Draft: Add Approved Certificate for WebTunnel
This merge request adds approved certificate setting to WebTunnel.
Once this hash is set, then the certificate will not be checked by standard WebPKI, and instead be verified with the supplied certificate chain hash, in the same as pinnedPeerCertificateChainSha256
and allowInsecureIfPinnedPeerCertificate
in TLS Security Setting works.
In order to generate the hash for pinning without accessing to server, run:
openssl s_client -showcerts -servername example.com -connect example.com:443 < /dev/null
And copy & paste the certificate to a separate file, from the leaf to all the other intermediary chains. (A correctly configured server should not send the root certificate as it can be inferred.)
Then run
./v2ray tls certChainHash --cert '****.pem'
To generate the certificate chain hash, the output should look like "MSsZ1bKO+7hhQCB9gSSB9abfyLtyIBCDRcuNLVBVjdE=".
(This command line tool will be bundled inside WebTunnel server binary in a separate merge request)
Then construct a bridgeline with this certificate hash:
webtunnel ****:443 **** url=**** approvedCert=MSsZ1bKO+7hhQCB9gSSB9abfyLtyIBCDRcuNLVBVjdE= ver=0.0.1
The connection should proceed as expected.
See also: #40