From d0396a3854d7db5b0a506aaeebb39da20722895d Mon Sep 17 00:00:00 2001
From: xfy <i@rua.plus>
Date: Mon, 13 Apr 2026 16:20:20 +0800
Subject: [PATCH] =?UTF-8?q?fix(stream):=20=E6=B7=BB=E5=8A=A0=20SSL=20?=
 =?UTF-8?q?=E8=AF=81=E4=B9=A6=E9=AA=8C=E8=AF=81=E7=A6=81=E7=94=A8=E7=9A=84?=
 =?UTF-8?q?=E5=AE=89=E5=85=A8=E8=AD=A6=E5=91=8A?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

当 verify=false 跳过证书验证时，打印警告日志提醒中间人攻击风险

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 internal/stream/ssl.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/internal/stream/ssl.go b/internal/stream/ssl.go
index 9bb5810..5b621a5 100644
--- a/internal/stream/ssl.go
+++ b/internal/stream/ssl.go
@@ -16,6 +16,7 @@ import (
 	"sync"
 
 	"rua.plus/lolly/internal/config"
+	"rua.plus/lolly/internal/logging"
 	"rua.plus/lolly/internal/sslutil"
 )
 
@@ -190,6 +191,7 @@ func (m *ProxySSLManager) GetClientTLSConfig(serverName string) *tls.Config {
 		tlsConfig.RootCAs = m.rootCAPool
 	} else if !m.config.Verify {
 		// 跳过证书验证
+		logging.Warn().Msg("SSL证书验证已禁用，连接可能遭受中间人攻击")
 		tlsConfig.InsecureSkipVerify = true
 	}