fix expired cert check

transport/internet/tls/config.go

@@ -3,6 +3,7 @@ package tls
 import (
 	"context"
 	"crypto/tls"
+	"crypto/x509"
 	"time"
 
 	"v2ray.com/core/common/net"
@@ -41,8 +42,14 @@ func (c *Config) BuildCertificates() []tls.Certificate {
 }
 
 func isCertificateExpired(c *tls.Certificate) bool {
+	if c.Leaf == nil && len(c.Certificate) > 0 {
+		if pc, err := x509.ParseCertificate(c.Certificate[0]); err == nil {
+			c.Leaf = pc
+		}
+	}
+
 	// If leaf is not there, the certificate is probably not used yet. We trust user to provide a valid certificate.
-	return c.Leaf != nil && c.Leaf.NotAfter.After(time.Now().Add(-time.Minute))
+	return c.Leaf != nil && c.Leaf.NotAfter.Before(time.Now().Add(-time.Minute))
 }
 
 func issueCertificate(rawCA *Certificate, domain string) (*tls.Certificate, error) {

transport/internet/tls/config_test.go

@@ -33,3 +33,32 @@ func TestCertificateIssuing(t *testing.T) {
 	assert(err, IsNil)
 	assert(x509Cert.NotAfter.After(time.Now()), IsTrue)
 }
+
+func TestExpiredCertificate(t *testing.T) {
+	assert := With(t)
+
+	caCert := cert.MustGenerate(nil, cert.Authority(true), cert.KeyUsage(x509.KeyUsageCertSign))
+	expiredCert := cert.MustGenerate(caCert, cert.NotAfter(time.Now().Add(time.Minute*-2)), cert.CommonName("www.v2ray.com"), cert.DNSNames("www.v2ray.com"))
+
+	certificate := ParseCertificate(caCert)
+	certificate.Usage = Certificate_AUTHORITY_ISSUE
+
+	certificate2 := ParseCertificate(expiredCert)
+
+	c := &Config{
+		Certificate: []*Certificate{
+			certificate,
+			certificate2,
+		},
+	}
+
+	tlsConfig := c.GetTLSConfig()
+	v2rayCert, err := tlsConfig.GetCertificate(&gotls.ClientHelloInfo{
+		ServerName: "www.v2ray.com",
+	})
+	assert(err, IsNil)
+
+	x509Cert, err := x509.ParseCertificate(v2rayCert.Certificate[0])
+	assert(err, IsNil)
+	assert(x509Cert.NotAfter.After(time.Now()), IsTrue)
+}