Optimize Cert Pinning (2dust#8282)

Author: DHR60

v2rayN/ServiceLib/Manager/CertPemManager.cs

@@ -202,7 +202,7 @@ public class CertPemManager
     /// <summary>
     /// Get certificate in PEM format from a server with CA pinning validation
     /// </summary>
-    public async Task<(string?, string?)> GetCertPemAsync(string target, string serverName, int timeout = 10)
+    public async Task<(string?, string?)> GetCertPemAsync(string target, string serverName, int timeout = 4)
     {
         try
         {
@@ -216,7 +216,13 @@ public class CertPemManager
 
             using var ssl = new SslStream(client.GetStream(), false, ValidateServerCertificate);
 
-            await ssl.AuthenticateAsClientAsync(serverName);
+            var sslOptions = new SslClientAuthenticationOptions
+            {
+                TargetHost = serverName,
+                RemoteCertificateValidationCallback = ValidateServerCertificate
+            };
+
+            await ssl.AuthenticateAsClientAsync(sslOptions, cts.Token);
 
             var remote = ssl.RemoteCertificate;
             if (remote == null)
@@ -242,7 +248,7 @@ public class CertPemManager
     /// <summary>
     /// Get certificate chain in PEM format from a server with CA pinning validation
     /// </summary>
-    public async Task<(List<string>, string?)> GetCertChainPemAsync(string target, string serverName, int timeout = 10)
+    public async Task<(List<string>, string?)> GetCertChainPemAsync(string target, string serverName, int timeout = 4)
     {
         var pemList = new List<string>();
         try
@@ -257,7 +263,13 @@ public class CertPemManager
 
             using var ssl = new SslStream(client.GetStream(), false, ValidateServerCertificate);
 
-            await ssl.AuthenticateAsClientAsync(serverName);
+            var sslOptions = new SslClientAuthenticationOptions
+            {
+                TargetHost = serverName,
+                RemoteCertificateValidationCallback = ValidateServerCertificate
+            };
+
+            await ssl.AuthenticateAsClientAsync(sslOptions, cts.Token);
 
             if (ssl.RemoteCertificate is not X509Certificate2 certChain)
             {
@@ -330,10 +342,74 @@ private bool ValidateServerCertificate(
         return TrustedCaThumbprints.Contains(rootThumbprint);
     }
 
-    public string ExportCertToPem(X509Certificate2 cert)
+    public static string ExportCertToPem(X509Certificate2 cert)
     {
         var der = cert.Export(X509ContentType.Cert);
-        var b64 = Convert.ToBase64String(der, Base64FormattingOptions.InsertLineBreaks);
+        var b64 = Convert.ToBase64String(der);
         return $"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n";
     }
+
+    /// <summary>
+    /// Parse concatenated PEM certificates string into a list of individual certificates
+    /// Normalizes format: removes line breaks from base64 content for better compatibility
+    /// </summary>
+    /// <param name="pemChain">Concatenated PEM certificates string (supports both \r\n and \n line endings)</param>
+    /// <returns>List of individual PEM certificate strings with normalized format</returns>
+    public static List<string> ParsePemChain(string pemChain)
+    {
+        var certs = new List<string>();
+        if (string.IsNullOrWhiteSpace(pemChain))
+        {
+            return certs;
+        }
+
+        // Normalize line endings (CRLF -> LF) at the beginning
+        pemChain = pemChain.Replace("\r\n", "\n").Replace("\r", "\n");
+
+        const string beginMarker = "-----BEGIN CERTIFICATE-----";
+        const string endMarker = "-----END CERTIFICATE-----";
+
+        var index = 0;
+        while (index < pemChain.Length)
+        {
+            var beginIndex = pemChain.IndexOf(beginMarker, index, StringComparison.Ordinal);
+            if (beginIndex == -1)
+                break;
+
+            var endIndex = pemChain.IndexOf(endMarker, beginIndex, StringComparison.Ordinal);
+            if (endIndex == -1)
+                break;
+
+            // Extract certificate content
+            var base64Start = beginIndex + beginMarker.Length;
+            var base64Content = pemChain.Substring(base64Start, endIndex - base64Start);
+
+            // Remove all whitespace from base64 content
+            base64Content = new string(base64Content.Where(c => !char.IsWhiteSpace(c)).ToArray());
+
+            // Reconstruct with clean format: BEGIN marker + base64 (no line breaks) + END marker
+            var normalizedCert = $"{beginMarker}\n{base64Content}\n{endMarker}\n";
+            certs.Add(normalizedCert);
+
+            // Move to next certificate
+            index = endIndex + endMarker.Length;
+        }
+
+        return certs;
+    }
+
+    /// <summary>
+    /// Concatenate a list of PEM certificates into a single string
+    /// </summary>
+    /// <param name="pemList">List of individual PEM certificate strings</param>
+    /// <returns>Concatenated PEM certificates string</returns>
+    public static string ConcatenatePemChain(IEnumerable<string> pemList)
+    {
+        if (pemList == null)
+        {
+            return string.Empty;
+        }
+
+        return string.Concat(pemList);
+    }
 }

