MatsuriDayo / nekoray

Qt based cross-platform GUI proxy configuration manager (backend: sing-box)
https://matsuridayo.github.io/
GNU General Public License v3.0
12.5k stars, 1.18k forks

BUG: Hysteria CA cert not working when authenticating #1252

Closed repliqa closed 3 months ago

repliqa commented 6 months ago

Describe the problem

I want to use the Hysteria self-signed CA cert for authenticating the server, however even though I used the correct certificate, I get the error that the certificate is not from a trusted CA. Is it something that has to do with the hysteria protocol itself or does CA authentication simply not work? (the hysteria URL scheme only lets you specify the SHA PIN, the official docs don't mention specifying the certificate)

Expected behavior: Connecting to the server without errors

Actual behavior: Not connecting to the server

How to reproduce

Generating CA, server keys and certs using certtool, on an OpenBSD 7.4 machine

log

Untrusted CA


mmmray commented 5 months ago

I encountered the same problem. If I check the logs in nekoray, I see that hysteria core is launched with a tempfile as config. I open the config and see this:

{
    "tls": {"certificates": ["<temp filepath>"]}
}

I don't see this kind of structure in hysteria2 so I think it's just completely broken.

mmmray commented 5 months ago

Also, pinSHA256 in imported URLs is silently ignored, so secure configs become silently insecure.

I think it is better to launch hysteria2 directly.
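Detection logic for the two failure modes described in the comments above (a pin carried in the share link but absent from the generated config, and a `tls.certificates` key that is not a Hysteria 2 client field), written here as an added example rather than code from nekoray or Hysteria; the share-link query keys (`sni`, `insecure`, `pinSHA256`) and client config keys (`tls.ca`, `tls.insecure`, `tls.pinSHA256`) are assumed from the Hysteria 2 documentation, and the link, pin and configs are constructed samples.

```python
import json
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample pin: 32 colon-separated hex bytes, the pinSHA256 format
# Hysteria 2 expects (assumed from its docs). Not a real certificate digest.
PIN = ":".join(["AB", "CD", "EF", "01", "23", "45", "67", "89"] * 4)

# Constructed share link (not real credentials) and the config a client
# generated from it with the pin silently dropped, as reported above.
SHARE_URI = f"hysteria2://secret-auth@example.invalid:443/?sni=example.invalid&pinSHA256={PIN}"
GENERATED_CONFIG = json.dumps({
    "server": "example.invalid:443",
    "auth": "secret-auth",
    "tls": {"certificates": ["/tmp/nekoray-cert.tmp"]},  # placeholder path
})
# What the same link should have produced (assumed field names).
FIXED_CONFIG = json.dumps({
    "server": "example.invalid:443",
    "auth": "secret-auth",
    "tls": {"sni": "example.invalid", "pinSHA256": PIN},
})

PIN_RE = re.compile(r"^([0-9A-Fa-f]{2}:){31}[0-9A-Fa-f]{2}$")

def parse_share_uri(uri):
    """Extract host, port and the TLS-related query keys from a hysteria2:// link."""
    u = urlparse(uri)
    if u.scheme != "hysteria2":
        raise ValueError("not a hysteria2 share link")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    return {"host": u.hostname, "port": u.port or 443, "sni": q.get("sni"),
            "pinSHA256": q.get("pinSHA256"), "insecure": q.get("insecure") == "1"}

def audit_tls(uri, config_json):
    """Return findings; an empty list means the config keeps the link's verification."""
    link = parse_share_uri(uri)
    tls = json.loads(config_json).get("tls", {})
    findings = []
    if tls.get("insecure"):
        findings.append("tls.insecure is set: server certificate is not verified")
    if link["pinSHA256"] and tls.get("pinSHA256") != link["pinSHA256"]:
        findings.append("pinSHA256 from share link missing in config: pin silently dropped")
    if tls.get("pinSHA256") and not PIN_RE.match(tls["pinSHA256"]):
        findings.append("pinSHA256 malformed: expected 32 colon-separated hex bytes")
    if "certificates" in tls:
        findings.append("tls.certificates is not a Hysteria 2 client field; a custom CA goes in tls.ca")
    if not (tls.get("ca") or tls.get("pinSHA256") or tls.get("insecure")):
        findings.append("no tls.ca or tls.pinSHA256: a self-signed server cert fails as 'Untrusted CA'")
    return findings
```

Run `audit_tls` against the config file the client actually launched the core with; any finding means the verification requested in the share link did not survive import.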

repliqa commented 5 months ago

Indeed, shaPIN doesn't work. So I tried using a self-signed certificate instead and I'm very confused.

When using sing-box core, even if I specify the wrong CA certificate, connection to the server would still be established, meaning no verification is taking place.

And when using xray core, I simply get certificate signed by unknown authority.

Is there no way of securing a hysteria2 connection from nekoray/nekobox at all without having to use a CA-signed certificate? (I haven't tested a CA-signed cert yet. I don't even know if it would work or not.)