
Switch from path to file mode of SSL_CTX_load_verify_locations

Rod Hynes 10 лет назад
Родитель
Сommit
79bb06fe27

+ 5 - 5
psiphon/config.go

@@ -244,11 +244,11 @@ type Config struct {
 	// parameter is only supported on platforms built with OpenSSL.
 	UseIndistinguishableTLS bool
 
-	// SystemCACertificateDirectory specifies a directory containing OpenSSL-format
-	// CA certificate files (OpenSSL 1.0.1+ format). When specified, this enables
-	// use of indistinguishable TLS for HTTPS requests that require typical (system
-	// CA) server authentication.
-	SystemCACertificateDirectory string
+	// TrustedCACertificatesFilename specifies a file containing trusted CA certs.
+	// The file contents should be compatible with OpenSSL's SSL_CTX_load_verify_locations.
+	// When specified, this enables use of indistinguishable TLS for HTTPS requests
+	// that require typical (system CA) server authentication.
+	TrustedCACertificatesFilename string
 }
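Review bot: Renaming the JSON config field from SystemCACertificateDirectory to TrustedCACertificatesFilename silently drops the old key: a deployed config that still sets SystemCACertificateDirectory will parse without error and leave TrustedCACertificatesFilename empty. Judging from the updated condition in the tlsDialer.go hunk, an empty value appears to make CustomTLSDial bypass the OpenSSL path and fall back to the default TLS stack, so the indistinguishability the operator asked for would be lost with no log line or error. Consider having LoadConfig reject or at least warn on the removed key, and add a sentence to the field comment such as `// Replaces the former SystemCACertificateDirectory, which is no longer recognized.`. The Config struct begins outside the hunk.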
 
 // LoadConfig parses and validates a JSON format Psiphon config JSON

+ 6 - 6
psiphon/controller.go

@@ -78,12 +78,12 @@ func NewController(config *Config) (controller *Controller, err error) {
 	// used to exclude these requests and connection from VPN routing.
 	untunneledPendingConns := new(Conns)
 	untunneledDialConfig := &DialConfig{
-		UpstreamProxyUrl:             config.UpstreamProxyUrl,
-		PendingConns:                 untunneledPendingConns,
-		DeviceBinder:                 config.DeviceBinder,
-		DnsServerGetter:              config.DnsServerGetter,
-		UseIndistinguishableTLS:      config.UseIndistinguishableTLS,
-		SystemCACertificateDirectory: config.SystemCACertificateDirectory,
+		UpstreamProxyUrl:              config.UpstreamProxyUrl,
+		PendingConns:                  untunneledPendingConns,
+		DeviceBinder:                  config.DeviceBinder,
+		DnsServerGetter:               config.DnsServerGetter,
+		UseIndistinguishableTLS:       config.UseIndistinguishableTLS,
+		TrustedCACertificatesFilename: config.TrustedCACertificatesFilename,
 	}
 
 	controller = &Controller{

+ 7 - 7
psiphon/meekConn.go

@@ -162,13 +162,13 @@ func DialMeek(
 
 		dialer = NewCustomTLSDialer(
 			&CustomTLSConfig{
-				Dial:                         NewTCPDialer(meekConfig),
-				Timeout:                      meekConfig.ConnectTimeout,
-				FrontingAddr:                 fmt.Sprintf("%s:%d", frontingAddress, 443),
-				SendServerName:               false,
-				SkipVerify:                   true,
-				UseIndistinguishableTLS:      config.UseIndistinguishableTLS,
-				SystemCACertificateDirectory: config.SystemCACertificateDirectory,
+				Dial:                          NewTCPDialer(meekConfig),
+				Timeout:                       meekConfig.ConnectTimeout,
+				FrontingAddr:                  fmt.Sprintf("%s:%d", frontingAddress, 443),
+				SendServerName:                false,
+				SkipVerify:                    true,
+				UseIndistinguishableTLS:       config.UseIndistinguishableTLS,
+				TrustedCACertificatesFilename: config.TrustedCACertificatesFilename,
 			})
 	} else {
 		// In the unfronted case, host is both what is dialed and what ends up in the HTTP Host header

+ 4 - 4
psiphon/net.go

@@ -72,11 +72,11 @@ type DialConfig struct {
 	// Only applies to TLS connections.
 	UseIndistinguishableTLS bool
 
-	// SystemCACertificateDirectory specifies a directory containing
-	// CA certs. Directory contents should be compatible with OpenSSL's
-	// SSL_CTX_load_verify_locations
+	// TrustedCACertificatesFilename specifies a file containing trusted
+	// CA certs. The file contents should be compatible with OpenSSL's
+	// SSL_CTX_load_verify_locations.
 	// Only applies to UseIndistinguishableTLS connections.
-	SystemCACertificateDirectory string
+	TrustedCACertificatesFilename string
 }
 
 // DeviceBinder defines the interface to the external BindToDevice provider

+ 3 - 3
psiphon/opensslConn.go

@@ -46,10 +46,10 @@ func newOpenSSLConn(rawConn net.Conn, hostname string, config *CustomTLSConfig)
 			// TODO: verify with VerifyLegacyCertificate
 			return nil, errors.New("newOpenSSLConn does not support VerifyLegacyCertificate")
 		} else {
-			if config.SystemCACertificateDirectory == "" {
-				return nil, errors.New("newOpenSSLConn cannot verify without SystemCACertificateDirectory")
+			if config.TrustedCACertificatesFilename == "" {
+				return nil, errors.New("newOpenSSLConn cannot verify without TrustedCACertificatesFilename")
 			}
-			err = ctx.LoadVerifyLocations("", config.SystemCACertificateDirectory)
+			err = ctx.LoadVerifyLocations(config.TrustedCACertificatesFilename, "")
 			if err != nil {
 				return nil, ContextError(err)
 			}
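Review bot: The new `ctx.LoadVerifyLocations(config.TrustedCACertificatesFilename, "")` call passes the name as OpenSSL's CAfile argument, which expects a single PEM file of concatenated CA certificates rather than the hashed-name directory the old CApath mode required, and none of the updated field comments in this commit say so. A short comment above the call, e.g. `// CAfile mode: one PEM bundle of trusted CA certificates; CApath is deliberately left unset`, would spare the next reader a trip to the OpenSSL docs. Since SkipVerify is false on this branch, that file is the sole trust anchor for these connections, which is worth stating in the same comment. newOpenSSLConn starts and ends outside the hunk.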

+ 5 - 5
psiphon/remoteServerList.go

@@ -54,11 +54,11 @@ func FetchRemoteServerList(config *Config, dialConfig *DialConfig) (err error) {
 	if requestUrl.Scheme == "https" {
 		dialer = NewCustomTLSDialer(
 			&CustomTLSConfig{
-				Dial:                         dialer,
-				SendServerName:               true,
-				SkipVerify:                   false,
-				UseIndistinguishableTLS:      config.UseIndistinguishableTLS,
-				SystemCACertificateDirectory: config.SystemCACertificateDirectory,
+				Dial:                          dialer,
+				SendServerName:                true,
+				SkipVerify:                    false,
+				UseIndistinguishableTLS:       config.UseIndistinguishableTLS,
+				TrustedCACertificatesFilename: config.TrustedCACertificatesFilename,
 			})
 
 		// Change the scheme to "http"; otherwise http.Transport will try to do

+ 3 - 3
psiphon/tlsDialer.go

@@ -112,11 +112,11 @@ type CustomTLSConfig struct {
 	// Go's TLS has a distinct fingerprint that may be used for blocking.
 	UseIndistinguishableTLS bool
 
-	// SystemCACertificateDirectory specifies a directory containing
+	// TrustedCACertificatesFilename specifies a file containing trusted
 	// CA certs. Directory contents should be compatible with OpenSSL's
 	// SSL_CTX_load_verify_locations
 	// Only applies to UseIndistinguishableTLS connections.
-	SystemCACertificateDirectory string
+	TrustedCACertificatesFilename string
 }
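Review bot: The doc comment on TrustedCACertificatesFilename is only half updated: the added first line now says "a file containing trusted", but the unchanged line below it still reads `// CA certs. Directory contents should be compatible with OpenSSL's`. The matching comment in the net.go hunk of this same commit was corrected to "The file contents should be compatible with OpenSSL's"; this one should say the same, e.g. `// CA certs. The file contents should be compatible with OpenSSL's` followed by `// SSL_CTX_load_verify_locations.`. The CustomTLSConfig struct begins outside the hunk.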
 
 func NewCustomTLSDialer(config *CustomTLSConfig) Dialer {
@@ -189,7 +189,7 @@ func CustomTLSDial(network, addr string, config *CustomTLSConfig) (net.Conn, err
 	if config.UseIndistinguishableTLS &&
 		(config.SkipVerify ||
 			// TODO: config.VerifyLegacyCertificate != nil ||
-			config.SystemCACertificateDirectory != "") {
+			config.TrustedCACertificatesFilename != "") {
 
 		conn, err = newOpenSSLConn(rawConn, hostname, config)
 		if err != nil {

+ 7 - 7
psiphon/tunnel.go

@@ -378,13 +378,13 @@ func dialSsh(
 
 	// Create the base transport: meek or direct connection
 	dialConfig := &DialConfig{
-		UpstreamProxyUrl:             config.UpstreamProxyUrl,
-		ConnectTimeout:               TUNNEL_CONNECT_TIMEOUT,
-		PendingConns:                 pendingConns,
-		DeviceBinder:                 config.DeviceBinder,
-		DnsServerGetter:              config.DnsServerGetter,
-		UseIndistinguishableTLS:      config.UseIndistinguishableTLS,
-		SystemCACertificateDirectory: config.SystemCACertificateDirectory,
+		UpstreamProxyUrl:              config.UpstreamProxyUrl,
+		ConnectTimeout:                TUNNEL_CONNECT_TIMEOUT,
+		PendingConns:                  pendingConns,
+		DeviceBinder:                  config.DeviceBinder,
+		DnsServerGetter:               config.DnsServerGetter,
+		UseIndistinguishableTLS:       config.UseIndistinguishableTLS,
+		TrustedCACertificatesFilename: config.TrustedCACertificatesFilename,
 	}
 	if useMeek {
 		conn, err = DialMeek(serverEntry, sessionId, frontingAddress, dialConfig)