v2rayN/ServiceLib/Resx/ResUI.Designer.cs

@@ -1606,8 +1606,10 @@
     <value>Certificate Pinning</value>
   </data>
   <data name="TbCertPinningTips" xml:space="preserve">
-    <value>Server certificate (PEM format, optional). Entering a certificate will pin it.
-Do not use the "Fetch Certificate" button when "Allow Insecure" is enabled.</value>
+    <value>Server Certificate (PEM format, optional)
+When specified, the certificate will be pinned, and "Allow Insecure" will be disabled.
+
+The "Get Certificate" action may fail if a self-signed certificate is used or if the system contains an untrusted or malicious CA.</value>
   </data>
   <data name="TbFetchCert" xml:space="preserve">
     <value>Fetch Certificate</value>

v2rayN/ServiceLib/Resx/ResUI.fa-Ir.resx

@@ -1603,8 +1603,10 @@
     <value>Certificate Pinning</value>
   </data>
   <data name="TbCertPinningTips" xml:space="preserve">
-    <value>Certificat serveur (PEM, optionnel). L’ajout d’un certificat le fixe.
-Ne pas utiliser « Obtenir le certificat » si « Autoriser non sécurisé » est activé.</value>
+    <value>Server Certificate (PEM format, optional)
+When specified, the certificate will be pinned, and "Allow Insecure" will be disabled.
+
+The "Get Certificate" action may fail if a self-signed certificate is used or if the system contains an untrusted or malicious CA.</value>
   </data>
   <data name="TbFetchCert" xml:space="preserve">
     <value>Obtenir le certificat</value>
@@ -1627,4 +1629,4 @@ Ne pas utiliser « Obtenir le certificat » si « Autoriser non sécurisé » es
   <data name="TbSettingsCustomSystemProxyScriptPath" xml:space="preserve">
     <value>Chemin script proxy système personnalisé</value>
   </data>
-</root>
+</root>

v2rayN/ServiceLib/Resx/ResUI.fr.resx

@@ -1606,8 +1606,10 @@
     <value>Certificate Pinning</value>
   </data>
   <data name="TbCertPinningTips" xml:space="preserve">
-    <value>Server certificate (PEM format, optional). Entering a certificate will pin it.
-Do not use the "Fetch Certificate" button when "Allow Insecure" is enabled.</value>
+    <value>Server Certificate (PEM format, optional)
+When specified, the certificate will be pinned, and "Allow Insecure" will be disabled.
+
+The "Get Certificate" action may fail if a self-signed certificate is used or if the system contains an untrusted or malicious CA.</value>
   </data>
   <data name="TbFetchCert" xml:space="preserve">
     <value>Fetch Certificate</value>

