更新伪造 SNI 规则 CA 兼容 #173
SeaHOH committed Jan 28, 2021
1 parent dfbded2 commit a414760
Showing 3 changed files with 83 additions and 2 deletions.
73 changes: 73 additions & 0 deletions cert/cacerts/misc.pem
@@ -0,0 +1,73 @@
## CloudFlare Origin SSL Certificate Authority
## origin_ca_rsa_root
## O: CloudFlare, Inc.

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

## DDoS-GUARD
## O/CN: ddos-guard

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

## 198.251.89.38
## CN: localhost
## 02 d3 a0 4a ad 30 b5 27 97 03 30 af d7 d2 10 1e e8 a1 a3 72

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
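Review bot: The third entry is identified only by an IP address, `CN: localhost` and a fingerprint, and nothing in the file records where the certificate was obtained or which rule depends on it. Its location under cert/cacerts/ suggests it is loaded as a trust anchor; if that bundle applies to every outgoing connection rather than only to the `.nyaa.si = localhost@none` rule, the holder of that key is trusted wherever the verification name is `localhost`. A per-entry header such as `## used by: .nyaa.si (config/ActionFilter.ini); fetched <date> from <source>` would make later rotation or removal auditable. The same comment would help on the CloudFlare Origin and DDoS-GUARD entries, since whether they are meant to be trusted beyond the rules added in this commit cannot be told from the file.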
3 changes: 3 additions & 0 deletions config/ActionFilter.ini
Expand Up @@ -120,6 +120,9 @@ wikipedia.org = @none
.wikipedia.org = @none
cn.nytimes.com = [email protected]
.nytimes.com = *.cloudfront.net
archive.is = [email protected]
nyaa.si = ddos-guard@none
.nyaa.si = localhost@none
#>>>

[1-forward] #转发,非 fakecert 连接由代理解析并连接后再转发,不支持复用连接
9 changes: 7 additions & 2 deletions local/compat/openssl.py
Expand Up @@ -189,9 +189,14 @@ def match_hostname(cert, hostname):
# The subject is only checked when there is no dNSName entry in subjectAltName
# XXX according to RFC 2818, the most specific Common Name must be used.
value = cert.get_subject().commonName
if _dnsname_match(value, hostname):
if value is not None:
if _dnsname_match(value, hostname):
return
dnsnames.append(value)
elif cert.get_issuer().organizationName == hostname:
# If there is no common name, then check issuer's organization name
# e.g. CloudFlare ddos-guard
return
dnsnames.append(value)
if len(dnsnames) > 1:
raise CertificateError(-1, "hostname %r doesn't match either of %s"
% (hostname, ', '.join(map(repr, dnsnames))))
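Review bot: The new `elif cert.get_issuer().organizationName == hostname: return` branch accepts a CN-less certificate on the strength of who issued it, not whom it was issued to, so every certificate from that issuer passes for any host mapped to that label. The check is presumably bounded only by chain validation against the roots in cert/cacerts/misc.pem, and as written it is reachable for any `hostname` value, including real DNS names. If the issuer labels are always dot-free, as `ddos-guard` in config/ActionFilter.ini is, the fallback could be narrowed to `elif '.' not in hostname and cert.get_issuer().organizationName == hostname:`, with the comment extended to `# Authenticates the issuer only, not the server identity; intended for fake-SNI labels`. match_hostname starts above the hunk and continues below it, so how an empty `dnsnames` is handled after this branch is not visible here.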
