Merge pull request #86 from NodePassProject/main

TLS Verification Logic Improvements, Channel Initialization Consistency

Author: 𝐘𝐨𝐬𝐞𝐛𝐲𝐭𝐞

README.md

@@ -112,7 +112,9 @@ The [NodePassProject](https://github.com/NodePassProject) organization develops
 
 ## 📄 License
 
-Project **NodePass** is licensed under the [BSD 3-Clause License](LICENSE).
+- Project **NodePass** is licensed under the [BSD 3-Clause License](LICENSE), which applies to the source code only.
+
+- The **NodePass** name, logo, and official project identity are not covered by the code license and may not be used without explicit authorization.
 
 ## ⚖️ Disclaimer
 
@@ -147,11 +149,6 @@ This project is provided "as is" without any warranties. Users assume all risks
       <a href="https://vps.town"><img src="https://cdn.yobc.de/assets/vpstown.png"></a>
     </td>
   </tr>
-  <tr>
-    <td width="240" align="center">
-      <a href="https://evolution-host.com/vps-hosting.php"><img src="https://cdn.yobc.de/assets/evohost.png"></a>
-    </td>
-  </tr>
 </table>
 
 ## ⭐ Stargazers

README_zh.md

@@ -112,7 +112,9 @@ nodepass "master://:10101/api?log=debug&tls=1"
 
 ## 📄 许可协议
 
-**NodePass** 项目根据 [BSD 3-Clause 许可证](LICENSE)授权。
+- **NodePass** 项目根据 [BSD 3-Clause 许可证](LICENSE)授权，该许可仅适用于源代码本身。
+
+- **NodePass** 项目名称、Logo 及官方身份标识不包含在代码许可中，未经明确授权不得使用。
 
 ## ⚖️ 免责声明
 
@@ -147,13 +149,8 @@ nodepass "master://:10101/api?log=debug&tls=1"
       <a href="https://vps.town"><img src="https://cdn.yobc.de/assets/vpstown.png"></a>
     </td>
   </tr>
-  <tr>
-    <td width="240" align="center">
-      <a href="https://evolution-host.com/vps-hosting.php"><img src="https://cdn.yobc.de/assets/evohost.png"></a>
-    </td>
-  </tr>
 </table>
 
-## ⭐ Star趋势
+## ⭐ Star 趋势
 
 [![Stargazers over time](https://starchart.cc/yosebyte/nodepass.svg?variant=adaptive)](https://starchart.cc/yosebyte/nodepass)

internal/client.go

@@ -33,6 +33,7 @@ func NewClient(parsedURL *url.URL, logger *logs.Logger) (*Client, error) {
 			logger:     logger,
 			signalChan: make(chan Signal, semaphoreLimit),
 			writeChan:  make(chan []byte, semaphoreLimit),
+			verifyChan: make(chan struct{}),
 			tcpBufferPool: &sync.Pool{
 				New: func() any {
 					buf := make([]byte, tcpDataBufSize)
@@ -282,9 +283,6 @@ func (c *Client) tunnelHandshake() error {
 	c.maxPoolCapacity = config.Max
 	c.tlsCode = config.TLS
 	c.poolType = config.Type
-	if c.tlsCode == "1" || c.tlsCode == "2" {
-		c.verifyChan = make(chan struct{})
-	}
 
 	c.logger.Info("Loading tunnel config: FLOW=%v|MAX=%v|TLS=%v|TYPE=%v",
 		c.dataFlow, c.maxPoolCapacity, c.tlsCode, c.poolType)

internal/common.go

@@ -1030,8 +1030,8 @@ func (c *Common) setControlConn() error {
 		}
 	}()
 
-	if c.tlsCode == "1" || c.tlsCode == "2" {
-		c.logger.Info("TLS certificate fingerprint verifying...")
+	if c.tlsCode == "1" {
+		c.logger.Info("TLS code-1: RAM cert fingerprint verifying...")
 	}
 	return nil
 }
@@ -1107,11 +1107,11 @@ func (c *Common) healthCheck() error {
 	ticker := time.NewTicker(reportInterval)
 	defer ticker.Stop()
 