v2rayN/ServiceLib/Resx/ResUI.hu.resx

@@ -1606,8 +1606,10 @@
     <value>Certificate Pinning</value>
   </data>
   <data name="TbCertPinningTips" xml:space="preserve">
-    <value>Server certificate (PEM format, optional). Entering a certificate will pin it.
-Do not use the "Fetch Certificate" button when "Allow Insecure" is enabled.</value>
+    <value>Server Certificate (PEM format, optional)
+When specified, the certificate will be pinned, and "Allow Insecure" will be disabled.
+
+The "Get Certificate" action may fail if a self-signed certificate is used or if the system contains an untrusted or malicious CA.</value>
   </data>
   <data name="TbFetchCert" xml:space="preserve">
     <value>Fetch Certificate</value>

v2rayN/ServiceLib/Resx/ResUI.resx

@@ -1606,8 +1606,10 @@
     <value>Certificate Pinning</value>
   </data>
   <data name="TbCertPinningTips" xml:space="preserve">
-    <value>Server certificate (PEM format, optional). Entering a certificate will pin it.
-Do not use the "Fetch Certificate" button when "Allow Insecure" is enabled.</value>
+    <value>Server Certificate (PEM format, optional)
+When specified, the certificate will be pinned, and "Allow Insecure" will be disabled.
+
+The "Get Certificate" action may fail if a self-signed certificate is used or if the system contains an untrusted or malicious CA.</value>
   </data>
   <data name="TbFetchCert" xml:space="preserve">
     <value>Fetch Certificate</value>

v2rayN/ServiceLib/Resx/ResUI.ru.resx

@@ -1603,8 +1603,10 @@
     <value>固定证书</value>
   </data>
   <data name="TbCertPinningTips" xml:space="preserve">
-    <value>服务器证书（PEM 格式，可选）。填入后将固定该证书。
-启用“跳过证书验证”时，请勿使用 '获取证书'。</value>
+    <value>服务器证书（PEM 格式，可选）
+当指定此证书后，将固定该证书，并禁用“跳过证书验证”选项。
+
+“获取证书”操作可能失败，原因可能是使用了自签证书，或系统中存在不受信任或恶意的 CA。</value>
   </data>
   <data name="TbFetchCert" xml:space="preserve">
     <value>获取证书</value>

v2rayN/ServiceLib/Resx/ResUI.zh-Hans.resx

@@ -1603,8 +1603,10 @@
     <value>Certificate Pinning</value>
   </data>
   <data name="TbCertPinningTips" xml:space="preserve">
-    <value>Server certificate (PEM format, optional). Entering a certificate will pin it.
-Do not use the "Fetch Certificate" button when "Allow Insecure" is enabled.</value>
+    <value>Server Certificate (PEM format, optional)
+When specified, the certificate will be pinned, and "Allow Insecure" will be disabled.
+
+The "Get Certificate" action may fail if a self-signed certificate is used or if the system contains an untrusted or malicious CA.</value>
   </data>
   <data name="TbFetchCert" xml:space="preserve">
     <value>Fetch Certificate</value>

v2rayN/ServiceLib/Resx/ResUI.zh-Hant.resx

@@ -261,13 +261,7 @@ private async Task<int> GenOutboundTls(ProfileItem node, Outbound4Sbox outbound)
                 }
                 if (node.StreamSecurity == Global.StreamSecurity)
                 {
-                    var certs = node.Cert
-                        ?.Split("-----END CERTIFICATE-----", StringSplitOptions.RemoveEmptyEntries)
-                        .Select(s => s.TrimEx())
-                        .Where(s => !s.IsNullOrEmpty())
-                        .Select(s => s + "\n-----END CERTIFICATE-----")
-                        .Select(s => s.Replace("\r\n", "\n"))
-                        .ToList() ?? new();
+                    var certs = CertPemManager.ParsePemChain(node.Cert);
                     if (certs.Count > 0)
                     {
                         tls.certificate = certs;