Fix passing self signed cert via arg/env

[lixin9311]

We cannot pass standard x509 cert, which includes at least two EOLs, via argument/env.

This patch fixes the issue with self signed certificates on Android and other clients.

[lixin9311]

btw, this also fixes #65

[lixin9311]

And checking the CA certificate before initializing v2ray would be better. v2ray err handling/logging is a mess.

[lixin9311]

@madeye Could you pls update the Android plugin accordingly to fix the issue? I'm currently using a self-build version to use my self signed certificate.

[Mygod]

I thought DisableSystemRoot is required to make this work. Did you test your change?

[lixin9311]

I thought DisableSystemRoot is required to make this work. Did you test your change?

Yes, I have tested it on Android, the issue mentioned in DisableSystemRoot was caused by appending an invalid cert here.
https://github.com/v2ray/v2ray-core/blob/master/transport/internet/tls/config_other.go#L48

So we won't need to DisableSystemRoot.

[Mygod]

If we are using self signed certificate, we can disable system root certificates to enhance security as we know exactly what certificate we will get, even if the attacker has compromised the root certificate system.

[lixin9311]

Sure, I think it could be another feature. Anyway, this will work either disable system root cert or not.

[Mygod]

Disabling system root cert is also useful for debugging when the your certificate is not self signed.

[lixin9311]

While getting self-signed certs working on Windows, I found an upstream issue here.

https://github.com/v2ray/v2ray-core/blob/master/transport/internet/tls/config_windows.go#L9

v2ray will only load the given self-signed cert when DisableSystemRoot is set. I don't think that is the correct behavior. And it is not consistent with other OSs.

The relevant issue here, v2ray/v2ray-core#1513

I think it should load the given cert, whether the DisableSystemRoot was set or not.

I will send a pull request to upstream. For now, self-signed certs cannot work on Windows until we update the upstream.

[Mygod]

By the way what exactly does this PR fix? I don't think this PR serves any purpose. You are supposed to remove EOLs before passing it to arg.

@madeye Revert?

[lixin9311]

By the way what exactly does this PR fix? I don't think this PR serves any purpose. You are supposed to remove EOLs before passing it to arg.

@madeye Revert?

No. Standard x509 cert in PEM format MUST include at least two EOLs. Removing the EOLs will make the cert invalid.

-----BEGIN ENCRYPTED PRIVATE KEY-----asdfasdfasdf-----END ENCRYPTED PRIVATE KEY-----

Is invalid PEM format

-----BEGIN ENCRYPTED PRIVATE KEY-----
AS_LONG_AS_YOU_WANT
-----END ENCRYPTED PRIVATE KEY-----

Will be a valid PEM private key or cert.

It will fix E v2ray : v2ray.com/core/transport/internet/tls: failed to load system root certificate > v2ray.com/core/transport/internet/tls: append cert to root error.

Along with v2ray/v2ray-core@3b087bf all issues mentioned in #65 will be solved. But unfortunately, the v2ray upstream somehow reverted the patch. It seems like the guy was misconfiguring his certificates v2ray/v2ray-core#1982

[lixin9311]

By the way what exactly does this PR fix? I don't think this PR serves any purpose. You are supposed to remove EOLs before passing it to arg.

@madeye Revert?

Using self-signed cert by passing it -certRaw, which just like Android

After this patch:

Unpatched version (Current HEAD):

[lixin9311]

FYI

https://tools.ietf.org/html/rfc1421#section-4.4

and

https://tools.ietf.org/html/rfc7468

[Mygod]

I see. Thanks.