Optimize Cert Pinning (#8282)

v2rayN/ServiceLib/Manager/CertPemManager.cs

@@ -202,7 +202,7 @@ public class CertPemManager
     /// <summary>
     /// Get certificate in PEM format from a server with CA pinning validation
     /// </summary>
-    public async Task<(string?, string?)> GetCertPemAsync(string target, string serverName, int timeout = 10)
+    public async Task<(string?, string?)> GetCertPemAsync(string target, string serverName, int timeout = 4)
     {
         try
         {
@@ -216,7 +216,13 @@ public class CertPemManager
 
             using var ssl = new SslStream(client.GetStream(), false, ValidateServerCertificate);
 
-            await ssl.AuthenticateAsClientAsync(serverName);
+            var sslOptions = new SslClientAuthenticationOptions
+            {
+                TargetHost = serverName,
+                RemoteCertificateValidationCallback = ValidateServerCertificate
+            };
+
+            await ssl.AuthenticateAsClientAsync(sslOptions, cts.Token);
 
             var remote = ssl.RemoteCertificate;
             if (remote == null)
@@ -242,7 +248,7 @@ public class CertPemManager
     /// <summary>
     /// Get certificate chain in PEM format from a server with CA pinning validation
     /// </summary>
-    public async Task<(List<string>, string?)> GetCertChainPemAsync(string target, string serverName, int timeout = 10)
+    public async Task<(List<string>, string?)> GetCertChainPemAsync(string target, string serverName, int timeout = 4)
     {
         var pemList = new List<string>();
         try
@@ -257,7 +263,13 @@ public class CertPemManager
 
             using var ssl = new SslStream(client.GetStream(), false, ValidateServerCertificate);
 
-            await ssl.AuthenticateAsClientAsync(serverName);
+            var sslOptions = new SslClientAuthenticationOptions
+            {
+                TargetHost = serverName,
+                RemoteCertificateValidationCallback = ValidateServerCertificate
+            };
+
+            await ssl.AuthenticateAsClientAsync(sslOptions, cts.Token);
 
             if (ssl.RemoteCertificate is not X509Certificate2 certChain)
             {
@@ -330,10 +342,74 @@ public class CertPemManager
         return TrustedCaThumbprints.Contains(rootThumbprint);
     }
 
-    public string ExportCertToPem(X509Certificate2 cert)
+    public static string ExportCertToPem(X509Certificate2 cert)
     {
         var der = cert.Export(X509ContentType.Cert);
-        var b64 = Convert.ToBase64String(der, Base64FormattingOptions.InsertLineBreaks);
+        var b64 = Convert.ToBase64String(der);
         return $"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n";
     }
+
+    /// <summary>
+    /// Parse concatenated PEM certificates string into a list of individual certificates
+    /// Normalizes format: removes line breaks from base64 content for better compatibility
+    /// </summary>
+    /// <param name="pemChain">Concatenated PEM certificates string (supports both \r\n and \n line endings)</param>
+    /// <returns>List of individual PEM certificate strings with normalized format</returns>
+    public static List<string> ParsePemChain(string pemChain)
+    {
+        var certs = new List<string>();
+        if (string.IsNullOrWhiteSpace(pemChain))
+        {
+            return certs;
+        }
+
+        // Normalize line endings (CRLF -> LF) at the beginning
+        pemChain = pemChain.Replace("\r\n", "\n").Replace("\r", "\n");
+
+        const string beginMarker = "-----BEGIN CERTIFICATE-----";
+        const string endMarker = "-----END CERTIFICATE-----";
+
+        var index = 0;
+        while (index < pemChain.Length)
+        {
+            var beginIndex = pemChain.IndexOf(beginMarker, index, StringComparison.Ordinal);
+            if (beginIndex == -1)
+                break;
+
+            var endIndex = pemChain.IndexOf(endMarker, beginIndex, StringComparison.Ordinal);
+            if (endIndex == -1)
+                break;
+
+            // Extract certificate content
+            var base64Start = beginIndex + beginMarker.Length;
+            var base64Content = pemChain.Substring(base64Start, endIndex - base64Start);
+
+            // Remove all whitespace from base64 content
+            base64Content = new string(base64Content.Where(c => !char.IsWhiteSpace(c)).ToArray());
+
+            // Reconstruct with clean format: BEGIN marker + base64 (no line breaks) + END marker
+            var normalizedCert = $"{beginMarker}\n{base64Content}\n{endMarker}\n";
+            certs.Add(normalizedCert);
+
+            // Move to next certificate
+            index = endIndex + endMarker.Length;
+        }
+
+        return certs;
+    }
+
+    /// <summary>
+    /// Concatenate a list of PEM certificates into a single string
+    /// </summary>
+    /// <param name="pemList">List of individual PEM certificate strings</param>
+    /// <returns>Concatenated PEM certificates string</returns>
+    public static string ConcatenatePemChain(IEnumerable<string> pemList)
+    {
+        if (pemList == null)
+        {
+            return string.Empty;
+        }
+
+        return string.Concat(pemList);
+    }
 }

