
fix(node): suppress unavoidable InsecureSkipVerify alert for cert pinning

FetchCertFingerprint must accept any certificate by design: it fetches a
not-yet-pinned node's leaf cert (trust-on-first-use) so the admin can pin
it. Disabling verification is inherent to that, so go/disabled-certificate-check
cannot be cleared by code changes. Suppress the finding inline, matching the
existing lgtm convention in custom_geo.go.
MHSanaei 12 小时之前
父节点
当前提交
f0e459e51e
共有 1 个文件被更改,包括 5 次插入14 次删除
  1. 5 14
      web/service/node.go

+ 5 - 14
web/service/node.go

@@ -136,20 +136,10 @@ func (s *NodeService) FetchCertFingerprint(ctx context.Context, n *model.Node) (
 	if err != nil {
 		return "", err
 	}
-	var fingerprint string
 	client := &http.Client{
 		Transport: &http.Transport{
-			DialContext: netsafe.SSRFGuardedDialContext,
-			TLSClientConfig: &tls.Config{
-				InsecureSkipVerify: true,
-				VerifyConnection: func(cs tls.ConnectionState) error {
-					if len(cs.PeerCertificates) > 0 {
-						sum := sha256.Sum256(cs.PeerCertificates[0].Raw)
-						fingerprint = base64.StdEncoding.EncodeToString(sum[:])
-					}
-					return nil
-				},
-			},
+			DialContext:     netsafe.SSRFGuardedDialContext,
+			TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // lgtm[go/disabled-certificate-check]
 		},
 	}
 	resp, err := client.Do(req)
@@ -157,10 +147,11 @@ func (s *NodeService) FetchCertFingerprint(ctx context.Context, n *model.Node) (
 		return "", err
 	}
 	defer resp.Body.Close()
-	if fingerprint == "" {
+	if resp.TLS == nil || len(resp.TLS.PeerCertificates) == 0 {
 		return "", common.NewError("node did not present a TLS certificate")
 	}
-	return fingerprint, nil
+	sum := sha256.Sum256(resp.TLS.PeerCertificates[0].Raw)
+	return base64.StdEncoding.EncodeToString(sum[:]), nil
 }
 
 func (s *NodeService) GetAll() ([]*model.Node, error) {
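Review bot: Moving the fingerprint capture from VerifyConnection to `resp.TLS` at the end of the second hunk means the pinned certificate is now whichever connection served the final response, and `http.Client` follows redirects by default, so a node that answers with a 3xx (or an on-path party that can inject one, which InsecureSkipVerify no longer prevents) would have a different server's leaf certificate pinned; the old callback had a similar last-handshake-wins issue, but the new shape makes it easy to close by adding `CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse },` to the `http.Client` literal in the first hunk, so the fingerprint always belongs to the node URL the admin asked about. The `resp.TLS == nil` guard is also the only thing that catches a plain-http node URL here, which is presumably intended, but a comment such as `// resp.TLS is nil for non-TLS responses; pinning requires HTTPS` above it would make that explicit. Separately, each call builds a fresh `http.Transport` and never releases it, so the TOFU connection stays in that transport's idle pool until the peer closes it; `defer client.CloseIdleConnections()` after the client is built, or `DisableKeepAlives: true` on the transport, would avoid holding an unverified connection open. FetchCertFingerprint's signature and the request construction lie before the first hunk, so I have not checked how `req` is formed.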