feat: Generate self-signed at startup to avoid fingerprint
This commit is contained in:
parent
8f83ca0f7b
commit
5b2a34ff2a
6 changed files with 66 additions and 47 deletions
38
Cargo.lock
generated
38
Cargo.lock
generated
|
@ -192,6 +192,7 @@ dependencies = [
|
|||
"aws-lc-sys",
|
||||
"mirai-annotations",
|
||||
"paste",
|
||||
"untrusted 0.7.1",
|
||||
"zeroize",
|
||||
]
|
||||
|
||||
|
@ -1880,6 +1881,19 @@ dependencies = [
|
|||
"getrandom",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "rcgen"
|
||||
version = "0.13.1"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "54077e1872c46788540de1ea3d7f4ccb1983d12f9aa909b234468676c1a36779"
|
||||
dependencies = [
|
||||
"aws-lc-rs",
|
||||
"ring",
|
||||
"rustls-pki-types",
|
||||
"time",
|
||||
"yasna",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "redox_syscall"
|
||||
version = "0.4.1"
|
||||
|
@ -1974,7 +1988,7 @@ dependencies = [
|
|||
"getrandom",
|
||||
"libc",
|
||||
"spin",
|
||||
"untrusted",
|
||||
"untrusted 0.9.0",
|
||||
"windows-sys 0.52.0",
|
||||
]
|
||||
|
||||
|
@ -2111,7 +2125,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
|
|||
checksum = "8b6275d1ee7a1cd780b64aca7726599a1dbc893b1e64144529e55c3c2f745765"
|
||||
dependencies = [
|
||||
"ring",
|
||||
"untrusted",
|
||||
"untrusted 0.9.0",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
|
@ -2123,7 +2137,7 @@ dependencies = [
|
|||
"aws-lc-rs",
|
||||
"ring",
|
||||
"rustls-pki-types",
|
||||
"untrusted",
|
||||
"untrusted 0.9.0",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
|
@ -2163,7 +2177,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
|
|||
checksum = "da046153aa2352493d6cb7da4b6e5c0c057d8a1d0a9aa8560baffdd945acd414"
|
||||
dependencies = [
|
||||
"ring",
|
||||
"untrusted",
|
||||
"untrusted 0.9.0",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
|
@ -2774,6 +2788,12 @@ version = "0.2.11"
|
|||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "673aac59facbab8a9007c7f6108d11f63b603f7cabff99fabf650fea5c32b861"
|
||||
|
||||
[[package]]
|
||||
name = "untrusted"
|
||||
version = "0.7.1"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "a156c684c91ea7d62626509bce3cb4e1d9ed5c4d978f7b4352658f96a4c26b4a"
|
||||
|
||||
[[package]]
|
||||
name = "untrusted"
|
||||
version = "0.9.0"
|
||||
|
@ -3146,6 +3166,7 @@ dependencies = [
|
|||
"parking_lot",
|
||||
"pin-project",
|
||||
"ppp",
|
||||
"rcgen",
|
||||
"regex",
|
||||
"rustls-native-certs 0.7.2",
|
||||
"rustls-pemfile 2.1.3",
|
||||
|
@ -3185,6 +3206,15 @@ dependencies = [
|
|||
"time",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "yasna"
|
||||
version = "0.5.2"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "e17bb3549cc1321ae1296b9cdc2698e2b6cb1992adfa19a8c72e5b7a738f44cd"
|
||||
dependencies = [
|
||||
"time",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "zerocopy"
|
||||
version = "0.7.34"
|
