diff --git a/v2rayN/ServiceLib/Manager/CertPemManager.cs b/v2rayN/ServiceLib/Manager/CertPemManager.cs
index 449592a7..9421aabf 100644
--- a/v2rayN/ServiceLib/Manager/CertPemManager.cs
+++ b/v2rayN/ServiceLib/Manager/CertPemManager.cs
@@ -202,7 +202,7 @@ public class CertPemManager
///
/// Get certificate in PEM format from a server with CA pinning validation
///
- public async Task<(string?, string?)> GetCertPemAsync(string target, string serverName, int timeout = 10)
+ public async Task<(string?, string?)> GetCertPemAsync(string target, string serverName, int timeout = 4)
{
try
{
@@ -216,7 +216,13 @@ public class CertPemManager
using var ssl = new SslStream(client.GetStream(), false, ValidateServerCertificate);
- await ssl.AuthenticateAsClientAsync(serverName);
+ var sslOptions = new SslClientAuthenticationOptions
+ {
+ TargetHost = serverName,
+ RemoteCertificateValidationCallback = ValidateServerCertificate
+ };
+
+ await ssl.AuthenticateAsClientAsync(sslOptions, cts.Token);
var remote = ssl.RemoteCertificate;
if (remote == null)
@@ -242,7 +248,7 @@ public class CertPemManager
///
/// Get certificate chain in PEM format from a server with CA pinning validation
///
- public async Task<(List, string?)> GetCertChainPemAsync(string target, string serverName, int timeout = 10)
+ public async Task<(List, string?)> GetCertChainPemAsync(string target, string serverName, int timeout = 4)
{
var pemList = new List();
try
@@ -257,7 +263,13 @@ public class CertPemManager
using var ssl = new SslStream(client.GetStream(), false, ValidateServerCertificate);
- await ssl.AuthenticateAsClientAsync(serverName);
+ var sslOptions = new SslClientAuthenticationOptions
+ {
+ TargetHost = serverName,
+ RemoteCertificateValidationCallback = ValidateServerCertificate
+ };
+
+ await ssl.AuthenticateAsClientAsync(sslOptions, cts.Token);
if (ssl.RemoteCertificate is not X509Certificate2 certChain)
{
@@ -330,10 +342,74 @@ public class CertPemManager
return TrustedCaThumbprints.Contains(rootThumbprint);
}
- public string ExportCertToPem(X509Certificate2 cert)
+ public static string ExportCertToPem(X509Certificate2 cert)
{
var der = cert.Export(X509ContentType.Cert);
- var b64 = Convert.ToBase64String(der, Base64FormattingOptions.InsertLineBreaks);
+ var b64 = Convert.ToBase64String(der);
return $"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n";
}
+
+ ///
+ /// Parse concatenated PEM certificates string into a list of individual certificates
+ /// Normalizes format: removes line breaks from base64 content for better compatibility
+ ///
+ /// Concatenated PEM certificates string (supports both \r\n and \n line endings)
+ /// List of individual PEM certificate strings with normalized format
+ public static List ParsePemChain(string pemChain)
+ {
+ var certs = new List();
+ if (string.IsNullOrWhiteSpace(pemChain))
+ {
+ return certs;
+ }
+
+ // Normalize line endings (CRLF -> LF) at the beginning
+ pemChain = pemChain.Replace("\r\n", "\n").Replace("\r", "\n");
+
+ const string beginMarker = "-----BEGIN CERTIFICATE-----";
+ const string endMarker = "-----END CERTIFICATE-----";
+
+ var index = 0;
+ while (index < pemChain.Length)
+ {
+ var beginIndex = pemChain.IndexOf(beginMarker, index, StringComparison.Ordinal);
+ if (beginIndex == -1)
+ break;
+
+ var endIndex = pemChain.IndexOf(endMarker, beginIndex, StringComparison.Ordinal);
