[Feature] 手动配置证书指纹并验证以防中间人攻击 - Githubissues

MetaCubeX / mihomo

A simple Python Pydantic model for Honkai: Star Rail parsed data from the Mihomo API.

https://wiki.metacubex.one

MIT License

15.97k stars 2.6k forks source link

[Feature] 手动配置证书指纹并验证以防中间人攻击 #1593

Closed longern closed 2 hours ago

longern commented 2 hours ago

Verify steps

[X] 我已经在 Issue Tracker 中找过我要提出的请求 I have searched on the issue tracker for a related feature request.
[X] 我已经仔细看过 Documentation 并无法找到这个功能 I have read the documentation and was unable to solve the issue.

Description

当前trojan协议指定skip-cert-verify之后会完全跳过证书的验证，无法防止中间人攻击，应该可以参考WebTransport的机制手动指定证书指纹并进行验证

Possible Solution

增加如certificate-hashes之类的配置项，内容为16进制的证书指纹（例如fc9d3c41...）列表，当且仅当服务端证书指纹与其中之一匹配时连接成功。配置为多个指纹可以在证书更新时提前更新指纹防止因更新期间证书不匹配而连接失败。

Skyxim commented 2 hours ago