fix(tls): pin remote cert via native uTLS handshake instead of xray subprocess

GetRemoteCertHash shelled out to 'xray tls ping' and scraped its stdout, which swallowed the real failure (a refused dial surfaced only as 'no certificate hash found'). Replace it with a native uTLS Chrome handshake: dial/handshake errors now surface verbatim, host:port is honoured, and the leaf is taken from PeerCertificates[0] so IP-only self-signed certs (no DNS SANs) hash correctly. Mirrors alireza0/x-ui@1372ad0 without its nil-leaf panic.
This commit is contained in:
MHSanaei
2026-06-21 19:51:18 +02:00
parent 03e89683dd
commit 0483273839
2 changed files with 37 additions and 41 deletions
+1 -1
View File
@@ -86,7 +86,7 @@ require (
github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect
github.com/quic-go/qpack v0.6.0 // indirect
github.com/quic-go/quic-go v0.60.0 // indirect
github.com/refraction-networking/utls v1.8.3-0.20260301010127-aa6edf4b11af // indirect
github.com/refraction-networking/utls v1.8.3-0.20260301010127-aa6edf4b11af
github.com/rogpeppe/go-internal v1.15.0 // indirect
github.com/sagernet/sing v0.8.10 // indirect
github.com/sagernet/sing-shadowsocks v0.2.9 // indirect