Reality does not verify certificates of its destination #1734
Closed
Actually, I consider this a "feature".
We can use a self-signed CA to issue any certificates to Reality.
And Reality does not care if the certificate is self-signed. It will not verify it.
Config:
```json
"inbounds": [
  {
    "tag": "vless-in",
    "listen": "0.0.0.0",
    "port": 443,
    "protocol": "vless",
    "settings": {
      "clients": [
        {
          "id": "e7608361-3f0b-4d52-bf9f-bd9dea5a2a6b",
          "flow": "xtls-rprx-vision"
        }
      ],
      "decryption": "none"
    },
    "streamSettings": {
      "network": "tcp",
      "security": "reality",
      "realitySettings": {
        "show": false,
        "privateKey": "<Server_X25519_Private_Key>",
        "shortIds": ["<Server_Short_ID>"],
        "dest": "127.0.0.1:444",
        "serverNames": ["www.gov.cn"]
      }
    }
  },
  {
    "tag": "dummy-ca",
    "listen": "127.0.0.1",
    "port": 444,
    "protocol": "http",
    "settings": {"allowTransparent": true},
    "streamSettings": {
      "network": "tcp",
      "security": "tls",
      "tlsSettings": {
        "rejectUnknownSni": false,
        "alpn": ["http/1.1"],
        "minVersion": "1.3",
        "certificates": [
          {
            "usage": "issue",
            "oneTimeLoading": true,
            "certificateFile": "fakeCA.cer",
            "keyFile": "fakeCA.key"
          }
        ]
      }
    }
  }
]
```
Just set a dummy HTTP inbound, with the TLS configuration set to use a CA certificate, and it will sign your Reality with any SNI you set in the "serverNames" array.
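What Reality skips can be checked separately. The following is an added example, not the issue author's code and not part of Xray-core: an offline lint that flags a `dest` pointing at a loopback or private address (or a host absent from `serverNames`), plus a live verifying handshake against the system root store; `SAMPLE_CONFIG` is a constructed, trimmed copy of the inbound above.

```python
import ipaddress
import json
import socket
import ssl

# Constructed sample: the Reality inbound from the issue above, trimmed to the relevant keys.
SAMPLE_CONFIG = json.loads("""{"inbounds": [
  {"tag": "vless-in", "protocol": "vless", "streamSettings": {"security": "reality",
     "realitySettings": {"dest": "127.0.0.1:444", "serverNames": ["www.gov.cn"]}}},
  {"tag": "dummy-ca", "protocol": "http", "streamSettings": {"security": "tls"}}]}""")


def reality_inbounds(config):
    """Yield (tag, dest, serverNames) for every inbound with security=reality."""
    for inbound in config.get("inbounds", []):
        stream = inbound.get("streamSettings", {})
        if stream.get("security") == "reality":
            rs = stream.get("realitySettings", {})
            yield inbound.get("tag"), rs.get("dest", ""), rs.get("serverNames", [])


def lint_dest(dest, server_names):
    """Offline check. Reality never validates dest's certificate, so confirm dest is
    the site named in serverNames and not a local/private listener (as in the issue)."""
    host = dest.rpartition(":")[0]  # 'host:port'; bracketed IPv6 falls into the hostname branch
    findings = []
    try:
        ip = ipaddress.ip_address(host)
        if ip.is_loopback or ip.is_private:
            findings.append(f"dest {dest} is a local/private address, not the site {server_names}")
    except ValueError:
        if host not in server_names:
            findings.append(f"dest host {host} is not listed in serverNames {server_names}")
    return findings


def lint_config(config):
    """Run the offline check over every Reality inbound; returns {tag: findings}."""
    return {tag: lint_dest(dest, names) for tag, dest, names in reality_inbounds(config)}


def verify_dest_handshake(dest, server_name, timeout=5.0):
    """Live check Reality does not perform: a verifying TLS handshake with dest that
    requires a chain trusted by the system root store and a name matching server_name.
    Raises ssl.SSLCertVerificationError for a self-signed or mismatched certificate."""
    host, _, port = dest.rpartition(":")
    ctx = ssl.create_default_context()  # verifies chain and hostname
    with socket.create_connection((host, int(port)), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
            return tls.getpeercert()["subject"]
```

Running `lint_config(SAMPLE_CONFIG)` reports the `127.0.0.1:444` dest of `vless-in`; `verify_dest_handshake` needs network access and a dest that actually serves the named site.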