+ if (endIndex == -1)
+ break;
+
+ // Extract certificate content
+ var base64Start = beginIndex + beginMarker.Length;
+ var base64Content = pemChain.Substring(base64Start, endIndex - base64Start);
+
+ // Remove all whitespace from base64 content
+ base64Content = new string(base64Content.Where(c => !char.IsWhiteSpace(c)).ToArray());
+
+ // Reconstruct with clean format: BEGIN marker + base64 (no line breaks) + END marker
+ var normalizedCert = $"{beginMarker}\n{base64Content}\n{endMarker}\n";
+ certs.Add(normalizedCert);
+
+ // Move to next certificate
+ index = endIndex + endMarker.Length;
+ }
+
+ return certs;
+ }
+
+ ///
+ /// Concatenate a list of PEM certificates into a single string
+ ///
+ /// List of individual PEM certificate strings
+ /// Concatenated PEM certificates string
+ public static string ConcatenatePemChain(IEnumerable pemList)
+ {
+ if (pemList == null)
+ {
+ return string.Empty;
+ }
+
+ return string.Concat(pemList);
+ }
}
diff --git a/v2rayN/ServiceLib/Resx/ResUI.Designer.cs b/v2rayN/ServiceLib/Resx/ResUI.Designer.cs
index dca8f3cd..222baf3c 100644
--- a/v2rayN/ServiceLib/Resx/ResUI.Designer.cs
+++ b/v2rayN/ServiceLib/Resx/ResUI.Designer.cs
@@ -19,7 +19,7 @@ namespace ServiceLib.Resx {
// 类通过类似于 ResGen 或 Visual Studio 的工具自动生成的。
// 若要添加或移除成员,请编辑 .ResX 文件,然后重新运行 ResGen
// (以 /str 作为命令选项),或重新生成 VS 项目。
- [global::System.CodeDom.Compiler.GeneratedCodeAttribute("System.Resources.Tools.StronglyTypedResourceBuilder", "17.0.0.0")]
+ [global::System.CodeDom.Compiler.GeneratedCodeAttribute("System.Resources.Tools.StronglyTypedResourceBuilder", "18.0.0.0")]
[global::System.Diagnostics.DebuggerNonUserCodeAttribute()]
[global::System.Runtime.CompilerServices.CompilerGeneratedAttribute()]
public class ResUI {
@@ -2599,8 +2599,10 @@ namespace ServiceLib.Resx {
}
///
- /// 查找类似 Server certificate (PEM format, optional). Entering a certificate will pin it.
- ///Do not use the "Fetch Certificate" button when "Allow Insecure" is enabled. 的本地化字符串。
+ /// 查找类似 Server Certificate (PEM format, optional)
+ ///When specified, the certificate will be pinned, and "Allow Insecure" will be disabled.
+ ///
+ ///The "Get Certificate" action may fail if a self-signed certificate is used or if the system contains an untrusted or malicious CA. 的本地化字符串。
///
public static string TbCertPinningTips {
get {
diff --git a/v2rayN/ServiceLib/Resx/ResUI.fa-Ir.resx b/v2rayN/ServiceLib/Resx/ResUI.fa-Ir.resx
index 299f6f9f..a35eb3aa 100644
--- a/v2rayN/ServiceLib/Resx/ResUI.fa-Ir.resx
+++ b/v2rayN/ServiceLib/Resx/ResUI.fa-Ir.resx
@@ -1606,8 +1606,10 @@
Certificate Pinning
- Server certificate (PEM format, optional). Entering a certificate will pin it.
-Do not use the "Fetch Certificate" button when "Allow Insecure" is enabled.
+ Server Certificate (PEM format, optional)
+When specified, the certificate will be pinned, and "Allow Insecure" will be disabled.
+
+The "Get Certificate" action may fail if a self-signed certificate is used or if the system contains an untrusted or malicious CA.Fetch Certificate
diff --git a/v2rayN/ServiceLib/Resx/ResUI.fr.resx b/v2rayN/ServiceLib/Resx/ResUI.fr.resx
index e2703fbc..1046c85d 100644
--- a/v2rayN/ServiceLib/Resx/ResUI.fr.resx
+++ b/v2rayN/ServiceLib/Resx/ResUI.fr.resx
@@ -1603,8 +1603,10 @@
Certificate Pinning
- Certificat serveur (PEM, optionnel). L’ajout d’un certificat le fixe.
