feat: remove ca and ca-str in hy1/hy2/tuic outbound, using fingerprint instead

component/ca/config.go

@@ -11,7 +11,6 @@ import (
 	"sync"
 
 	"github.com/metacubex/mihomo/common/once"
-	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/ntp"
 )
 
@@ -67,43 +66,19 @@ func ResetCertificate() {
 	initializeCertPool()
 }
 
-func GetCertPool(customCA string, customCAString string) (*x509.CertPool, error) {
-	var certificate []byte
-	var err error
-	if len(customCA) > 0 {
-		path := C.Path.Resolve(customCA)
-		if !C.Path.IsSafePath(path) {
-			return nil, C.Path.ErrNotSafePath(path)
-		}
-		certificate, err = os.ReadFile(path)
-		if err != nil {
-			return nil, fmt.Errorf("load ca error: %w", err)
-		}
-	} else if customCAString != "" {
-		certificate = []byte(customCAString)
-	}
-	if len(certificate) > 0 {
-		certPool := x509.NewCertPool()
-		if !certPool.AppendCertsFromPEM(certificate) {
-			return nil, fmt.Errorf("failed to parse certificate:\n\n %s", certificate)
-		}
-		return certPool, nil
-	} else {
-		mutex.Lock()
-		defer mutex.Unlock()
-		if globalCertPool == nil {
-			initializeCertPool()
-		}
-		return globalCertPool, nil
+func GetCertPool() *x509.CertPool {
+	mutex.Lock()
+	defer mutex.Unlock()
+	if globalCertPool == nil {
+		initializeCertPool()
 	}
+	return globalCertPool
 }
 
 type Option struct {
-	TLSConfig      *tls.Config
-	Fingerprint    string
-	CustomCA       string
-	CustomCAString string
-	ZeroTrust      bool
+	TLSConfig   *tls.Config
+	Fingerprint string
+	ZeroTrust   bool
 }
 
 func GetTLSConfig(opt Option) (tlsConfig *tls.Config, err error) {
@@ -116,10 +91,7 @@ func GetTLSConfig(opt Option) (tlsConfig *tls.Config, err error) {
 	if opt.ZeroTrust {
 		tlsConfig.RootCAs = zeroTrustCertPool()
 	} else {
-		tlsConfig.RootCAs, err = GetCertPool(opt.CustomCA, opt.CustomCAString)
-		if err != nil {
-			return nil, err
-		}
+		tlsConfig.RootCAs = GetCertPool()
 	}
 
 	if len(opt.Fingerprint) > 0 {