v2rayN/ServiceLib/Resx/ResUI.Designer.cs

@@ -19,7 +19,7 @@ namespace ServiceLib.Resx {
     // 类通过类似于 ResGen 或 Visual Studio 的工具自动生成的。
     // 若要添加或移除成员，请编辑 .ResX 文件，然后重新运行 ResGen
     // (以 /str 作为命令选项)，或重新生成 VS 项目。
-    [global::System.CodeDom.Compiler.GeneratedCodeAttribute("System.Resources.Tools.StronglyTypedResourceBuilder", "17.0.0.0")]
+    [global::System.CodeDom.Compiler.GeneratedCodeAttribute("System.Resources.Tools.StronglyTypedResourceBuilder", "18.0.0.0")]
     [global::System.Diagnostics.DebuggerNonUserCodeAttribute()]
     [global::System.Runtime.CompilerServices.CompilerGeneratedAttribute()]
     public class ResUI {
@@ -2599,8 +2599,10 @@ namespace ServiceLib.Resx {
         }
         
         /// <summary>
-        ///   查找类似 Server certificate (PEM format, optional). Entering a certificate will pin it.
+        ///   查找类似 Server Certificate (PEM format, optional)
-        ///Do not use the &quot;Fetch Certificate&quot; button when &quot;Allow Insecure&quot; is enabled. 的本地化字符串。
+        ///When specified, the certificate will be pinned, and &quot;Allow Insecure&quot; will be disabled.
+        ///
+        ///The &quot;Get Certificate&quot; action may fail if a self-signed certificate is used or if the system contains an untrusted or malicious CA. 的本地化字符串。
         /// </summary>
         public static string TbCertPinningTips {
             get {

v2rayN/ServiceLib/Resx/ResUI.fa-Ir.resx

@@ -1606,8 +1606,10 @@
     <value>Certificate Pinning</value>
   </data>
   <data name="TbCertPinningTips" xml:space="preserve">
-    <value>Server certificate (PEM format, optional). Entering a certificate will pin it.
+    <value>Server Certificate (PEM format, optional)
-Do not use the "Fetch Certificate" button when "Allow Insecure" is enabled.</value>
+When specified, the certificate will be pinned, and "Allow Insecure" will be disabled.
+
+The "Get Certificate" action may fail if a self-signed certificate is used or if the system contains an untrusted or malicious CA.</value>
   </data>
   <data name="TbFetchCert" xml:space="preserve">
     <value>Fetch Certificate</value>

v2rayN/ServiceLib/Resx/ResUI.fr.resx

@@ -1603,8 +1603,10 @@
     <value>Certificate Pinning</value>
   </data>
   <data name="TbCertPinningTips" xml:space="preserve">
-    <value>Certificat serveur (PEM, optionnel). L’ajout d’un certificat le fixe.
+    <value>Server Certificate (PEM format, optional)
-Ne pas utiliser « Obtenir le certificat » si « Autoriser non sécurisé » est activé.</value>
+When specified, the certificate will be pinned, and "Allow Insecure" will be disabled.
+
+The "Get Certificate" action may fail if a self-signed certificate is used or if the system contains an untrusted or malicious CA.</value>
   </data>
   <data name="TbFetchCert" xml:space="preserve">
     <value>Obtenir le certificat</value>

