github
/
frp
mirror of https://github.com/fatedier/frp
1
0
Fork 0
Code Issues Releases Wiki Activity

improve random TLS certificate generation (#4923)

pull/4924/head
fatedier 2025-08-10 22:59:28 +08:00 committed by GitHub
parent dc3bc9182c
commit 024e4f5f1d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 31 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Release.md
View File

@ -1,7 +1,7 @@
## Features ## Features
* Support tokenSource for loading authentication tokens from files * Support tokenSource for loading authentication tokens from files.
## Fixes ## Fixes
* Fix SSH tunnel gateway incorrectly binding to proxyBindAddr instead of bindAddr, which caused external connections to fail when proxyBindAddr was set to 127.0.0.1 * Fix SSH tunnel gateway incorrectly binding to proxyBindAddr instead of bindAddr, which caused external connections to fail when proxyBindAddr was set to 127.0.0.1.

36
pkg/transport/tls.go
View File

@ -22,6 +22,7 @@ import (
"encoding/pem" "encoding/pem"
"math/big" "math/big"
"os" "os"
"time"
) )
func newCustomTLSKeyPair(certfile, keyfile string) (*tls.Certificate, error) { func newCustomTLSKeyPair(certfile, keyfile string) (*tls.Certificate, error) {
@ -32,12 +33,30 @@ func newCustomTLSKeyPair(certfile, keyfile string) (*tls.Certificate, error) {
return &tlsCert, nil return &tlsCert, nil
} }
func newRandomTLSKeyPair() *tls.Certificate { func newRandomTLSKeyPair() (*tls.Certificate, error) {
key, err := rsa.GenerateKey(rand.Reader, 2048) key, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil { if err != nil {
panic(err) return nil, err
} }
template := x509.Certificate{SerialNumber: big.NewInt(1)}
// Generate a random positive serial number with 128 bits of entropy.
// RFC 5280 requires serial numbers to be positive integers (not zero).
serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
if err != nil {
return nil, err
}
// Ensure serial number is positive (not zero)
if serialNumber.Sign() == 0 {
serialNumber = big.NewInt(1)
}
template := x509.Certificate{
SerialNumber: serialNumber,
NotBefore: time.Now().Add(-1 * time.Hour),
NotAfter: time.Now().Add(365 * 24 * time.Hour * 10),
}
certDER, err := x509.CreateCertificate( certDER, err := x509.CreateCertificate(
rand.Reader, rand.Reader,
&template, &template,
@ -45,16 +64,16 @@ func newRandomTLSKeyPair() *tls.Certificate {
&key.PublicKey, &key.PublicKey,
key) key)
if err != nil { if err != nil {
panic(err) return nil, err
} }
keyPEM := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)}) keyPEM := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER}) certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER})
tlsCert, err := tls.X509KeyPair(certPEM, keyPEM) tlsCert, err := tls.X509KeyPair(certPEM, keyPEM)
if err != nil { if err != nil {
panic(err) return nil, err
} }
return &tlsCert return &tlsCert, nil
} }
// Only support one ca file to add // Only support one ca file to add
@ -76,7 +95,10 @@ func NewServerTLSConfig(certPath, keyPath, caPath string) (*tls.Config, error) {
if certPath == "" || keyPath == "" { if certPath == "" || keyPath == "" {
// server will generate tls conf by itself // server will generate tls conf by itself
cert := newRandomTLSKeyPair() cert, err := newRandomTLSKeyPair()
if err != nil {
return nil, err
}
base.Certificates = []tls.Certificate{*cert} base.Certificates = []tls.Certificate{*cert}
} else { } else {
cert, err := newCustomTLSKeyPair(certPath, keyPath) cert, err := newCustomTLSKeyPair(certPath, keyPath)