feat: enhance TLS configuration by regenerating RAM cert with TLS 1.3 in tunnel handshake for improved security control

Author: 𝐘𝐨𝐬𝐞𝐛𝐲𝐭𝐞

internal/common.go

@@ -1031,7 +1031,7 @@ func (c *Common) setControlConn() error {
 	}()
 
 	if c.tlsCode == "1" {
-		c.logger.Info("TLS code-1: certificate fingerprint verifying...")
+		c.logger.Info("TLS code-1: RAM cert fingerprint verifying...")
 	}
 	return nil
 }
@@ -1594,7 +1594,7 @@ func (c *Common) outgoingVerify(signal Signal) {
 		return
 	}
 
-	c.logger.Info("TLS code-1: certificate fingerprint verified: %v", fingerPrint)
+	c.logger.Info("TLS code-1: RAM cert fingerprint verified: %v", fingerPrint)
 
 	// 通知验证完成
 	c.verifyChan <- struct{}{}

internal/server.go

@@ -17,6 +17,7 @@ import (
 	"syscall"
 	"time"
 
+	"github.com/NodePassProject/cert"
 	"github.com/NodePassProject/logs"
 	"github.com/NodePassProject/nph2"
 	"github.com/NodePassProject/npws"
@@ -267,6 +268,17 @@ func (s *Server) tunnelHandshake() error {
 	case <-done:
 		server.Close()
 		s.clientIP = clientIP
+
+		if s.tlsCode == "1" {
+			if newTLSConfig, err := cert.NewTLSConfig(""); err == nil {
+				newTLSConfig.MinVersion = tls.VersionTLS13
+				s.tlsConfig = newTLSConfig
+				s.logger.Info("TLS code-1: RAM cert regenerated with TLS 1.3")
+			} else {
+				s.logger.Warn("Failed to regenerate RAM cert: %v", err)
+			}
+		}
+
 		s.tunnelListener, _ = net.ListenTCP("tcp", s.tunnelTCPAddr)
 		return nil
 	case <-s.ctx.Done():