||||
|
|
|
@ -61,9 +61,11 @@ tokio-fd = "0.3.0"
|
|||
|
||||
[target.'cfg(any(target_os = "linux", target_os = "macos"))'.dependencies]
|
||||
tokio-rustls = { version = "0.26.0", features = [] }
|
||||
rcgen = { version = "0.13.1", default-features = false, features = ["aws_lc_rs"] }
|
||||
|
||||
[target.'cfg(not(any(target_os = "linux", target_os = "macos")))'.dependencies]
|
||||
tokio-rustls = { version = "0.26.0", default-features = false, features = ["logging", "tls12", "ring"] }
|
||||
rcgen = { version = "0.13.1", default-features = false, features = ["ring"] }
|
||||
|
||||
|
||||
[dev-dependencies]
|
||||
|
|
|
@ -1,13 +0,0 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIB4DCCAYegAwIBAgIUdoMEAEloOjgFlRjkA7naE+xGBhowCgYIKoZIzj0EAwIw
|
||||
RTELMAkGA1UEBhMCRlIxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGElu
|
||||
dGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAgFw0yNDA4MjYyMTMxMDVaGA8yMTI0MDgy
|
||||
NjIxMzEwNVowRTELMAkGA1UEBhMCRlIxEzARBgNVBAgMClNvbWUtU3RhdGUxITAf
|
||||
BgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDBZMBMGByqGSM49AgEGCCqG
|
||||
SM49AwEHA0IABFd3WKJWOwZ3SwjjGeqIOiLXV1QWpggGMriK0EorXYaE1XJgNlCI
|
||||
TTRtZUAYArThwVpnXPzFrA3LoVtZI0IZvkyjUzBRMB0GA1UdDgQWBBTOra0Tv425
|
||||
GAQl1w5lMmiz0AnJwjAfBgNVHSMEGDAWgBTOra0Tv425GAQl1w5lMmiz0AnJwjAP
|
||||
BgNVHRMBAf8EBTADAQH/MAoGCCqGSM49BAMCA0cAMEQCIEd/fLYpJKgTu/rAwIfJ
|
||||
CAf2ApXcMA//wgQbABbqAQdpAiACDRz766m9bot2PbMzmXah8wTlwLkY0k400xG4
|
||||
qPrP9w==
|
||||
-----END CERTIFICATE-----
|
|
@ -1,8 +0,0 @@
|
|||
-----BEGIN EC PARAMETERS-----
|
||||
BggqhkjOPQMBBw==
|
||||
-----END EC PARAMETERS-----
|
||||
-----BEGIN EC PRIVATE KEY-----
|
||||
MHcCAQEEIN9PYI7feqDtiEt2P5Eo1m78mFjrlYeTsOY2HFpSl43roAoGCCqGSM49
|
||||
AwEHoUQDQgAEV3dYolY7BndLCOMZ6og6ItdXVBamCAYyuIrQSitdhoTVcmA2UIhN
|
||||
NG1lQBgCtOHBWmdc/MWsDcuhW1kjQhm+TA==
|
||||
-----END EC PRIVATE KEY-----
|
|
@ -1,23 +1,31 @@
|
|||
use log::info;
|
||||
use rcgen::{date_time_ymd, CertificateParams, DnType, KeyPair};
|
||||
use std::sync::LazyLock;
|
||||
use tokio_rustls::rustls::pki_types::{CertificateDer, PrivateKeyDer};
|
||||
use std::time::Instant;
|
||||
use tokio_rustls::rustls::pki_types::{CertificateDer, PrivateKeyDer, PrivatePkcs8KeyDer};
|
||||
|
||||
pub static TLS_PRIVATE_KEY: LazyLock<PrivateKeyDer<'static>> = LazyLock::new(|| {
|
||||
info!("Loading embedded tls private key");
|
||||
pub static TLS_CERTIFICATE: LazyLock<(Vec<CertificateDer<'static>>, PrivateKeyDer<'static>)> = LazyLock::new(|| {
|
||||
info!("Generating self-signed tls certificate");
|
||||
|
||||
let key = include_bytes!("../certs/key.pem");
|
||||
let key = rustls_pemfile::private_key(&mut key.as_slice())
|
||||
.expect("failed to load embedded tls private key")
|
||||
.expect("failed to load embedded tls private key");
|
||||
key
|
||||
});
|
||||
pub static TLS_CERTIFICATE: LazyLock<Vec<CertificateDer<'static>>> = LazyLock::new(|| {