v2rayN/ServiceLib/Resx/ResUI.hu.resx

@@ -1606,8 +1606,10 @@
     <value>Certificate Pinning</value>
   </data>
   <data name="TbCertPinningTips" xml:space="preserve">
-    <value>Server certificate (PEM format, optional). Entering a certificate will pin it.
+    <value>Server Certificate (PEM format, optional)
-Do not use the "Fetch Certificate" button when "Allow Insecure" is enabled.</value>
+When specified, the certificate will be pinned, and "Allow Insecure" will be disabled.
+
+The "Get Certificate" action may fail if a self-signed certificate is used or if the system contains an untrusted or malicious CA.</value>
   </data>
   <data name="TbFetchCert" xml:space="preserve">
     <value>Fetch Certificate</value>

v2rayN/ServiceLib/Resx/ResUI.resx

@@ -1606,8 +1606,10 @@
     <value>Certificate Pinning</value>
   </data>
   <data name="TbCertPinningTips" xml:space="preserve">
-    <value>Server certificate (PEM format, optional). Entering a certificate will pin it.
+    <value>Server Certificate (PEM format, optional)
-Do not use the "Fetch Certificate" button when "Allow Insecure" is enabled.</value>
+When specified, the certificate will be pinned, and "Allow Insecure" will be disabled.
+
+The "Get Certificate" action may fail if a self-signed certificate is used or if the system contains an untrusted or malicious CA.</value>
   </data>
   <data name="TbFetchCert" xml:space="preserve">
     <value>Fetch Certificate</value>

v2rayN/ServiceLib/Resx/ResUI.ru.resx

@@ -1606,8 +1606,10 @@
     <value>Certificate Pinning</value>
   </data>
   <data name="TbCertPinningTips" xml:space="preserve">
-    <value>Server certificate (PEM format, optional). Entering a certificate will pin it.
+    <value>Server Certificate (PEM format, optional)
-Do not use the "Fetch Certificate" button when "Allow Insecure" is enabled.</value>
+When specified, the certificate will be pinned, and "Allow Insecure" will be disabled.
+
+The "Get Certificate" action may fail if a self-signed certificate is used or if the system contains an untrusted or malicious CA.</value>
   </data>
   <data name="TbFetchCert" xml:space="preserve">
     <value>Fetch Certificate</value>

v2rayN/ServiceLib/Resx/ResUI.zh-Hans.resx

@@ -1603,8 +1603,10 @@
     <value>固定证书</value>
   </data>
   <data name="TbCertPinningTips" xml:space="preserve">
-    <value>服务器证书（PEM 格式，可选）。填入后将固定该证书。
+    <value>服务器证书（PEM 格式，可选）
-启用“跳过证书验证”时，请勿使用 '获取证书'。</value>
+当指定此证书后，将固定该证书，并禁用“跳过证书验证”选项。
+
+“获取证书”操作可能失败，原因可能是使用了自签证书，或系统中存在不受信任或恶意的 CA。</value>
   </data>
   <data name="TbFetchCert" xml:space="preserve">
     <value>获取证书</value>

v2rayN/ServiceLib/Resx/ResUI.zh-Hant.resx

@@ -1603,8 +1603,10 @@
     <value>Certificate Pinning</value>
   </data>
   <data name="TbCertPinningTips" xml:space="preserve">
-    <value>Server certificate (PEM format, optional). Entering a certificate will pin it.
+    <value>Server Certificate (PEM format, optional)
-Do not use the "Fetch Certificate" button when "Allow Insecure" is enabled.</value>
+When specified, the certificate will be pinned, and "Allow Insecure" will be disabled.
+
+The "Get Certificate" action may fail if a self-signed certificate is used or if the system contains an untrusted or malicious CA.</value>
   </data>
   <data name="TbFetchCert" xml:space="preserve">
     <value>Fetch Certificate</value>

