Reject SSL handshake for unknown SNI for panel and subscription ports #1328
Labels: enhancement (New feature or request), low priority (It should be done in proper time), to deploy (To be deployed during the time)
Is your feature request related to a problem? Please describe.
When the panel is set to listen on a specific domain, if we use this command
curl https://panelIP:panelPort -Ivk
we will see the certificate CN that was used on the panel. An attacker could use the certificate CN as SNI to try to connect to the server.
Describe the solution you'd like
Like xray-core's rejectUnknownSni feature, I think it would be better:
When the panel is set to listen on a specific domain, if the SNI does not match the domain specified, the server would reject TLS handshakes altogether and would not announce the certificate CN specified on the server.
Something like nginx's ssl_reject_handshake directive.
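As an added illustration of the behaviour requested above (example code written for this issue, not code from 3x-ui, xray-core or nginx): in Go's crypto/tls the same effect as `ssl_reject_handshake` / `rejectUnknownSni` can be obtained by deciding in `GetCertificate`, which runs after the ClientHello is parsed and before any Certificate message is written. Returning an error there makes the server send a fatal alert and abort, so a probe that connects by IP (no SNI) or with a guessed name never sees the CN. The domain `panel.example.com`, the self-signed certificate and the `probe` helper are constructed for the demonstration; the loopback listener only exists so the example can run stand-alone.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// ErrUnknownSNI is returned from GetCertificate when the ClientHello carries no
// server_name or one that differs from the configured panel domain. crypto/tls
// then sends a fatal alert and aborts before a Certificate message is written,
// so the CN/SAN is never disclosed to IP-only or wrong-name probes.
var ErrUnknownSNI = errors.New("tls: SNI missing or unknown, handshake rejected")

// strictSNIConfig returns a server tls.Config that only completes a handshake
// when the client's SNI equals domain (compared case-insensitively).
func strictSNIConfig(domain string, cert tls.Certificate) *tls.Config {
	want := strings.ToLower(domain)
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
			if strings.ToLower(hello.ServerName) != want {
				return nil, ErrUnknownSNI
			}
			return &cert, nil
		},
	}
}

// selfSignedCert creates a throwaway ECDSA certificate for cn. This is
// constructed test data standing in for the panel's real certificate.
func selfSignedCert(cn string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// probe performs one handshake against a strict-SNI server over loopback using
// the given SNI (empty string = no SNI, like "curl https://IP:port -Ivk") and
// returns the CN the client learned. An empty CN with a non-nil error means the
// server refused the handshake before sending any certificate.
func probe(cfg *tls.Config, sni string) (string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			srvErr <- err
			return
		}
		defer raw.Close()
		srvErr <- tls.Server(raw, cfg).Handshake()
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return "", err
	}
	defer raw.Close()
	// InsecureSkipVerify only mirrors curl -k: we want to see what a client
	// receives, not whether it would trust it.
	c := tls.Client(raw, &tls.Config{ServerName: sni, InsecureSkipVerify: true, MinVersion: tls.VersionTLS12})
	if err := c.Handshake(); err != nil {
		<-srvErr
		return "", err
	}
	<-srvErr
	return c.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}

func main() {
	cert, err := selfSignedCert("panel.example.com")
	if err != nil {
		panic(err)
	}
	cfg := strictSNIConfig("panel.example.com", cert)
	for _, sni := range []string{"", "other.example.com", "panel.example.com"} {
		cn, err := probe(cfg, sni)
		fmt.Printf("SNI %-20q -> CN %q, err=%v\n", sni, cn, err)
	}
}
```

Only the connection that presents the configured name completes and receives the certificate; the no-SNI and wrong-name probes fail with a fatal alert and learn nothing about the CN. Go's public API only lets `GetCertificate` trigger an `internal_error` alert, whereas nginx's `ssl_reject_handshake` answers with `unrecognized_name`; the information-hiding effect is the same.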