tls

package
v1.9.5 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Sep 26, 2024 License: MPL-2.0 Imports: 30 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source
var (
	Certificate_Usage_name = map[int32]string{
		0: "ENCIPHERMENT",
		1: "AUTHORITY_VERIFY",
		2: "AUTHORITY_ISSUE",
	}
	Certificate_Usage_value = map[string]int32{
		"ENCIPHERMENT":     0,
		"AUTHORITY_VERIFY": 1,
		"AUTHORITY_ISSUE":  2,
	}
)

Enum value maps for Certificate_Usage.

View Source
var File_transport_internet_tls_config_proto protoreflect.FileDescriptor
View Source
var ModernFingerprints = map[string]*utls.ClientHelloID{

	"hellofirefox_99":         &utls.HelloFirefox_99,
	"hellofirefox_102":        &utls.HelloFirefox_102,
	"hellofirefox_105":        &utls.HelloFirefox_105,
	"hellochrome_83":          &utls.HelloChrome_83,
	"hellochrome_87":          &utls.HelloChrome_87,
	"hellochrome_96":          &utls.HelloChrome_96,
	"hellochrome_100":         &utls.HelloChrome_100,
	"hellochrome_102":         &utls.HelloChrome_102,
	"hellochrome_106_shuffle": &utls.HelloChrome_106_Shuffle,
	"helloios_13":             &utls.HelloIOS_13,
	"helloios_14":             &utls.HelloIOS_14,
	"helloedge_85":            &utls.HelloEdge_85,
	"helloedge_106":           &utls.HelloEdge_106,
	"hellosafari_16_0":        &utls.HelloSafari_16_0,
	"hello360_11_0":           &utls.Hello360_11_0,
	"helloqq_11_1":            &utls.HelloQQ_11_1,
}
View Source
var OtherFingerprints = map[string]*utls.ClientHelloID{

	"hellogolang":            &utls.HelloGolang,
	"hellorandomized":        &utls.HelloRandomized,
	"hellorandomizedalpn":    &utls.HelloRandomizedALPN,
	"hellorandomizednoalpn":  &utls.HelloRandomizedNoALPN,
	"hellofirefox_auto":      &utls.HelloFirefox_Auto,
	"hellofirefox_55":        &utls.HelloFirefox_55,
	"hellofirefox_56":        &utls.HelloFirefox_56,
	"hellofirefox_63":        &utls.HelloFirefox_63,
	"hellofirefox_65":        &utls.HelloFirefox_65,
	"hellochrome_auto":       &utls.HelloChrome_Auto,
	"hellochrome_58":         &utls.HelloChrome_58,
	"hellochrome_62":         &utls.HelloChrome_62,
	"hellochrome_70":         &utls.HelloChrome_70,
	"hellochrome_72":         &utls.HelloChrome_72,
	"helloios_auto":          &utls.HelloIOS_Auto,
	"helloios_11_1":          &utls.HelloIOS_11_1,
	"helloios_12_1":          &utls.HelloIOS_12_1,
	"helloandroid_11_okhttp": &utls.HelloAndroid_11_OkHttp,
	"helloedge_auto":         &utls.HelloEdge_Auto,
	"hellosafari_auto":       &utls.HelloSafari_Auto,
	"hello360_auto":          &utls.Hello360_Auto,
	"hello360_7_5":           &utls.Hello360_7_5,
	"helloqq_auto":           &utls.HelloQQ_Auto,
}
View Source
var PresetFingerprints = map[string]*utls.ClientHelloID{

	"chrome":     &utls.HelloChrome_Auto,
	"firefox":    &utls.HelloFirefox_Auto,
	"safari":     &utls.HelloSafari_Auto,
	"ios":        &utls.HelloIOS_Auto,
	"android":    &utls.HelloAndroid_11_OkHttp,
	"edge":       &utls.HelloEdge_Auto,
	"360":        &utls.Hello360_Auto,
	"qq":         &utls.HelloQQ_Auto,
	"random":     nil,
	"randomized": nil,
}

