diff --git a/common.go b/common.go index a79cccc..11a6da2 100644 --- a/common.go +++ b/common.go @@ -656,6 +656,15 @@ type Config struct { // testing or in combination with VerifyConnection or VerifyPeerCertificate. InsecureSkipVerify bool + // InsecureSkipServerNameVerify controls whether a client verifies the + // server's certificate chain only without verify host name. + // If InsecureSkipServerNameVerify is true, crypto/tls will do normal + // certificate validation but ignore certifacate's DNSName. This is intended + // to use with spoofed ServerName and VerifyConnection. + // + // This field is ignored when InsecureSkipVerify is true. + InsecureSkipServerNameVerify bool // [uTLS] + // CipherSuites is a list of enabled TLS 1.0–1.2 cipher suites. The order of // the list is ignored. Note that TLS 1.3 ciphersuites are not configurable. // @@ -797,35 +806,36 @@ func (c *Config) Clone() *Config { c.mutex.RLock() defer c.mutex.RUnlock() return &Config{ - Rand: c.Rand, - Time: c.Time, - Certificates: c.Certificates, - NameToCertificate: c.NameToCertificate, - GetCertificate: c.GetCertificate, - GetClientCertificate: c.GetClientCertificate, - GetConfigForClient: c.GetConfigForClient, - VerifyPeerCertificate: c.VerifyPeerCertificate, - VerifyConnection: c.VerifyConnection, - RootCAs: c.RootCAs, - NextProtos: c.NextProtos, - ApplicationSettings: c.ApplicationSettings, - ServerName: c.ServerName, - ClientAuth: c.ClientAuth, - ClientCAs: c.ClientCAs, - InsecureSkipVerify: c.InsecureSkipVerify, - CipherSuites: c.CipherSuites, - PreferServerCipherSuites: c.PreferServerCipherSuites, - SessionTicketsDisabled: c.SessionTicketsDisabled, - SessionTicketKey: c.SessionTicketKey, - ClientSessionCache: c.ClientSessionCache, - MinVersion: c.MinVersion, - MaxVersion: c.MaxVersion, - CurvePreferences: c.CurvePreferences, - DynamicRecordSizingDisabled: c.DynamicRecordSizingDisabled, - Renegotiation: c.Renegotiation, - KeyLogWriter: c.KeyLogWriter, - sessionTicketKeys: c.sessionTicketKeys, - autoSessionTicketKeys: c.autoSessionTicketKeys, + Rand: c.Rand, + Time: c.Time, + Certificates: c.Certificates, + NameToCertificate: c.NameToCertificate, + GetCertificate: c.GetCertificate, + GetClientCertificate: c.GetClientCertificate, + GetConfigForClient: c.GetConfigForClient, + VerifyPeerCertificate: c.VerifyPeerCertificate, + VerifyConnection: c.VerifyConnection, + RootCAs: c.RootCAs, + NextProtos: c.NextProtos, + ApplicationSettings: c.ApplicationSettings, + ServerName: c.ServerName, + ClientAuth: c.ClientAuth, + ClientCAs: c.ClientCAs, + InsecureSkipVerify: c.InsecureSkipVerify, + InsecureSkipServerNameVerify: c.InsecureSkipServerNameVerify, + CipherSuites: c.CipherSuites, + PreferServerCipherSuites: c.PreferServerCipherSuites, + SessionTicketsDisabled: c.SessionTicketsDisabled, + SessionTicketKey: c.SessionTicketKey, + ClientSessionCache: c.ClientSessionCache, + MinVersion: c.MinVersion, + MaxVersion: c.MaxVersion, + CurvePreferences: c.CurvePreferences, + DynamicRecordSizingDisabled: c.DynamicRecordSizingDisabled, + Renegotiation: c.Renegotiation, + KeyLogWriter: c.KeyLogWriter, + sessionTicketKeys: c.sessionTicketKeys, + autoSessionTicketKeys: c.autoSessionTicketKeys, } } diff --git a/handshake_client.go b/handshake_client.go index aa148a0..7588d30 100644 --- a/handshake_client.go +++ b/handshake_client.go @@ -40,9 +40,13 @@ var testingOnlyForceClientHelloSignatureAlgorithms []SignatureScheme func (c *Conn) makeClientHello() (*clientHelloMsg, ecdheParameters, error) { config := c.config - if len(config.ServerName) == 0 && !config.InsecureSkipVerify { - return nil, nil, errors.New("tls: either ServerName or InsecureSkipVerify must be specified in the tls.Config") + + // [UTLS SECTION START] + skipServerNameVerify := config.InsecureSkipVerify || config.InsecureSkipServerNameVerify + if len(config.ServerName) == 0 && !skipServerNameVerify { + return nil, nil, errors.New("tls: at least one of ServerName, InsecureSkipVerify or InsecureSkipServerNameVerify must be specified in the tls.Config") } + // [UTLS SECTION END] nextProtosLength := 0 for _, proto := range config.NextProtos { @@ -874,13 +878,18 @@ func (c *Conn) verifyServerCertificate(certificates [][]byte) error { } if !c.config.InsecureSkipVerify { + // [UTLS SECTION START] opts := x509.VerifyOptions{ Roots: c.config.RootCAs, CurrentTime: c.config.time(), - DNSName: c.config.ServerName, Intermediates: x509.NewCertPool(), } + if !c.config.InsecureSkipServerNameVerify { + opts.DNSName = c.config.ServerName + } + // [UTLS SECTION END] + for _, cert := range certs[1:] { opts.Intermediates.AddCert(cert) } diff --git a/tls_test.go b/tls_test.go index f2b1b64..83065f6 100644 --- a/tls_test.go +++ b/tls_test.go @@ -814,7 +814,7 @@ func TestCloneNonFuncFields(t *testing.T) { f.Set(reflect.ValueOf("b")) case "ClientAuth": f.Set(reflect.ValueOf(VerifyClientCertIfGiven)) - case "InsecureSkipVerify", "SessionTicketsDisabled", "DynamicRecordSizingDisabled", "PreferServerCipherSuites": + case "InsecureSkipVerify", "InsecureSkipServerNameVerify", "SessionTicketsDisabled", "DynamicRecordSizingDisabled", "PreferServerCipherSuites": f.Set(reflect.ValueOf(true)) case "MinVersion", "MaxVersion": f.Set(reflect.ValueOf(uint16(VersionTLS12))) diff --git a/u_conn.go b/u_conn.go index bf3e053..04f5fad 100644 --- a/u_conn.go +++ b/u_conn.go @@ -377,8 +377,9 @@ func (c *UConn) clientHandshake(ctx context.Context) (err error) { // [uTLS section begins] // don't make new ClientHello, use hs.hello // preserve the checks from beginning and end of makeClientHello() - if len(c.config.ServerName) == 0 && !c.config.InsecureSkipVerify { - return errors.New("tls: either ServerName or InsecureSkipVerify must be specified in the tls.Config") + skipServerNameVerify := c.config.InsecureSkipVerify || c.config.InsecureSkipServerNameVerify + if len(c.config.ServerName) == 0 && !skipServerNameVerify { + return errors.New("tls: at least one of ServerName, InsecureSkipVerify or InsecureSkipServerNameVerify must be specified in the tls.Config") } nextProtosLength := 0