gfwleak/tango-tfe
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

TSG-22752 Delete SSL Fingerprints, use is_app_not_pinning to determine Certificate Not Installed or Certificate Pinning

Browse Source
This commit is contained in:
luwenpeng
2024-10-15 16:18:34 +08:00
parent b7fb2d8a42
commit 8e38bbcf48
12 changed files with 136 additions and 918 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
plugin/business/ssl-policy/src/ssl_policy.cpp
View File

@@ -279,7 +279,7 @@ enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void *u_p
ssl_stream_set_cmsg_string(upstream, TFE_CMSG_SSL_PASSTHROUGH_REASON, "Invalid Decryption Param");
return SSL_ACTION_PASSTHROUGH;
}
int pinning_staus = 0, is_ev = 0, is_ct = 0, is_mauth = 0, has_error = 0, ja3_pinning_status = 0;
int pinning_staus = 0, is_ev = 0, is_ct = 0, is_mauth = 0, has_error = 0, is_app_not_pinning = 0;
if (!profile_param->mirror_client_version)
{
ret = ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_PROTOCOL_MIN_VERSION, profile_param->ssl_min_version);
@@ -311,7 +311,7 @@ enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void *u_p
assert(ret == 0);
ret = ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_PINNING_STATUS, &pinning_staus);
assert(ret == 0);
ret = ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_JA3_PINNING_STATUS, &ja3_pinning_status);
ret = ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_APP_STATUS, &is_app_not_pinning);
assert(ret == 0);
ret = ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_IS_EV_CERT, &is_ev);
assert(ret == 0);
@@ -322,13 +322,13 @@ enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void *u_p
ret = ssl_stream_get_integer_opt(upstream, SSL_STREAM_OPT_HAS_PROTOCOL_ERRORS, &has_error);
assert(ret == 0);
if (pinning_staus == 1 && ja3_pinning_status == JA3_PINNING_STATUS_NOT_PINNING && profile_param->bypass_uninstall_cert_traffic)
if (pinning_staus == 1 && is_app_not_pinning == 1 && profile_param->bypass_uninstall_cert_traffic)
{
action = SSL_ACTION_PASSTHROUGH;
ssl_stream_set_cmsg_string(upstream, TFE_CMSG_SSL_PASSTHROUGH_REASON, "Certificate Not Installed");
TFE_LOG_DEBUG(g_default_logger, "%s %s enforce policy %s, action PASSTHROUGH due to Certificate Not Installed", addr_string, sni, rule_uuid_str);
}
else if ((pinning_staus == 1 || ja3_pinning_status == JA3_PINNING_STATUS_IS_PINNING) && ja3_pinning_status != JA3_PINNING_STATUS_NOT_PINNING && profile_param->bypass_pinning)
else if (pinning_staus == 1 && is_app_not_pinning == 0 && profile_param->bypass_pinning)
{
action = SSL_ACTION_PASSTHROUGH;
ssl_stream_set_cmsg_string(upstream, TFE_CMSG_SSL_PASSTHROUGH_REASON, "Certificate Pinning");
@@ -366,4 +366,4 @@ enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void *u_p
profile_param_free(profile_param);
profile_param = NULL;
return action;
}
}