Functions

func CalculatePEMCertChainSHA256Hash

func CalculatePEMCertChainSHA256Hash(certContent []byte) string

func Client

func Client(c net.Conn, config *tls.Config) net.Conn

Client initiates a TLS client handshake on the given connection.

func GenerateCertChainHash

func GenerateCertChainHash(rawCerts [][]byte) []byte

func GenerateCertPublicKeyHash

func GenerateCertPublicKeyHash(cert *x509.Certificate) []byte

func GetFingerprint

func GetFingerprint(name string) (fingerprint *utls.ClientHelloID)

func NewGrpcUtls

func NewGrpcUtls(c *gotls.Config, fingerprint *utls.ClientHelloID) credentials.TransportCredentials

NewGrpcUtls uses c to construct a TransportCredentials based on uTLS.

func Server

func Server(c net.Conn, config *tls.Config) net.Conn

Server initiates a TLS server handshake on the given connection.

func UClient

func UClient(c net.Conn, config *tls.Config, fingerprint *utls.ClientHelloID) net.Conn

Types

type Certificate

type Certificate struct {

	// TLS certificate in x509 format.
	Certificate []byte `protobuf:"bytes,1,opt,name=certificate,proto3" json:"certificate,omitempty"`
	// TLS key in x509 format.
	Key          []byte            `protobuf:"bytes,2,opt,name=key,proto3" json:"key,omitempty"`
	Usage        Certificate_Usage `protobuf:"varint,3,opt,name=usage,proto3,enum=xray.transport.internet.tls.Certificate_Usage" json:"usage,omitempty"`
	OcspStapling uint64            `protobuf:"varint,4,opt,name=ocsp_stapling,json=ocspStapling,proto3" json:"ocsp_stapling,omitempty"`
	// TLS certificate path
	CertificatePath string `protobuf:"bytes,5,opt,name=certificate_path,json=certificatePath,proto3" json:"certificate_path,omitempty"`
	// TLS Key path
	KeyPath string `protobuf:"bytes,6,opt,name=key_path,json=keyPath,proto3" json:"key_path,omitempty"`
	// If true, one-Time Loading
	OneTimeLoading bool `protobuf:"varint,7,opt,name=One_time_loading,json=OneTimeLoading,proto3" json:"One_time_loading,omitempty"`
	BuildChain     bool `protobuf:"varint,8,opt,name=build_chain,json=buildChain,proto3" json:"build_chain,omitempty"`
	// contains filtered or unexported fields
}

func ParseCertificate

func ParseCertificate(c *cert.Certificate) *Certificate

ParseCertificate converts a cert.Certificate to Certificate.

func (*Certificate) Descriptor deprecated

func (*Certificate) Descriptor() ([]byte, []int)

Deprecated: Use Certificate.ProtoReflect.Descriptor instead.

func (*Certificate) GetBuildChain

func (x *Certificate) GetBuildChain() bool

func (*Certificate) GetCertificate

func (x *Certificate) GetCertificate() []byte

func (*Certificate) GetCertificatePath

func (x *Certificate) GetCertificatePath() string

func (*Certificate) GetKey

func (x *Certificate) GetKey() []byte

func (*Certificate) GetKeyPath

func (x *Certificate) GetKeyPath() string

func (*Certificate) GetOcspStapling

func (x *Certificate) GetOcspStapling() uint64

func (*Certificate) GetOneTimeLoading

func (x *Certificate) GetOneTimeLoading() bool

func (*Certificate) GetUsage

func (x *Certificate) GetUsage() Certificate_Usage

func (*Certificate) ProtoMessage

func (*Certificate) ProtoMessage()

func (*Certificate) ProtoReflect

func (x *Certificate) ProtoReflect() protoreflect.Message

func (*Certificate) Reset

func (x *Certificate) Reset()

func (*Certificate) String

func (x *Certificate) String() string

type Certificate_Usage

type Certificate_Usage int32
const (
	Certificate_ENCIPHERMENT     Certificate_Usage = 0
	Certificate_AUTHORITY_VERIFY Certificate_Usage = 1
	Certificate_AUTHORITY_ISSUE  Certificate_Usage = 2
)

func (Certificate_Usage) Descriptor

func (Certificate_Usage) Enum

func (Certificate_Usage) EnumDescriptor deprecated

func (Certificate_Usage) EnumDescriptor() ([]byte, []int)