v2rayN/ServiceLib/Services/CoreConfig/Singbox/SingboxOutboundService.cs

@@ -261,13 +261,7 @@ public partial class CoreConfigSingboxService
                 }
                 if (node.StreamSecurity == Global.StreamSecurity)
                 {
-                    var certs = node.Cert
+                    var certs = CertPemManager.ParsePemChain(node.Cert);
-                        ?.Split("-----END CERTIFICATE-----", StringSplitOptions.RemoveEmptyEntries)
-                        .Select(s => s.TrimEx())
-                        .Where(s => !s.IsNullOrEmpty())
-                        .Select(s => s + "\n-----END CERTIFICATE-----")
-                        .Select(s => s.Replace("\r\n", "\n"))
-                        .ToList() ?? new();
                     if (certs.Count > 0)
                     {
                         tls.certificate = certs;

v2rayN/ServiceLib/Services/CoreConfig/V2ray/V2rayOutboundService.cs

@@ -245,13 +245,6 @@ public partial class CoreConfigV2rayService
             var host = node.RequestHost.TrimEx();
             var path = node.Path.TrimEx();
             var sni = node.Sni.TrimEx();
-            var certs = node.Cert
-                ?.Split("-----END CERTIFICATE-----", StringSplitOptions.RemoveEmptyEntries)
-                .Select(s => s.TrimEx())
-                .Where(s => !s.IsNullOrEmpty())
-                .Select(s => s + "\n-----END CERTIFICATE-----")
-                .Select(s => s.Replace("\r\n", "\n"))
-                .ToList() ?? new();
             var useragent = "";
             if (!_config.CoreBasicItem.DefUserAgent.IsNullOrEmpty())
             {
@@ -284,6 +277,7 @@ public partial class CoreConfigV2rayService
                 {
                     tlsSettings.serverName = Utils.String2List(host)?.First();
                 }
+                var certs = CertPemManager.ParsePemChain(node.Cert);
                 if (certs.Count > 0)
                 {
                     var certsettings = new List<CertificateSettings4Ray>();

v2rayN/ServiceLib/ViewModels/AddServerViewModel.cs

@@ -2,8 +2,6 @@ namespace ServiceLib.ViewModels;
 
 public class AddServerViewModel : MyReactiveObject
 {
-    private string _certError = string.Empty;
-
     [Reactive]
     public ProfileItem SelectedSource { get; set; }
 
@@ -112,11 +110,11 @@ public class AddServerViewModel : MyReactiveObject
         }
     }
 
-    private void UpdateCertTip()
+    private void UpdateCertTip(string? errorMessage = null)
     {
-        CertTip = _certError.IsNullOrEmpty()
+        CertTip = errorMessage.IsNullOrEmpty()
             ? (Cert.IsNullOrEmpty() ? ResUI.CertNotSet : ResUI.CertSet)
-            : _certError;
+            : errorMessage;
     }
 
     private async Task FetchCert()
@@ -137,17 +135,16 @@ public class AddServerViewModel : MyReactiveObject
         }
         if (!Utils.IsDomain(serverName))
         {
-            _certError = ResUI.ServerNameMustBeValidDomain;
+            UpdateCertTip(ResUI.ServerNameMustBeValidDomain);
-            UpdateCertTip();
-            _certError = string.Empty;
             return;
         }
         if (SelectedSource.Port > 0)
         {
             domain += $":{SelectedSource.Port}";
         }
-        (Cert, _certError) = await CertPemManager.Instance.GetCertPemAsync(domain, serverName);
+        string certError;
-        UpdateCertTip();
+        (Cert, certError) = await CertPemManager.Instance.GetCertPemAsync(domain, serverName);
+        UpdateCertTip(certError);
     }
 