-Ne pas utiliser « Obtenir le certificat » si « Autoriser non sécurisé » est activé.
+ Server Certificate (PEM format, optional)
+When specified, the certificate will be pinned, and "Allow Insecure" will be disabled.
+
+The "Get Certificate" action may fail if a self-signed certificate is used or if the system contains an untrusted or malicious CA.Obtenir le certificat
@@ -1627,4 +1629,4 @@ Ne pas utiliser « Obtenir le certificat » si « Autoriser non sécurisé » es
Chemin script proxy système personnalisé
-
+
\ No newline at end of file
diff --git a/v2rayN/ServiceLib/Resx/ResUI.hu.resx b/v2rayN/ServiceLib/Resx/ResUI.hu.resx
index dd6a6a63..bf36f7ae 100644
--- a/v2rayN/ServiceLib/Resx/ResUI.hu.resx
+++ b/v2rayN/ServiceLib/Resx/ResUI.hu.resx
@@ -1606,8 +1606,10 @@
Certificate Pinning
- Server certificate (PEM format, optional). Entering a certificate will pin it.
-Do not use the "Fetch Certificate" button when "Allow Insecure" is enabled.
+ Server Certificate (PEM format, optional)
+When specified, the certificate will be pinned, and "Allow Insecure" will be disabled.
+
+The "Get Certificate" action may fail if a self-signed certificate is used or if the system contains an untrusted or malicious CA.Fetch Certificate
diff --git a/v2rayN/ServiceLib/Resx/ResUI.resx b/v2rayN/ServiceLib/Resx/ResUI.resx
index a59d068e..83b73c7d 100644
--- a/v2rayN/ServiceLib/Resx/ResUI.resx
+++ b/v2rayN/ServiceLib/Resx/ResUI.resx
@@ -1606,8 +1606,10 @@
Certificate Pinning
- Server certificate (PEM format, optional). Entering a certificate will pin it.
-Do not use the "Fetch Certificate" button when "Allow Insecure" is enabled.
+ Server Certificate (PEM format, optional)
+When specified, the certificate will be pinned, and "Allow Insecure" will be disabled.
+
+The "Get Certificate" action may fail if a self-signed certificate is used or if the system contains an untrusted or malicious CA.Fetch Certificate
diff --git a/v2rayN/ServiceLib/Resx/ResUI.ru.resx b/v2rayN/ServiceLib/Resx/ResUI.ru.resx
index 59176fa3..fc88148d 100644
--- a/v2rayN/ServiceLib/Resx/ResUI.ru.resx
+++ b/v2rayN/ServiceLib/Resx/ResUI.ru.resx
@@ -1606,8 +1606,10 @@
Certificate Pinning
- Server certificate (PEM format, optional). Entering a certificate will pin it.
-Do not use the "Fetch Certificate" button when "Allow Insecure" is enabled.
+ Server Certificate (PEM format, optional)
+When specified, the certificate will be pinned, and "Allow Insecure" will be disabled.
+
+The "Get Certificate" action may fail if a self-signed certificate is used or if the system contains an untrusted or malicious CA.Fetch Certificate
diff --git a/v2rayN/ServiceLib/Resx/ResUI.zh-Hans.resx b/v2rayN/ServiceLib/Resx/ResUI.zh-Hans.resx
index a58f3c57..438b091f 100644
--- a/v2rayN/ServiceLib/Resx/ResUI.zh-Hans.resx
+++ b/v2rayN/ServiceLib/Resx/ResUI.zh-Hans.resx
@@ -1603,8 +1603,10 @@
固定证书
- 服务器证书(PEM 格式,可选)。填入后将固定该证书。
-启用“跳过证书验证”时,请勿使用 '获取证书'。
+ 服务器证书(PEM 格式,可选)
+当指定此证书后,将固定该证书,并禁用“跳过证书验证”选项。
+
+“获取证书”操作可能失败,原因可能是使用了自签证书,或系统中存在不受信任或恶意的 CA。获取证书
diff --git a/v2rayN/ServiceLib/Resx/ResUI.zh-Hant.resx b/v2rayN/ServiceLib/Resx/ResUI.zh-Hant.resx
index e76a044f..ec29cafa 100644
--- a/v2rayN/ServiceLib/Resx/ResUI.zh-Hant.resx
+++ b/v2rayN/ServiceLib/Resx/ResUI.zh-Hant.resx
@@ -1603,8 +1603,10 @@
Certificate Pinning
- Server certificate (PEM format, optional). Entering a certificate will pin it.
