fix: Resolve certificate validate failure Issues (#9698)

2025-10-12 16:36:12 +08:00 · 2025-07-28 15:36:10 +08:00 · 2025-07-28 15:36:10 +08:00 · 134b17d2f0
commit 134b17d2f0
parent 3af254cdda
3 changed files with 35 additions and 9 deletions
--- a/agent/middleware/certificate.go
+++ b/agent/middleware/certificate.go
@ -1,13 +1,15 @@
 package middleware
 import (
 	"errors"
 	"fmt"
 	"net"
 	"net/http"
 	"strings"
 	"github.com/1Panel-dev/1Panel/agent/app/api/v2/helper"
 	"github.com/1Panel-dev/1Panel/agent/global"
 	"github.com/1Panel-dev/1Panel/agent/utils/cmd"
 	"github.com/1Panel-dev/1Panel/agent/utils/xpack"
 	"github.com/gin-gonic/gin"
 )
@ -17,13 +19,8 @@ func Certificate() gin.HandlerFunc {
 			c.Next()
 			return
 		}
-		if !c.Request.TLS.HandshakeComplete || len(c.Request.TLS.PeerCertificates) == 0 {
+		if !xpack.ValidateCertificate(c) {
-			helper.InternalServer(c, errors.New("no such tls peer certificates"))
+			CloseDirectly(c)
 			return
 		}
 		cert := c.Request.TLS.PeerCertificates[0]
 		if cert.Subject.CommonName != "panel_client" {
 			helper.InternalServer(c, fmt.Errorf("err certificate"))
 			return
 		}
 		conn := c.Request.Header.Get("Connection")
@ -40,3 +37,18 @@ func Certificate() gin.HandlerFunc {
 		c.Next()
 	}
 }
 func CloseDirectly(c *gin.Context) {
 	hijacker, ok := c.Writer.(http.Hijacker)
 	if !ok {
 		c.AbortWithStatus(http.StatusForbidden)
 		return
 	}
 	conn, _, err := hijacker.Hijack()
 	if err != nil {
 		c.AbortWithStatus(http.StatusForbidden)
 		return
 	}
 	_ = conn.(*net.TCPConn).SetLinger(0)
 	conn.Close()
 }
--- a/agent/server/server.go
+++ b/agent/server/server.go
@ -2,6 +2,7 @@ package server
 import (
 	"crypto/tls"
 	"crypto/x509"
 	"fmt"
 	"net"
 	"net/http"
@ -78,9 +79,17 @@ func Start() {
 			fmt.Printf("failed to load X.509 key pair: %s\n", err)
 			return
 		}
 		server.TLSConfig = &tls.Config{
 			Certificates: []tls.Certificate{tlsCert},
-			ClientAuth:   tls.RequireAnyClientCert,
+			ClientAuth:   tls.RequireAndVerifyClientCert,
 		}
 		caItem, _ := settingRepo.GetValueByKey("RootCrt")
 		if len(caItem) != 0 {
 			caCertPool := x509.NewCertPool()
 			rootCrt, _ := encrypt.StringDecrypt(caItem)
 			caCertPool.AppendCertsFromPEM([]byte(rootCrt))
 			server.TLSConfig.ClientCAs = caCertPool
 		}
 		business.Init()
 		global.LOG.Infof("listen at https://0.0.0.0:%s", global.CONF.Base.Port)
--- a/agent/utils/xpack/xpack.go
+++ b/agent/utils/xpack/xpack.go
@ -15,6 +15,7 @@ import (
 	"github.com/1Panel-dev/1Panel/agent/buserr"
 	"github.com/1Panel-dev/1Panel/agent/global"
 	"github.com/1Panel-dev/1Panel/agent/utils/cmd"
 	"github.com/gin-gonic/gin"
 )
 func RemoveTamper(website string) {}
@ -72,3 +73,7 @@ func LoadRequestTransport() *http.Transport {
 		IdleConnTimeout:       15 * time.Second,
 	}
 }
 func ValidateCertificate(c *gin.Context) bool {
 	return true
 }