     private async Task FetchCertChain()
@@ -168,17 +165,16 @@ public class AddServerViewModel : MyReactiveObject
         }
         if (!Utils.IsDomain(serverName))
         {
-            _certError = ResUI.ServerNameMustBeValidDomain;
+            UpdateCertTip(ResUI.ServerNameMustBeValidDomain);
-            UpdateCertTip();
-            _certError = string.Empty;
             return;
         }
         if (SelectedSource.Port > 0)
         {
             domain += $":{SelectedSource.Port}";
         }
-        (var certs, _certError) = await CertPemManager.Instance.GetCertChainPemAsync(domain, serverName);
+        string certError;
-        UpdateCertTip();
+        (var certs, certError) = await CertPemManager.Instance.GetCertChainPemAsync(domain, serverName);
-        Cert = string.Join("\n", certs);
+        Cert = CertPemManager.ConcatenatePemChain(certs);
+        UpdateCertTip(certError);
     }
 }

v2rayN/v2rayN.Desktop/Views/AddServerWindow.axaml

@@ -800,9 +800,11 @@
                                 <Flyout>
                                     <StackPanel>
                                         <TextBlock
+                                            Width="400"
                                             Margin="{StaticResource Margin4}"
                                             VerticalAlignment="Center"
-                                            Text="{x:Static resx:ResUI.TbCertPinningTips}" />
+                                            Text="{x:Static resx:ResUI.TbCertPinningTips}"
+                                            TextWrapping="Wrap" />
                                         <StackPanel HorizontalAlignment="Left" Orientation="Horizontal">
                                             <Button
                                                 x:Name="btnFetchCert"
@@ -816,13 +818,10 @@
                                         <TextBox
                                             x:Name="txtCert"
                                             Width="400"
-                                            MinHeight="100"
                                             Margin="{StaticResource Margin4}"
-                                            HorizontalAlignment="Stretch"
+                                            AcceptsReturn="True"
-                                            VerticalAlignment="Center"
                                             Classes="TextArea"
-                                            MinLines="6"
+                                            TextWrapping="NoWrap" />
-                                            TextWrapping="Wrap" />
                                     </StackPanel>
                                 </Flyout>
                             </Button.Flyout>

v2rayN/v2rayN/Views/AddServerWindow.xaml

@@ -1021,6 +1021,7 @@
                             Style="{StaticResource MaterialDesignToolForegroundPopupBox}">
                             <StackPanel>
                                 <TextBlock
+                                    Width="400"
                                     Margin="{StaticResource Margin4}"
                                     VerticalAlignment="Center"
                                     Style="{StaticResource ToolbarTextBlock}"
@@ -1029,13 +1030,11 @@
                                 <StackPanel HorizontalAlignment="Left" Orientation="Horizontal">
                                     <Button
                                         x:Name="btnFetchCert"
-                                        Width="100"
                                         Margin="{StaticResource MarginLeftRight4}"
                                         Content="{x:Static resx:ResUI.TbFetchCert}"
                                         Style="{StaticResource DefButton}" />
                                     <Button
                                         x:Name="btnFetchCertChain"
-                                        Width="100"
                                         Margin="{StaticResource MarginLeftRight4}"
                                         Content="{x:Static resx:ResUI.TbFetchCertChain}"
                                         Style="{StaticResource DefButton}" />
@@ -1044,11 +1043,13 @@
                                     x:Name="txtCert"
                                     Width="400"
                                     Margin="{StaticResource Margin4}"
-                                    VerticalAlignment="Center"
                                     AcceptsReturn="True"
+                                    HorizontalScrollBarVisibility="Auto"
+                                    MaxLines="18"
                                     MinLines="6"
                                     Style="{StaticResource MyOutlinedTextBox}"
-                                    TextWrapping="Wrap" />
+                                    TextWrapping="NoWrap"
+                                    VerticalScrollBarVisibility="Auto" />
                             </StackPanel>
                         </materialDesign:PopupBox>
                     </StackPanel>