Deprecated: Use Certificate_Usage.Descriptor instead.

func (Certificate_Usage) Number

func (Certificate_Usage) String

func (x Certificate_Usage) String() string

func (Certificate_Usage) Type

type Config

type Config struct {

	// Whether or not to allow self-signed certificates.
	AllowInsecure bool `protobuf:"varint,1,opt,name=allow_insecure,json=allowInsecure,proto3" json:"allow_insecure,omitempty"`
	// List of certificates to be served on server.
	Certificate []*Certificate `protobuf:"bytes,2,rep,name=certificate,proto3" json:"certificate,omitempty"`
	// Override server name.
	ServerName string `protobuf:"bytes,3,opt,name=server_name,json=serverName,proto3" json:"server_name,omitempty"`
	// Lists of string as ALPN values.
	NextProtocol []string `protobuf:"bytes,4,rep,name=next_protocol,json=nextProtocol,proto3" json:"next_protocol,omitempty"`
	// Whether or not to enable session (ticket) resumption.
	EnableSessionResumption bool `` /* 133-byte string literal not displayed */
	// If true, root certificates on the system will not be loaded for
	// verification.
	DisableSystemRoot bool `protobuf:"varint,6,opt,name=disable_system_root,json=disableSystemRoot,proto3" json:"disable_system_root,omitempty"`
	// The minimum TLS version.
	MinVersion string `protobuf:"bytes,7,opt,name=min_version,json=minVersion,proto3" json:"min_version,omitempty"`
	// The maximum TLS version.
	MaxVersion string `protobuf:"bytes,8,opt,name=max_version,json=maxVersion,proto3" json:"max_version,omitempty"`
	// Specify cipher suites, except for TLS 1.3.
	CipherSuites string `protobuf:"bytes,9,opt,name=cipher_suites,json=cipherSuites,proto3" json:"cipher_suites,omitempty"`
	// Whether the server selects its most preferred ciphersuite.
	// Deprecated: crypto/tls has ignored this field.
	//
	// Deprecated: Marked as deprecated in transport/internet/tls/config.proto.
	PreferServerCipherSuites bool `` /* 139-byte string literal not displayed */
	// TLS Client Hello fingerprint (uTLS).
	Fingerprint      string `protobuf:"bytes,11,opt,name=fingerprint,proto3" json:"fingerprint,omitempty"`
	RejectUnknownSni bool   `protobuf:"varint,12,opt,name=reject_unknown_sni,json=rejectUnknownSni,proto3" json:"reject_unknown_sni,omitempty"`
	// @Document A pinned certificate chain sha256 hash.
	// @Document If the server's hash does not match this value, the connection will be aborted.
	// @Document This value replace allow_insecure.
	// @Critical
	PinnedPeerCertificateChainSha256 [][]byte `` /* 164-byte string literal not displayed */
	// @Document A pinned certificate public key sha256 hash.
	// @Document If the server's public key hash does not match this value, the connection will be aborted.
	// @Document This value replace allow_insecure.
	// @Critical
	PinnedPeerCertificatePublicKeySha256 [][]byte `` /* 178-byte string literal not displayed */
	MasterKeyLog                         string   `protobuf:"bytes,15,opt,name=master_key_log,json=masterKeyLog,proto3" json:"master_key_log,omitempty"`
	// contains filtered or unexported fields
}

func ConfigFromStreamSettings

func ConfigFromStreamSettings(settings *internet.MemoryStreamConfig) *Config

ConfigFromStreamSettings fetches Config from stream settings. Nil if not found.

