Certificate is not working for TLS with self-signed .cer

[ccloli]

If the server side using a self-signed certificate, and the certificate using an invalid host name, the client cannot connect to the server, as the server side logs remote error: tls: bad certificate.

For example, I configured a server on 1.2.3.4, and self-signed a certificate and its host name is example.com (but I'm not holding it, so accessing the domain directly won't be my server). Then on the client side, I set the server to 1.2.3.4, and specified Hostname in plugin options as example.com, and paste the base64-encoded certificate content. Then I started the connection, but it's not working, server-side says remote error: tls: bad certificate.

The same configuration is working on Windows by importing the .cer file to trusted root certificate, and working on iOS by ignoring SSL error.

[nullstd]

I recently also met this problem, the root cause should lie in how this plugin handles certRaw generated from user inputs on Android, is there a way to show the data received by shadowsocks-android from this plugin?

[lixin9311]

Already fixed in the upstream shadowsocks/v2ray-plugin#128

@madeye Please make a new release?

[lixin9311]

The root cause was well-explained in the pull request.

Although I think it should be fixed on the caller side (e.g. Android app / WinGUI)...
It's difficult to set a multiline env/parameter right.
(see ProxyInstance.kt#L117, it stores the plugin config into JSON, which does not allow real line-breaks)
For the WinGUI, it's the UI design. (I would recommend you to pass the file instead of the content)

Maybe we should obsolete JSON, and start to use YAML.
Anyway, it the current fix for Android.

[Mygod]

JSON supports line break properly (have you tried \n). Personally I don't see why YAML is better than JSON. I would in fact argue for the opposite as JSON is typed.

[lixin9311]

FYI, https://www.gun.io/blog/multi-line-strings-in-json .
\n will not be treated as an escape sequence in JSON.
You can process those \n into line breaks after decoding the JSON. But that would not be standard behavior.

[nullstd]

I agree with @Mygod , it's OK to use \n in JSON string.

Also when I tested self-signed certificate using the build from this https://circleci.com/gh/shadowsocks/v2ray-plugin/20#artifacts, I tried both cert and certRaw(MUST use the original format including all the \n from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----, basically it just means you open the certificate file and copy all the content without any modifications, then paste it after certRaw=, it might look ugly but it works) parameters both on FreeBSD, they all work perfectly.

But when I tried the exactly same settings on Android, it never succeeds.

[lixin9311]

I agree with @Mygod , it's OK to use \n in JSON string.

Also when I tested self-signed certificate using the build from this https://circleci.com/gh/shadowsocks/v2ray-plugin/20#artifacts, I tried both cert and certRaw(MUST use the original format including all the \n from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----, basically it just means you open the certificate file and copy all the content without any modifications, then paste it after certRaw=, it might look ugly but it works) parameters both on FreeBSD, they all work perfectly.

But when I tried the exactly same settings on Android, it never succeeds.

I don't know which version of plugin and which implementation of ss are you testing.

Have you tried a JSON validator before use it?

[ccloli]

\n will not be treated as an escape sequence in JSON.

@lixin9311 JSON comes from JavaScript, and in JavaScript, \n is the line break. And from JSON spec, it lists \n as linefeed escape character, so using \n in JSON is fine.

[lixin9311]

sry, my bad, I mean it should be:

{
  "var" : "first line
second line"
}

you mean:

{
  "var" : "first line\nsecond line"
}

[nullstd]

The root cause should be this:

After user inputs the PEM format certificate, the following code removes all the \n in it, which is wrong. To generate valid certificates from the PEM format certificate, all those \ns are necessary.

v2ray-plugin-android/app/src/main/java/com/github/shadowsocks/plugin/v2ray/ConfigFragment.kt#L66

        putWithDefault("certRaw", certRaw.text?.replace("\n", ""), "")

In addition, the following code also prevents from passing in the original PEM format certificate through plugin options.

shadowsocks-android/plugin/src/main/java/com/github/shadowsocks/plugin/PluginOptions.kt#L41

        check(options.all { !it.isISOControl() }) { "No control characters allowed." }

In order to fix this we need to come up with a solution to safely pass PEM format certificate. I have thought about using Base64 to encode/decode the certificate, what do you guys think?

@Mygod

[Mygod]

We cannot allow control characters. We could try removing the begin end lines and add it later.

[nullstd]

The problem is not only about the begin end lines, removing all the \n in raw certificate file violates the PEM certificate file format. Therefore if control characters are not accepted, maybe we'd better replace certRaw with cert64(Base64 encoded certificate, so that it's a single line without control characters), but this also needs changes from v2ray-plugin repository.

[Mygod]

Are you sure about that? I read RFC and I think it should be fine.

[nullstd]

Here is the code related to certRaw from v2ray-plugin:

https://github.com/shadowsocks/v2ray-plugin/blob/59b8f4fc46c7be399dad0620121a89efa656dc9c/main.go#L185-L191

		} else if *cert != "" || *certRaw != "" {
			certificate := tls.Certificate{Usage: tls.Certificate_AUTHORITY_VERIFY}
			certificate.Certificate, err = readCertificate()
			if err != nil {
				return nil, newError("failed to read cert").Base(err)
			}
			tlsConfig.Certificate = []*tls.Certificate{&certificate}

v2ray-plugin is written in Go, and Go Language API needs the original format without removing \ns, check the examples here:

https://golang.org/pkg/crypto/tls/#example_X509KeyPair

[ccloli]

Removing \n in the base64 content should be fine, but \n after the first line (-----BEGIN CERTIFICATE-----) and before the last line (-----END CERTIFICATE-----) should be kept, or you'll get tls: failed to find any PEM data in certificate input.

Is it possible to allow control characters? Or just escape them like replacing \n as \\n and replacing them back from the plugin? Or in worst adding \n after the first line and before the last line automatically inside the plugin?

BTW does certRaw option also work in v2ray-plugin CLI? If so, how does the CLI handle the new lines?