add -ca option for client

IrineSistiana · Jun 3, 2020 · 3624633 · 3624633
1 parent 3e0062f
commit 3624633
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 6 deletions.
diff --git a/README.md b/README.md
@@ -36,8 +36,10 @@ Download here: [release](https://github.com/IrineSistiana/simple-tls/releases)
     # Run as a client
     -n string
         Server certificate name
+    -ca string
+        PEM CA file path. [This imports a file]
     -cca string
-        A base64 encoded PEM CA certificate. Used to verify the identity of the server.
+        A base64 encoded PEM CA certificate. [This imports a base64 string]
 
     # Run as a server
     -s    
@@ -90,9 +92,9 @@ Take [shadowsocks-libev](https://github.com/shadowsocks/shadowsocks-libev) as an
 
 To start a server, the argument `-key` and `-cert` are required. Because simple-tls needs a certificate to establish real TLS1.3 connections.
 
-For your safety, the server certificate verification in simple-tls **can't be disabled**. You need to use `-cca` argument to import the CA certificate in the client if you are using a self-signed certificate in server.
+For your safety, the server certificate verification in simple-tls **can't be disabled**. You need to use `-cca` or `-ca` argument to import the CA certificate in the client if you are using a self-signed certificate in server.
 
-In the test environment, you can use `-gen-cert` in server to quickly generate an ECC certificate, and use `-cca` in the client to import its cert as CA.
+In the test environment, you can use `-gen-cert` in server to quickly generate an ECC certificate, and use `-cca` or `-ca` in the client to import its cert as CA.
 
 ## Tips for speed and stability
 

diff --git a/main.go b/main.go
@@ -24,6 +24,7 @@ import (
 	"encoding/base64"
 	"flag"
 	"fmt"
+	"io/ioutil"
 	"log"
 	"net"
 	"os"
@@ -45,7 +46,7 @@ func main() {
 		os.Exit(0)
 	}()
 
-	var bindAddr, dstAddr, serverName, cca, cert, key, path string
+	var bindAddr, dstAddr, serverName, cca, ca, cert, key, path string
 	var isServer, wss, sendRandomHeader, tfo, vpn, genCert bool
 	var cpu int
 	var timeout time.Duration
@@ -61,7 +62,8 @@ func main() {
 
 	// client only
 	commandLine.StringVar(&serverName, "n", "", "server name")
-	commandLine.StringVar(&cca, "cca", "", "base64 encoded PEM CA. Client will use it to varify the server")
+	commandLine.StringVar(&ca, "ca", "", "PEM CA file path")
+	commandLine.StringVar(&cca, "cca", "", "base64 encoded PEM CA")
 
 	// server only
 	commandLine.BoolVar(&isServer, "s", false, "is server")
@@ -199,7 +201,9 @@ func main() {
 			host = strings.SplitN(bindAddr, ":", 2)[0]
 		}
 		var rootCAs *x509.CertPool
-		if len(cca) != 0 {
+
+		switch {
+		case len(cca) != 0:
 			cca = strings.TrimRight(cca, "=")
 			pem, err := base64.RawStdEncoding.DecodeString(cca)
 			if err != nil {
@@ -210,6 +214,15 @@ func main() {
 			if ok := rootCAs.AppendCertsFromPEM(pem); !ok {
 				log.Fatal("main: AppendCertsFromPEM failed, cca is invaild")
 			}
+		case len(ca) != 0:
+			rootCAs = x509.NewCertPool()
+			certPEMBlock, err := ioutil.ReadFile(ca)
+			if err != nil {
+				log.Fatalf("main: ReadFile ca [%s], %v", ca, err)
+			}
+			if ok := rootCAs.AppendCertsFromPEM(certPEMBlock); !ok {
+				log.Fatal("main: AppendCertsFromPEM failed, ca is invaild")
+			}
 		}
 
 		lc := net.ListenConfig{}