gfwleak/tango-tfe
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

1. 客户端报SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN错误时,不作为maybe pinning; 2. ssl policy中增加protocol_errors的bypass开关。

Browse Source
This commit is contained in:
zhengchao
2019-05-21 11:47:09 +08:00
parent 1f73b4832d
commit 4cd42b9f95
5 changed files with 68 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
plugin/business/ssl-policy/src/ssl_policy.cpp
View File

@@ -21,6 +21,7 @@ struct intercept_param
int bypass_ct_cert;
int bypass_mutual_auth;
int bypass_pinning;
int bypass_protocol_errors;
int no_verify_cn;
int no_verify_issuer;
int no_verify_self_signed;
@@ -84,6 +85,9 @@ void intercept_param_new_cb(int table_id, const char* key, const char* table_lin
if(item && item->type==cJSON_Number) param->bypass_mutual_auth=item->valueint;
item=cJSON_GetObjectItem(exclusions, "pinning");
if(item && item->type==cJSON_Number) param->bypass_pinning=item->valueint;
item=cJSON_GetObjectItem(exclusions, "protocol_errors");
if(item && item->type==cJSON_Number) param->bypass_protocol_errors=item->valueint;
}
cert_verify=cJSON_GetObjectItem(json, "cert_verify");
if(cert_verify)
@@ -178,7 +182,7 @@ enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void* u_p
TFE_LOG_INFO(enforcer->logger, "Failed to get intercept parameter of policy %d.", param->policy_id);
return SSL_ACTION_PASSTHROUGH;
}
int pinning_staus=0, is_ev=0, is_ct=0, is_mauth=0;
int pinning_staus=0, is_ev=0, is_ct=0, is_mauth=0, has_error=0;
if(!param->mirror_client_version)
{
ret=ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_PROTOCOL_MIN_VERSION, SSL3_VERSION);
@@ -200,11 +204,13 @@ enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void* u_p
assert(ret==1);
ret=ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_IS_MUTUAL_AUTH, &is_mauth);
ret=ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_IS_CT_CERT, &is_ct);
ret=ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_HAS_PROTOCOL_ERRORS, &has_error);
assert(ret=1);
if( (pinning_staus==1 && param->bypass_pinning) ||
(is_mauth && param->bypass_mutual_auth) ||
(is_ev && param->bypass_ev_cert) ||
(is_ct && param->bypass_ct_cert) )
(is_ct && param->bypass_ct_cert) ||
(has_error && param->bypass_protocol_errors))
{
action=SSL_ACTION_PASSTHROUGH;
}