Adding support for additional root CAs for DoH TLS Auth (#1281)
This commit is contained in:
parent
68ccd1410f
commit
5db4365540
|
@ -226,6 +226,7 @@ type TLSClientAuthCredsConfig struct {
|
|||
ServerName string `toml:"server_name"`
|
||||
ClientCert string `toml:"client_cert"`
|
||||
ClientKey string `toml:"client_key"`
|
||||
RootCA string `toml:"root_ca"`
|
||||
}
|
||||
|
||||
type DoHClientX509AuthConfig struct {
|
||||
|
@ -506,6 +507,7 @@ func ConfigLoad(proxy *Proxy, flags *ConfigFlags) error {
|
|||
credFiles := DOHClientCreds{
|
||||
clientCert: configClientCred.ClientCert,
|
||||
clientKey: configClientCred.ClientKey,
|
||||
rootCA: configClientCred.RootCA,
|
||||
}
|
||||
creds[configClientCred.ServerName] = credFiles
|
||||
}
|
||||
|
|
|
@ -648,7 +648,7 @@ fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familys
|
|||
# [doh_client_x509_auth]
|
||||
|
||||
# creds = [
|
||||
# { server_name='myserver', client_cert='client.crt', client_key='client.key' }
|
||||
# { server_name='myserver', client_cert='client.crt', client_key='client.key', root_ca='ca.crt' }
|
||||
# ]
|
||||
|
||||
|
||||
|
|
|
@ -38,6 +38,7 @@ type ServerBugs struct {
|
|||
type DOHClientCreds struct {
|
||||
clientCert string
|
||||
clientKey string
|
||||
rootCA string
|
||||
}
|
||||
|
||||
type ServerInfo struct {
|
||||
|
|
|
@ -5,6 +5,7 @@ import (
|
|||
"context"
|
||||
"crypto/sha512"
|
||||
"crypto/tls"
|
||||
"crypto/x509"
|
||||
"encoding/base64"
|
||||
"encoding/hex"
|
||||
"errors"
|
||||
|
@ -164,6 +165,15 @@ func (xTransport *XTransport) rebuildTransport() {
|
|||
if err != nil {
|
||||
dlog.Fatalf("Unable to use certificate [%v] (key: [%v]): %v", clientCreds.clientCert, clientCreds.clientKey, err)
|
||||
}
|
||||
if clientCreds.rootCA != "" {
|
||||
caCert, err := ioutil.ReadFile(clientCreds.rootCA)
|
||||
if err != nil {
|
||||
dlog.Fatal(err)
|
||||
}
|
||||
systemCertPool, err := x509.SystemCertPool()
|
||||
systemCertPool.AppendCertsFromPEM(caCert)
|
||||
tlsClientConfig.RootCAs = systemCertPool
|
||||
}
|
||||
tlsClientConfig.Certificates = []tls.Certificate{cert}
|
||||
}
|
||||
if xTransport.tlsDisableSessionTickets || xTransport.tlsCipherSuite != nil {
|
||||
|
|
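Review bot: The return values at `systemCertPool, err := x509.SystemCertPool()` and `systemCertPool.AppendCertsFromPEM(caCert)` are both unchecked, so on a platform where the system pool is unavailable (`err` non-nil, pool nil) the following line dereferences a nil pool, and a `root_ca` file containing no parseable PEM certificate is silently ignored while the operator believes the custom CA is in effect. Both conditions should fail loudly, matching the `dlog.Fatal` handling already used for the read error two lines above. A comment is also worth adding that the CA is appended to the system roots rather than replacing them — this is additive trust, not pinning, so a server certificate issued by any public CA is still accepted for that server_name. rebuildTransport starts and ends outside this hunk, and whether `clientCreds` here is a single lookup or a loop iteration (in which case only the last entry's pool would survive, since SystemCertPool returns a fresh copy on each call) is not visible from the hunk.
```go
if clientCreds.rootCA != "" {
	caCert, err := ioutil.ReadFile(clientCreds.rootCA)
	if err != nil {
		dlog.Fatal(err)
	}
	// Additive trust: the configured CA is appended to the system roots, not substituted for them.
	systemCertPool, err := x509.SystemCertPool()
	if err != nil || systemCertPool == nil {
		dlog.Fatalf("Unable to load the system certificate pool: %v", err)
	}
	if !systemCertPool.AppendCertsFromPEM(caCert) {
		dlog.Fatalf("No valid PEM certificate found in root CA file [%v]", clientCreds.rootCA)
	}
	tlsClientConfig.RootCAs = systemCertPool
}
```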