1. 可以获取x509证书的ct和ev状态。2. hostname不匹配,不认为是非法证书。

This commit is contained in:
zhengchao
2019-05-15 20:09:12 +08:00
parent ae678d5128
commit ea0292f1b4
7 changed files with 846 additions and 30 deletions


@@ -173,6 +173,7 @@ struct ssl_upstream_parts
{
struct cert_verify_param verify_param;
struct cert_verify_result verify_result;
char verify_failed_action;
struct ssl_bypass bypass_condition;
@@ -1077,7 +1078,13 @@ static void ssl_server_connected_eventcb(struct bufferevent * bev, short events,
else
{
s_stream->up_parts.is_server_cert_verify_passed = ssl_trusted_cert_storage_verify_conn(s_stream->mgr->trust_CA_store,
s_stream->ssl, s_stream->up_parts.client_hello->sni, &(s_stream->up_parts.verify_param), error_str, sizeof(error_str));
s_stream->ssl, s_stream->up_parts.client_hello->sni, &(s_stream->up_parts.verify_param),
error_str, sizeof(error_str), &(s_stream->up_parts.verify_result));
TFE_LOG_DEBUG(mgr->logger, "SNI: %s hostmatch:%d, ct:%d, ev:%d",
s_upstream->client_hello->sni,
s_stream->up_parts.verify_result.is_hostmatched,
s_stream->up_parts.verify_result.is_ct,
s_stream->up_parts.verify_result.is_ev);
}
if(s_stream->up_parts.is_server_cert_verify_passed)
{
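Review bot: The hostname-match outcome is now observable only at debug level: the new `TFE_LOG_DEBUG` prints `verify_result.is_hostmatched`, while the branch `if(s_stream->up_parts.is_server_cert_verify_passed)` keys on the pass flag alone, so a mismatch that (per the commit title) no longer fails verification leaves no trace in a production log and nothing downstream consults it. Emit the mismatch case through the logger's warning-level macro, e.g. guarded by `if (!s_stream->up_parts.verify_result.is_hostmatched)`, and add a comment on the `struct cert_verify_result` definition stating that hostmatch is informational and does not gate the pass decision. The new log line also names `mgr->logger` and `s_upstream->client_hello->sni` where the neighbouring call uses `s_stream->mgr` and `s_stream->up_parts.client_hello->sni`; if those are not separate locals in scope this will not compile, and either way it should reuse the same expressions as the call above. If `sni` can be NULL for clients that send no SNI, passing it to `%s` is undefined behaviour and needs a `sni ? sni : "-"` style guard. ssl_server_connected_eventcb begins and ends outside this hunk.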