
Draft: Add Approved Certificate for WebTunnel

shelikhoo requested to merge shelikhoo/webtunnel:dev-pinpeercert into main

This merge request adds approved certificate setting to WebTunnel.

Once this hash is set, the certificate will not be checked against standard WebPKI; instead it is verified against the supplied certificate chain hash, in the same way as pinnedPeerCertificateChainSha256 and allowInsecureIfPinnedPeerCertificate work in the TLS security settings.

In order to generate the hash for pinning without access to the server, run:

openssl s_client -showcerts -servername example.com -connect example.com:443  < /dev/null

Then copy and paste the certificates into a separate file, from the leaf through all the intermediate certificates in the chain. (A correctly configured server should not send the root certificate, as it can be inferred.)

Then run

./v2ray tls certChainHash --cert '****.pem'

to generate the certificate chain hash. The output should look like "MSsZ1bKO+7hhQCB9gSSB9abfyLtyIBCDRcuNLVBVjdE=".

(This command line tool will be bundled inside the WebTunnel server binary in a separate merge request.)

Then construct a bridge line with this certificate hash:

webtunnel ****:443 **** url=**** approvedCert=MSsZ1bKO+7hhQCB9gSSB9abfyLtyIBCDRcuNLVBVjdE= ver=0.0.1

The connection should proceed as expected.
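As an added illustration, not code from this merge request or from WebTunnel/v2ray, the following Go snippet shows how a client wires a pin check of this kind into `tls.Config`: WebPKI validation is switched off, and `VerifyPeerCertificate` accepts the peer only when the presented chain hashes to the `approvedCert` value. The fold construction in `chainHash` is an assumption about what `v2ray tls certChainHash` computes and should be confirmed against that tool's output; the certificate bytes used in the test are constructed stand-ins.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"errors"
)

// chainHash folds SHA-256 over the DER certificates in the order the server
// presents them (leaf first). The fold is an assumption; verify it against the tool.
func chainHash(rawCerts [][]byte) string {
	var acc []byte
	for _, der := range rawCerts {
		h := sha256.Sum256(der)
		if acc == nil {
			acc = h[:]
			continue
		}
		next := sha256.Sum256(append(acc, h[:]...))
		acc = next[:]
	}
	return base64.StdEncoding.EncodeToString(acc)
}

// verifyPinned builds a VerifyPeerCertificate callback that rejects any chain not matching the pin.
func verifyPinned(approvedCert string) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		got := chainHash(rawCerts)
		// An empty chain must never match, even against an empty pin string.
		if len(rawCerts) == 0 || subtle.ConstantTimeCompare([]byte(got), []byte(approvedCert)) != 1 {
			return errors.New("peer certificate chain does not match approvedCert pin")
		}
		return nil
	}
}

// pinnedTLSConfig disables WebPKI checks and substitutes the pin, as
// allowInsecureIfPinnedPeerCertificate does: skipping verification is only
// acceptable because VerifyPeerCertificate still runs on every handshake.
func pinnedTLSConfig(serverName, approvedCert string) *tls.Config {
	return &tls.Config{
		ServerName:            serverName,
		InsecureSkipVerify:    true,
		VerifyPeerCertificate: verifyPinned(approvedCert),
	}
}
```

Because the fold is order-sensitive, the pin only matches when the file used to generate it lists the certificates in the same order the server sends them.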

See also: #40
