Главная Обзор Помощь
Вход
txlyre
/
3x-ui
зеркало из https://github.com/MHSanaei/3x-ui
1
0
Ответвить 0
Файлы Задачи 0 Вики
Просмотр исходного кода

fix(node): suppress unavoidable InsecureSkipVerify alert for cert pinning

FetchCertFingerprint must accept any certificate by design: it fetches a
not-yet-pinned node's leaf cert (trust-on-first-use) so the admin can pin
it. Disabling verification is inherent to that, so go/disabled-certificate-check
cannot be cleared by code changes. Suppress the finding inline, matching the
existing lgtm convention in custom_geo.go.
MHSanaei 14 часов назад
Родитель
327228d8f3
Сommit
f0e459e51e
1 измененных файлов с 5 добавлено и 14 удалено
Единый вид Показать статистику Diff
  1. 5 14
      web/service/node.go

+ 5 - 14
web/service/node.go
Просмотреть файл 

@@ -136,20 +136,10 @@ func (s *NodeService) FetchCertFingerprint(ctx context.Context, n *model.Node) (
 
 	if err != nil {
 
 	if err != nil {
 
 		return "", err
 
 		return "", err
 
 	}
 
 	}
 
-	var fingerprint string
 
 	client := &http.Client{
 
 	client := &http.Client{
 
 		Transport: &http.Transport{
 
 		Transport: &http.Transport{
 
-			DialContext: netsafe.SSRFGuardedDialContext,
 
-			TLSClientConfig: &tls.Config{
 
-				InsecureSkipVerify: true,
 
-				VerifyConnection: func(cs tls.ConnectionState) error {
 
-					if len(cs.PeerCertificates) > 0 {
 
-						sum := sha256.Sum256(cs.PeerCertificates[0].Raw)
 
-						fingerprint = base64.StdEncoding.EncodeToString(sum[:])
 
-					}
 
-					return nil
 
-				},
 
-			},
 
+			DialContext:     netsafe.SSRFGuardedDialContext,
 
+			TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // lgtm[go/disabled-certificate-check]
 
 		},
 
 		},
 
 	}
 
 	}
 
 	resp, err := client.Do(req)
 
 	resp, err := client.Do(req)
 
@@ -157,10 +147,11 @@ func (s *NodeService) FetchCertFingerprint(ctx context.Context, n *model.Node) (
 
 		return "", err
 
 		return "", err
 
 	}
 
 	}
 
 	defer resp.Body.Close()
 
 	defer resp.Body.Close()
 
-	if fingerprint == "" {
 
+	if resp.TLS == nil || len(resp.TLS.PeerCertificates) == 0 {
 
 		return "", common.NewError("node did not present a TLS certificate")
 
 		return "", common.NewError("node did not present a TLS certificate")
 
 	}
 
 	}
 
-	return fingerprint, nil
 
+	sum := sha256.Sum256(resp.TLS.PeerCertificates[0].Raw)
 
+	return base64.StdEncoding.EncodeToString(sum[:]), nil
 
 }
 
 }
 
 
 
 func (s *NodeService) GetAll() ([]*model.Node, error) {
 
 func (s *NodeService) GetAll() ([]*model.Node, error) {