshRetry time.Duration
|
||||||
initRetries int
|
initRetries int
|
||||||
initRetryInterval time.Duration
|
initRetryInterval time.Duration
|
||||||
certChainWorkaround bool
|
|
||||||
caFile string
|
caFile string
|
||||||
fakeSNI string
|
fakeSNI string
|
||||||
overrideProxyAddress string
|
overrideProxyAddress string
|
||||||
@@ -177,8 +176,6 @@ func parse_args() *CLIArgs {
|
|||||||
flag.DurationVar(&args.refreshRetry, "refresh-retry", 5*time.Second, "login refresh retry interval")
|
flag.DurationVar(&args.refreshRetry, "refresh-retry", 5*time.Second, "login refresh retry interval")
|
||||||
flag.IntVar(&args.initRetries, "init-retries", 0, "number of attempts for initialization steps, zero for unlimited retry")
|
flag.IntVar(&args.initRetries, "init-retries", 0, "number of attempts for initialization steps, zero for unlimited retry")
|
||||||
flag.DurationVar(&args.initRetryInterval, "init-retry-interval", 5*time.Second, "delay between initialization retries")
|
flag.DurationVar(&args.initRetryInterval, "init-retry-interval", 5*time.Second, "delay between initialization retries")
|
||||||
flag.BoolVar(&args.certChainWorkaround, "certchain-workaround", true,
|
|
||||||
"add bundled cross-signed intermediate cert to certchain to make it check out on old systems")
|
|
||||||
flag.StringVar(&args.caFile, "cafile", "", "use custom CA certificate bundle file")
|
flag.StringVar(&args.caFile, "cafile", "", "use custom CA certificate bundle file")
|
||||||
flag.StringVar(&args.fakeSNI, "fake-SNI", "", "domain name to use as SNI in communications with servers")
|
flag.StringVar(&args.fakeSNI, "fake-SNI", "", "domain name to use as SNI in communications with servers")
|
||||||
flag.StringVar(&args.overrideProxyAddress, "override-proxy-address", "", "use fixed proxy address instead of server address returned by SurfEasy API")
|
flag.StringVar(&args.overrideProxyAddress, "override-proxy-address", "", "use fixed proxy address instead of server address returned by SurfEasy API")
|
||||||
@@ -387,7 +384,6 @@ func run() int {
|
|||||||
func() (string, error) {
|
func() (string, error) {
|
||||||
return dialer.BasicAuthHeader(seclient.GetProxyCredentials()), nil
|
return dialer.BasicAuthHeader(seclient.GetProxyCredentials()), nil
|
||||||
},
|
},
|
||||||
args.certChainWorkaround,
|
|
||||||
caPool,
|
caPool,
|
||||||
d)
|
d)
|
||||||
}
|
}
|
||||||
|
|||||||