-Do not use the "Fetch Certificate" button when "Allow Insecure" is enabled.
+ Server Certificate (PEM format, optional)
+When specified, the certificate will be pinned, and "Allow Insecure" will be disabled.
+
+The "Get Certificate" action may fail if a self-signed certificate is used or if the system contains an untrusted or malicious CA.Fetch Certificate
diff --git a/v2rayN/ServiceLib/Services/CoreConfig/Singbox/SingboxOutboundService.cs b/v2rayN/ServiceLib/Services/CoreConfig/Singbox/SingboxOutboundService.cs
index 4db9d7cb..9671dc77 100644
--- a/v2rayN/ServiceLib/Services/CoreConfig/Singbox/SingboxOutboundService.cs
+++ b/v2rayN/ServiceLib/Services/CoreConfig/Singbox/SingboxOutboundService.cs
@@ -261,13 +261,7 @@ public partial class CoreConfigSingboxService
}
if (node.StreamSecurity == Global.StreamSecurity)
{
- var certs = node.Cert
- ?.Split("-----END CERTIFICATE-----", StringSplitOptions.RemoveEmptyEntries)
- .Select(s => s.TrimEx())
- .Where(s => !s.IsNullOrEmpty())
- .Select(s => s + "\n-----END CERTIFICATE-----")
- .Select(s => s.Replace("\r\n", "\n"))
- .ToList() ?? new();
+ var certs = CertPemManager.ParsePemChain(node.Cert);
if (certs.Count > 0)
{
tls.certificate = certs;
diff --git a/v2rayN/ServiceLib/Services/CoreConfig/V2ray/V2rayOutboundService.cs b/v2rayN/ServiceLib/Services/CoreConfig/V2ray/V2rayOutboundService.cs
index 73a3a1fd..351c7bf0 100644
--- a/v2rayN/ServiceLib/Services/CoreConfig/V2ray/V2rayOutboundService.cs
+++ b/v2rayN/ServiceLib/Services/CoreConfig/V2ray/V2rayOutboundService.cs
@@ -245,13 +245,6 @@ public partial class CoreConfigV2rayService
var host = node.RequestHost.TrimEx();
var path = node.Path.TrimEx();
var sni = node.Sni.TrimEx();
- var certs = node.Cert
- ?.Split("-----END CERTIFICATE-----", StringSplitOptions.RemoveEmptyEntries)
- .Select(s => s.TrimEx())
- .Where(s => !s.IsNullOrEmpty())
- .Select(s => s + "\n-----END CERTIFICATE-----")
- .Select(s => s.Replace("\r\n", "\n"))
- .ToList() ?? new();
var useragent = "";
if (!_config.CoreBasicItem.DefUserAgent.IsNullOrEmpty())
{
@@ -284,6 +277,7 @@ public partial class CoreConfigV2rayService
{
tlsSettings.serverName = Utils.String2List(host)?.First();
}
+ var certs = CertPemManager.ParsePemChain(node.Cert);
if (certs.Count > 0)
{
var certsettings = new List();
diff --git a/v2rayN/ServiceLib/ViewModels/AddServerViewModel.cs b/v2rayN/ServiceLib/ViewModels/AddServerViewModel.cs
index 221d28d0..804287c5 100644
--- a/v2rayN/ServiceLib/ViewModels/AddServerViewModel.cs
+++ b/v2rayN/ServiceLib/ViewModels/AddServerViewModel.cs
@@ -2,8 +2,6 @@ namespace ServiceLib.ViewModels;
public class AddServerViewModel : MyReactiveObject
{
- private string _certError = string.Empty;
-
[Reactive]
public ProfileItem SelectedSource { get; set; }