|
||||
info!("Loading embedded tls certificate");
|
||||
|
||||
let cert = include_bytes!("../certs/cert.pem");
|
||||
let certs = rustls_pemfile::certs(&mut cert.as_slice())
|
||||
.next()
|
||||
.expect("failed to load embedded tls certificate");
|
||||
|
||||
certs.into_iter().collect()
|
||||
let now = Instant::now();
|
||||
let key_pair = KeyPair::generate().unwrap();
|
||||
let mut cert = CertificateParams::new(vec![]).unwrap();
|
||||
cert.distinguished_name = rcgen::DistinguishedName::new();
|
||||
cert.distinguished_name.push(DnType::CountryName, "FR".to_string());
|
||||
let el = now.elapsed();
|
||||
let year = 2024 - (el.as_nanos() % 2) as i32;
|
||||
let month = 1 + (el.as_nanos() % 12) as u8;
|
||||
let day = 1 + (el.as_nanos() % 31) as u8;
|
||||
cert.not_before = date_time_ymd(year, month, day);
|
||||
|
||||
let el = now.elapsed();
|
||||
let year = 2024 + (el.as_nanos() % 50) as i32;
|
||||
let month = 1 + (el.as_nanos() % 12) as u8;
|
||||
let day = 1 + (el.as_nanos() % 31) as u8;
|
||||
cert.not_after = date_time_ymd(year, month, day);
|
||||
|
||||
let cert = cert.self_signed(&key_pair).unwrap().der().clone();
|
||||
let private_key = PrivateKeyDer::Pkcs8(PrivatePkcs8KeyDer::from(key_pair.serialized_der().to_vec()));
|
||||
|
||||
(vec![cert], private_key)
|
||||
});
|
||||
|
|
|
@ -1069,13 +1069,13 @@ async fn main() -> anyhow::Result<()> {
|
|||
let tls_certificate = if let Some(cert_path) = &args.tls_certificate {
|
||||
tls::load_certificates_from_pem(cert_path).expect("Cannot load tls certificate")
|
||||
} else {
|
||||
embedded_certificate::TLS_CERTIFICATE.clone()
|
||||
embedded_certificate::TLS_CERTIFICATE.0.clone()
|
||||
};
|
||||
|
||||
let tls_key = if let Some(key_path) = &args.tls_private_key {
|
||||
tls::load_private_key_from_file(key_path).expect("Cannot load tls private key")
|
||||
} else {
|
||||
embedded_certificate::TLS_PRIVATE_KEY.clone_key()
|
||||
embedded_certificate::TLS_CERTIFICATE.1.clone_key()
|
||||
};
|
||||
|
||||
let tls_client_ca_certificates = args.tls_client_ca_certs.as_ref().map(|tls_client_ca| {
|
||||
|
@ -1125,7 +1125,7 @@ async fn main() -> anyhow::Result<()> {
|
|||
let http_proxy = mk_http_proxy(args.http_proxy, args.http_proxy_login, args.http_proxy_password)?;
|
||||
let server_config = WsServerConfig {
|
||||
socket_so_mark: args.socket_so_mark,
|
||||
bind: args.remote_addr.socket_addrs(|| Some(8080)).unwrap()[0],
|
||||
bind: args.remote_addr.socket_addrs(|| Some(8080))?[0],
|
||||
websocket_ping_frequency: args
|
||||
.websocket_ping_frequency_sec
|
||||
.or(Some(Duration::from_secs(30)))
|
||||
|
@ -1157,7 +1157,7 @@ async fn main() -> anyhow::Result<()> {
|
|||
}
|
||||
}
|
||||
|
||||
tokio::signal::ctrl_c().await.unwrap();
|
||||
tokio::signal::ctrl_c().await?;
|
||||
Ok(())
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in a new issue