func (*Config) BuildCertificates

func (c *Config) BuildCertificates() []*tls.Certificate

BuildCertificates builds a list of TLS certificates from proto definition.

func (*Config) Descriptor deprecated

func (*Config) Descriptor() ([]byte, []int)

Deprecated: Use Config.ProtoReflect.Descriptor instead.

func (*Config) GetAllowInsecure

func (x *Config) GetAllowInsecure() bool

func (*Config) GetCertificate

func (x *Config) GetCertificate() []*Certificate

func (*Config) GetCipherSuites

func (x *Config) GetCipherSuites() string

func (*Config) GetDisableSystemRoot

func (x *Config) GetDisableSystemRoot() bool

func (*Config) GetEnableSessionResumption

func (x *Config) GetEnableSessionResumption() bool

func (*Config) GetFingerprint

func (x *Config) GetFingerprint() string

func (*Config) GetMasterKeyLog

func (x *Config) GetMasterKeyLog() string

func (*Config) GetMaxVersion

func (x *Config) GetMaxVersion() string

func (*Config) GetMinVersion

func (x *Config) GetMinVersion() string

func (*Config) GetNextProtocol

func (x *Config) GetNextProtocol() []string

func (*Config) GetPinnedPeerCertificateChainSha256

func (x *Config) GetPinnedPeerCertificateChainSha256() [][]byte

func (*Config) GetPinnedPeerCertificatePublicKeySha256

func (x *Config) GetPinnedPeerCertificatePublicKeySha256() [][]byte

func (*Config) GetPreferServerCipherSuites deprecated

func (x *Config) GetPreferServerCipherSuites() bool

Deprecated: Marked as deprecated in transport/internet/tls/config.proto.

func (*Config) GetRejectUnknownSni

func (x *Config) GetRejectUnknownSni() bool

func (*Config) GetServerName

func (x *Config) GetServerName() string

func (*Config) GetTLSConfig

func (c *Config) GetTLSConfig(opts ...Option) *tls.Config

GetTLSConfig converts this Config into tls.Config.

func (*Config) ProtoMessage

func (*Config) ProtoMessage()

func (*Config) ProtoReflect

func (x *Config) ProtoReflect() protoreflect.Message

func (*Config) Reset

func (x *Config) Reset()

func (*Config) String

func (x *Config) String() string

type Conn

type Conn struct {
	*tls.Conn
}

func (*Conn) Close

func (c *Conn) Close() error

func (*Conn) HandshakeAddressContext

func (c *Conn) HandshakeAddressContext(ctx context.Context) net.Address

func (*Conn) NegotiatedProtocol

func (c *Conn) NegotiatedProtocol() string

func (*Conn) WriteMultiBuffer

func (c *Conn) WriteMultiBuffer(mb buf.MultiBuffer) error

type Interface

type Interface interface {
	net.Conn
	HandshakeContext(ctx context.Context) error
	VerifyHostname(host string) error
	NegotiatedProtocol() string
}

type Option

type Option func(*tls.Config)

Option for building TLS config.

func WithDestination

func WithDestination(dest net.Destination) Option

WithDestination sets the server name in TLS config. Due to the incorrect structure of GetTLSConfig(), the config.ServerName will always be empty. So the real logic for SNI is: set it to dest -> overwrite it with servername(if it's len>0).

func WithNextProto

func WithNextProto(protocol ...string) Option

WithNextProto sets the ALPN values in TLS config.

type UConn

type UConn struct {
	*utls.UConn
}

func (*UConn) Close

func (c *UConn) Close() error

func (*UConn) HandshakeAddressContext

func (c *UConn) HandshakeAddressContext(ctx context.Context) net.Address

func (*UConn) NegotiatedProtocol

func (c *UConn) NegotiatedProtocol() string

func (*UConn) WebsocketHandshakeContext

func (c *UConn) WebsocketHandshakeContext(ctx context.Context) error

WebsocketHandshake basically calls UConn.Handshake inside it but it will only send http/1.1 in its ALPN.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL