update: support custom tls server name (#2278)

b5aee82c · yuyulei · GitHub · 0a2384a2 · b5aee82c · b5aee82c
5 changed file
--- a/client/control.go
+++ b/client/control.go
@@ -209,13 +209,17 @@ func (ctl *Control) connectServer() (conn net.Conn, err error) {
 		conn = stream
 	} else {
 		var tlsConfig *tls.Config
+		sn := ctl.clientCfg.TLSServerName
+		if sn == "" {
+			sn = ctl.clientCfg.ServerAddr
+		}

 		if ctl.clientCfg.TLSEnable {
 			tlsConfig, err = transport.NewClientTLSConfig(
 				ctl.clientCfg.TLSCertFile,
 				ctl.clientCfg.TLSKeyFile,
 				ctl.clientCfg.TLSTrustedCaFile,
-				ctl.clientCfg.ServerAddr)
+				sn)

 			if err != nil {
 				xl.Warn("fail to build tls configuration when connecting to server, err: %v", err)

--- a/client/service.go
+++ b/client/service.go
@@ -214,11 +214,16 @@ func (svr *Service) login() (conn net.Conn, session *fmux.Session, err error) {
 	xl := xlog.FromContextSafe(svr.ctx)
 	var tlsConfig *tls.Config
 	if svr.cfg.TLSEnable {
+		sn := svr.cfg.TLSServerName
+		if sn == "" {
+			sn = svr.cfg.ServerAddr
+		}
+
 		tlsConfig, err = transport.NewClientTLSConfig(
 			svr.cfg.TLSCertFile,
 			svr.cfg.TLSKeyFile,
 			svr.cfg.TLSTrustedCaFile,
-			svr.cfg.ServerAddr)
+			sn)
 		if err != nil {
 			xl.Warn("fail to build tls configuration when service login, err: %v", err)
 			return

--- a/conf/frpc_full.ini
+++ b/conf/frpc_full.ini
@@ -78,6 +78,7 @@ tls_enable = true
 # tls_cert_file = client.crt
 # tls_key_file = client.key
 # tls_trusted_ca_file = ca.crt
+# tls_server_name = example.com

 # specify a dns server, so frpc will use this instead of default one
 # dns_server = 8.8.8.8

--- a/pkg/config/client.go
+++ b/pkg/config/client.go
@@ -109,17 +109,20 @@ type ClientCommonConf struct {
 	// with the server. If "tls_cert_file" and "tls_key_file" are valid,
 	// client will load the supplied tls configuration.
 	TLSEnable bool `ini:"tls_enable" json:"tls_enable"`
-	// ClientTLSCertPath specifies the path of the cert file that client will
+	// TLSCertPath specifies the path of the cert file that client will
 	// load. It only works when "tls_enable" is true and "tls_key_file" is valid.
 	TLSCertFile string `ini:"tls_cert_file" json:"tls_cert_file"`
-	// ClientTLSKeyPath specifies the path of the secret key file that client
+	// TLSKeyPath specifies the path of the secret key file that client
 	// will load. It only works when "tls_enable" is true and "tls_cert_file"
 	// are valid.
 	TLSKeyFile string `ini:"tls_key_file" json:"tls_key_file"`
-	// TrustedCaFile specifies the path of the trusted ca file that will load.
+	// TLSTrustedCaFile specifies the path of the trusted ca file that will load.
 	// It only works when "tls_enable" is valid and tls configuration of server
 	// has been specified.
 	TLSTrustedCaFile string `ini:"tls_trusted_ca_file" json:"tls_trusted_ca_file"`
+	// TLSServerName specifices the custom server name of tls certificate. By
+	// default, server name if same to ServerAddr.
+	TLSServerName string `ini:"tls_server_name" json:"tls_server_name"`
 	// HeartBeatInterval specifies at what interval heartbeats are sent to the
 	// server, in seconds. It is not recommended to change this value. By
 	// default, this value is 30.

--- a/pkg/config/client_test.go
+++ b/pkg/config/client_test.go
@@ -60,6 +60,7 @@ var (
 		tls_cert_file = client.crt
 		tls_key_file = client.key
 		tls_trusted_ca_file = ca.crt
+		tls_server_name = example.com
 		dns_server = 8.8.8.9
 		start = ssh,dns
 		heartbeat_interval = 39
@@ -280,6 +281,7 @@ func Test_LoadClientCommonConf(t *testing.T) {
 		TLSCertFile:       "client.crt",
 		TLSKeyFile:        "client.key",
 		TLSTrustedCaFile:  "ca.crt",
+		TLSServerName:     "example.com",
 		DNSServer:         "8.8.8.9",
 		Start:             []string{"ssh", "dns"},
 		HeartbeatInterval: 39,