diff --git a/client/control.go b/client/control.go index 4d16ce99..42cc0464 100644 --- a/client/control.go +++ b/client/control.go @@ -209,13 +209,17 @@ func (ctl *Control) connectServer() (conn net.Conn, err error) { conn = stream } else { var tlsConfig *tls.Config + sn := ctl.clientCfg.TLSServerName + if sn == "" { + sn = ctl.clientCfg.ServerAddr + } if ctl.clientCfg.TLSEnable { tlsConfig, err = transport.NewClientTLSConfig( ctl.clientCfg.TLSCertFile, ctl.clientCfg.TLSKeyFile, ctl.clientCfg.TLSTrustedCaFile, - ctl.clientCfg.ServerAddr) + sn) if err != nil { xl.Warn("fail to build tls configuration when connecting to server, err: %v", err) diff --git a/client/service.go b/client/service.go index 56b70db8..c1627022 100644 --- a/client/service.go +++ b/client/service.go @@ -214,11 +214,16 @@ func (svr *Service) login() (conn net.Conn, session *fmux.Session, err error) { xl := xlog.FromContextSafe(svr.ctx) var tlsConfig *tls.Config if svr.cfg.TLSEnable { + sn := svr.cfg.TLSServerName + if sn == "" { + sn = svr.cfg.ServerAddr + } + tlsConfig, err = transport.NewClientTLSConfig( svr.cfg.TLSCertFile, svr.cfg.TLSKeyFile, svr.cfg.TLSTrustedCaFile, - svr.cfg.ServerAddr) + sn) if err != nil { xl.Warn("fail to build tls configuration when service login, err: %v", err) return diff --git a/conf/frpc_full.ini b/conf/frpc_full.ini index 12b92b6c..01432cc0 100644 --- a/conf/frpc_full.ini +++ b/conf/frpc_full.ini @@ -78,6 +78,7 @@ tls_enable = true # tls_cert_file = client.crt # tls_key_file = client.key # tls_trusted_ca_file = ca.crt +# tls_server_name = example.com # specify a dns server, so frpc will use this instead of default one # dns_server = 8.8.8.8 diff --git a/pkg/config/client.go b/pkg/config/client.go index 4db46206..ed47e316 100644 --- a/pkg/config/client.go +++ b/pkg/config/client.go @@ -109,17 +109,20 @@ type ClientCommonConf struct { // with the server. If "tls_cert_file" and "tls_key_file" are valid, // client will load the supplied tls configuration. TLSEnable bool `ini:"tls_enable" json:"tls_enable"` - // ClientTLSCertPath specifies the path of the cert file that client will + // TLSCertPath specifies the path of the cert file that client will // load. It only works when "tls_enable" is true and "tls_key_file" is valid. TLSCertFile string `ini:"tls_cert_file" json:"tls_cert_file"` - // ClientTLSKeyPath specifies the path of the secret key file that client + // TLSKeyPath specifies the path of the secret key file that client // will load. It only works when "tls_enable" is true and "tls_cert_file" // are valid. TLSKeyFile string `ini:"tls_key_file" json:"tls_key_file"` - // TrustedCaFile specifies the path of the trusted ca file that will load. + // TLSTrustedCaFile specifies the path of the trusted ca file that will load. // It only works when "tls_enable" is valid and tls configuration of server // has been specified. TLSTrustedCaFile string `ini:"tls_trusted_ca_file" json:"tls_trusted_ca_file"` + // TLSServerName specifices the custom server name of tls certificate. By + // default, server name if same to ServerAddr. + TLSServerName string `ini:"tls_server_name" json:"tls_server_name"` // HeartBeatInterval specifies at what interval heartbeats are sent to the // server, in seconds. It is not recommended to change this value. By // default, this value is 30. diff --git a/pkg/config/client_test.go b/pkg/config/client_test.go index 9ad85e38..874421d1 100644 --- a/pkg/config/client_test.go +++ b/pkg/config/client_test.go @@ -60,6 +60,7 @@ var ( tls_cert_file = client.crt tls_key_file = client.key tls_trusted_ca_file = ca.crt + tls_server_name = example.com dns_server = 8.8.8.9 start = ssh,dns heartbeat_interval = 39 @@ -280,6 +281,7 @@ func Test_LoadClientCommonConf(t *testing.T) { TLSCertFile: "client.crt", TLSKeyFile: "client.key", TLSTrustedCaFile: "ca.crt", + TLSServerName: "example.com", DNSServer: "8.8.8.9", Start: []string{"ssh", "dns"}, HeartbeatInterval: 39,