@@ -112,11 +110,11 @@ public class AddServerViewModel : MyReactiveObject
}
}
- private void UpdateCertTip()
+ private void UpdateCertTip(string? errorMessage = null)
{
- CertTip = _certError.IsNullOrEmpty()
+ CertTip = errorMessage.IsNullOrEmpty()
? (Cert.IsNullOrEmpty() ? ResUI.CertNotSet : ResUI.CertSet)
- : _certError;
+ : errorMessage;
}
private async Task FetchCert()
@@ -137,17 +135,16 @@ public class AddServerViewModel : MyReactiveObject
}
if (!Utils.IsDomain(serverName))
{
- _certError = ResUI.ServerNameMustBeValidDomain;
- UpdateCertTip();
- _certError = string.Empty;
+ UpdateCertTip(ResUI.ServerNameMustBeValidDomain);
return;
}
if (SelectedSource.Port > 0)
{
domain += $":{SelectedSource.Port}";
}
- (Cert, _certError) = await CertPemManager.Instance.GetCertPemAsync(domain, serverName);
- UpdateCertTip();
+ string certError;
+ (Cert, certError) = await CertPemManager.Instance.GetCertPemAsync(domain, serverName);
+ UpdateCertTip(certError);
}
private async Task FetchCertChain()
@@ -168,17 +165,16 @@ public class AddServerViewModel : MyReactiveObject
}
if (!Utils.IsDomain(serverName))
{
- _certError = ResUI.ServerNameMustBeValidDomain;
- UpdateCertTip();
- _certError = string.Empty;
+ UpdateCertTip(ResUI.ServerNameMustBeValidDomain);
return;
}
if (SelectedSource.Port > 0)
{
domain += $":{SelectedSource.Port}";
}
- (var certs, _certError) = await CertPemManager.Instance.GetCertChainPemAsync(domain, serverName);
- UpdateCertTip();
- Cert = string.Join("\n", certs);
+ string certError;
+ (var certs, certError) = await CertPemManager.Instance.GetCertChainPemAsync(domain, serverName);
+ Cert = CertPemManager.ConcatenatePemChain(certs);
+ UpdateCertTip(certError);
}
}
diff --git a/v2rayN/v2rayN.Desktop/Views/AddServerWindow.axaml b/v2rayN/v2rayN.Desktop/Views/AddServerWindow.axaml
index f01da56d..95c9891b 100644
--- a/v2rayN/v2rayN.Desktop/Views/AddServerWindow.axaml
+++ b/v2rayN/v2rayN.Desktop/Views/AddServerWindow.axaml
@@ -800,9 +800,11 @@
+ Text="{x:Static resx:ResUI.TbCertPinningTips}"
+ TextWrapping="Wrap" />
+ TextWrapping="NoWrap" />
diff --git a/v2rayN/v2rayN/Views/AddServerWindow.xaml b/v2rayN/v2rayN/Views/AddServerWindow.xaml
index 699e4911..64a42cb5 100644
--- a/v2rayN/v2rayN/Views/AddServerWindow.xaml
+++ b/v2rayN/v2rayN/Views/AddServerWindow.xaml
@@ -1021,6 +1021,7 @@
Style="{StaticResource MaterialDesignToolForegroundPopupBox}">
@@ -1044,11 +1043,13 @@
x:Name="txtCert"
Width="400"
Margin="{StaticResource Margin4}"
- VerticalAlignment="Center"
AcceptsReturn="True"
+ HorizontalScrollBarVisibility="Auto"
+ MaxLines="18"
MinLines="6"
Style="{StaticResource MyOutlinedTextBox}"
- TextWrapping="Wrap" />
+ TextWrapping="NoWrap"
+ VerticalScrollBarVisibility="Auto" />