-	if c.tlsCode == "1" || c.tlsCode == "2" {
+	if c.tlsCode == "1" {
 		go func() {
 			select {
 			case <-c.ctx.Done():
-			case <-ticker.C:
+			case <-time.After(reportInterval):
 				c.incomingVerify()
 			}
 		}()
@@ -1203,15 +1203,15 @@ func (c *Common) incomingVerify() {
 		c.writeChan <- c.encode(signalData)
 	}
 
-	c.logger.Debug("TLS verify signal: cid %v -> %v", id, c.controlConn.RemoteAddr())
+	c.logger.Debug("TLS code-1: verify signal: cid %v -> %v", id, c.controlConn.RemoteAddr())
 }
 
 // commonLoop 共用处理循环
 func (c *Common) commonLoop() {
 	for c.ctx.Err() == nil {
 		// 等待连接池准备就绪
 		if c.tunnelPool.Ready() {
-			if c.verifyChan != nil {
+			if c.tlsCode == "1" {
 				select {
 				case <-c.verifyChan:
 					// 证书验证完成
@@ -1475,7 +1475,7 @@ func (c *Common) commonOnce() error {
 			// 处理信号
 			switch signal.ActionType {
 			case "verify":
-				if c.tlsCode == "1" || c.tlsCode == "2" {
+				if c.tlsCode == "1" {
 					go c.outgoingVerify(signal)
 				}
 			case "tcp":
@@ -1594,12 +1594,10 @@ func (c *Common) outgoingVerify(signal Signal) {
 		return
 	}
 
-	c.logger.Info("TLS certificate fingerprint verified: %v", fingerPrint)
+	c.logger.Info("TLS code-1: RAM cert fingerprint verified: %v", fingerPrint)
 
 	// 通知验证完成
-	if c.verifyChan != nil {
-		c.verifyChan <- struct{}{}
-	}
+	c.verifyChan <- struct{}{}
 }
 
 // commonTCPOnce 共用处理单个TCP请求

internal/server.go

@@ -17,6 +17,7 @@ import (
 	"syscall"
 	"time"
 
+	"github.com/NodePassProject/cert"
 	"github.com/NodePassProject/logs"
 	"github.com/NodePassProject/nph2"
 	"github.com/NodePassProject/npws"
@@ -37,6 +38,7 @@ func NewServer(parsedURL *url.URL, tlsCode string, tlsConfig *tls.Config, logger
 			logger:     logger,
 			signalChan: make(chan Signal, semaphoreLimit),
 			writeChan:  make(chan []byte, semaphoreLimit),
+			verifyChan: make(chan struct{}),
 			tcpBufferPool: &sync.Pool{
 				New: func() any {
 					buf := make([]byte, tcpDataBufSize)
@@ -213,10 +215,6 @@ func (s *Server) initTunnelPool() error {
 
 // tunnelHandshake 与客户端进行HTTP握手
 func (s *Server) tunnelHandshake() error {
-	if s.tlsCode == "1" || s.tlsCode == "2" {
-		s.verifyChan = make(chan struct{})
-	}
-
 	var clientIP string
 	done := make(chan struct{})
 
@@ -270,6 +268,17 @@ func (s *Server) tunnelHandshake() error {
 	case <-done:
 		server.Close()
 		s.clientIP = clientIP
+
+		if s.tlsCode == "1" {
+			if newTLSConfig, err := cert.NewTLSConfig(""); err == nil {
+				newTLSConfig.MinVersion = tls.VersionTLS13
+				s.tlsConfig = newTLSConfig
+				s.logger.Info("TLS code-1: RAM cert regenerated with TLS 1.3")
+			} else {
+				s.logger.Warn("Failed to regenerate RAM cert: %v", err)
+			}
+		}
+
 		s.tunnelListener, _ = net.ListenTCP("tcp", s.tunnelTCPAddr)
 		return nil
 	case <-s.ctx.Done():