[PR #5133] [CLOSED] fix: respect explicit transport.tls.force = false when trustedCaFile is set #5142

New issue

Closed

opened 2026-05-05 14:55:30 -06:00 by gitea-mirror · 0 comments

gitea-mirror commented

2026-05-05 14:55:30 -06:00

Owner

📋 Pull Request Information

Original PR: https://github.com/fatedier/frp/pull/5133
Author: @tensorworkerr
Created: 1/16/2026
Status: ❌ Closed

Base: dev ← Head: fix/tls-force-config-override

📝 Commits (1)

73e4d1f fix: respect explicit transport.tls.force = false when trustedCaFile is set (#5131)

📊 Changes

6 files changed (+53 additions, -7 deletions)

View changed files

📝 pkg/config/flags.go (+1 -1)
📝 pkg/config/legacy/conversion.go (+1 -1)
📝 pkg/config/v1/server.go (+3 -3)
📝 pkg/config/v1/server_test.go (+44 -0)
📝 server/api/controller.go (+3 -1)
📝 server/service.go (+1 -1)

📄 Description

WHY

Fixes #5131

When transport.tls.force = false is explicitly set in frps.toml alongside transport.tls.trustedCaFile, the server incorrectly rejected non-TLS connections.

Root Cause

In ServerTransportConfig.Complete(), the code unconditionally set Force = true whenever TrustedCaFile was configured, ignoring the user's explicit setting.

Solution

Changed TLSServerConfig.Force from bool to *bool to distinguish between unset (nil) and explicitly set false. Now the default is only applied when Force is nil.

Changes

pkg/config/v1/server.go - Changed Force type and fixed Complete()
pkg/config/flags.go - Updated CLI flag binding
pkg/config/legacy/conversion.go - Use lo.ToPtr() for conversion
server/api/controller.go - Use lo.FromPtr() for API response
server/service.go - Use lo.FromPtr() for TLS check
pkg/config/v1/server_test.go - Added 4 test cases

Backward Compatibility

Fully backward compatible - only the explicit force = false case is now respected.

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/fatedier/frp/pull/5133 **Author:** [@tensorworkerr](https://github.com/tensorworkerr) **Created:** 1/16/2026 **Status:** ❌ Closed **Base:** `dev` ← **Head:** `fix/tls-force-config-override` --- ### 📝 Commits (1) - [`73e4d1f`](https://github.com/fatedier/frp/commit/73e4d1f5e4caf7fdf492fa7fdc9f9fd187515882) fix: respect explicit transport.tls.force = false when trustedCaFile is set (#5131) ### 📊 Changes **6 files changed** (+53 additions, -7 deletions) <details> <summary>View changed files</summary> 📝 `pkg/config/flags.go` (+1 -1) 📝 `pkg/config/legacy/conversion.go` (+1 -1) 📝 `pkg/config/v1/server.go` (+3 -3) 📝 `pkg/config/v1/server_test.go` (+44 -0) 📝 `server/api/controller.go` (+3 -1) 📝 `server/service.go` (+1 -1) </details> ### 📄 Description ### WHY Fixes #5131 When `transport.tls.force = false` is explicitly set in `frps.toml` alongside `transport.tls.trustedCaFile`, the server incorrectly rejected non-TLS connections. ### Root Cause In `ServerTransportConfig.Complete()`, the code unconditionally set `Force = true` whenever `TrustedCaFile` was configured, ignoring the user's explicit setting. ### Solution Changed `TLSServerConfig.Force` from `bool` to `*bool` to distinguish between unset (nil) and explicitly set false. Now the default is only applied when `Force` is nil. ### Changes - `pkg/config/v1/server.go` - Changed `Force` type and fixed `Complete()` - `pkg/config/flags.go` - Updated CLI flag binding - `pkg/config/legacy/conversion.go` - Use `lo.ToPtr()` for conversion - `server/api/controller.go` - Use `lo.FromPtr()` for API response - `server/service.go` - Use `lo.FromPtr()` for TLS check - `pkg/config/v1/server_test.go` - Added 4 test cases ### Backward Compatibility Fully backward compatible - only the explicit `force = false` case is now respected. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>