[feat] use fingerprint-based verification for both default and self-hosted servers

.github/ISSUE_TEMPLATE/问题反馈.md

@@ -1,6 +1,6 @@
 ---
 name: 问题反馈
-about: Create a report to help us improve
+about: 请在此提交问题报告，以便持续优化产品。
 title: ''
 labels: bug
 assignees: kunkundi

.github/ISSUE_TEMPLATE/需求建议.md

@@ -0,0 +1,28 @@
+---
+name: 需求建议
+about: 请在此提交功能需求或改进建议，以便后续迭代参考。
+title: ''
+labels: enhancement
+assignees: kunkundi
+
+---
+
+**功能/改进建议描述**
+清晰简洁地描述希望新增的功能或改进的内容。
+
+**使用场景 / 背景**
+说明该功能或改进的使用场景，以及解决后带来的价值。
+
+**预期效果**
+描述你认为最理想的功能表现或改进效果。
+
+**参考示例（可选）**
+提供类似功能截图、参考链接或其他说明，帮助更好理解需求。
+
+**优先级（可选）**
+- [ ] 高
+- [ ] 中
+- [ ] 低
+
+**补充信息（可选）**
+其他相关信息或特殊要求。

README.md

@@ -181,7 +181,7 @@ sudo docker run -d \
   -e MAX_PORT=xxxxx \
   -v /var/lib/crossdesk:/var/lib/crossdesk \
   -v /var/log/crossdesk:/var/log/crossdesk \
-  crossdesk/crossdesk-server:v1.1.2
+  crossdesk/crossdesk-server:v1.1.3
 ```
 
 上述命令中，用户需注意的参数如下：
@@ -208,7 +208,7 @@ sudo docker run -d \
   -e MAX_PORT=60000 \
   -v /var/lib/crossdesk:/var/lib/crossdesk \
   -v /var/log/crossdesk:/var/log/crossdesk \
-  crossdesk/crossdesk-server:v1.1.2
+  crossdesk/crossdesk-server:v1.1.3
 ```
 
 **注意**：
@@ -229,21 +229,19 @@ sudo mkdir -p /var/lib/crossdesk /var/log/crossdesk
 sudo chown -R $(id -u):$(id -g) /var/lib/crossdesk /var/log/crossdesk
 ```
 
-## 证书文件
-在宿主机的 `/var/lib/crossdesk/certs` 路径下可找到证书文件 `crossdesk.cn_root.crt`，下载到你的客户端主机，并在客户端的**自托管服务器设置**中选择相应的**证书文件路径**。
 
 ### 客户端
-1. 点击右上角设置进入设置页面。<br>
+1. 点击右上角设置进入设置页面。<br><br>
 <img width="600" height="210" alt="image" src="https://github.com/user-attachments/assets/6431131d-b32a-4726-8783-6788f47baa3b" /><br><br>
 
-3. 点击点击**自托管服务器配置**。<br><br>
+2. 点击点击`自托管服务器配置`按钮。<br><br>
-<img width="600" height="160" alt="image" src="https://github.com/user-attachments/assets/24c761a3-1985-4d7e-84be-787383c2afb8" /><br><br>
+<img width="600" height="140" alt="image" src="https://github.com/user-attachments/assets/24c761a3-1985-4d7e-84be-787383c2afb8" /><br><br>
 
-5. 在**证书文件路径**选择框中找到 **crossdesk.cn_root.crt** 的存放路径，选中 **crossdesk.cn_root.crt**，点击确认。<br><br>
+3. 输入`服务器地址`(**EXTERNAL_IP**)、`信令服务端口`(**CROSSDESK_SERVER_PORT**)、`中继服务端口`(**COTURN_PORT**)。<br><br>
-<img width="600" height="220" alt="image" src="https://github.com/user-attachments/assets/4af7cd3a-c72e-44fb-b032-30e050019c2a" /><br><br>
+<img width="600" height="200" alt="image" src="https://github.com/user-attachments/assets/9a32ddd5-37f8-4bee-9a51-eae295820f9a" /><br><br>
 
-7. 勾选使用**自托管服务器配置**，点击确认配置生效。<br><br>
+4. 后续如果自托管服务器被重置或因其他原因导致证书更换，可以点击`重置证书指纹`按钮重置客户端保存的证书指纹。<br><br>
-<img width="600" height="160" alt="image" src="https://github.com/user-attachments/assets/1e455dc3-4087-4f37-a544-1ff9f8789383" /><br><br>
+<img width="600" height="200" alt="image" src="https://github.com/user-attachments/assets/d9e423ab-0c2b-4fab-b132-4dc27462d704" /><br><br>
 
 ### Web 客户端
 详情见项目 [CrossDesk Web Client](https://github.com/kunkundi/crossdesk-web-client)。

README_EN.md

@@ -189,7 +189,7 @@ sudo docker run -d \
   -e MAX_PORT=xxxxx \
   -v /var/lib/crossdesk:/var/lib/crossdesk \
   -v /var/log/crossdesk:/var/log/crossdesk \
-  crossdesk/crossdesk-server:v1.1.2
+  crossdesk/crossdesk-server:v1.1.3
 ```
 
 The parameters you need to pay attention to are as follows:
@@ -216,7 +216,7 @@ sudo docker run -d \
   -e MAX_PORT=60000 \
   -v /var/lib/crossdesk:/var/lib/crossdesk \
   -v /var/log/crossdesk:/var/log/crossdesk \
-  crossdesk/crossdesk-server:v1.1.2
+  crossdesk/crossdesk-server:v1.1.3
 ```
 
 **Notes**
@@ -238,25 +238,21 @@ sudo mkdir -p /var/lib/crossdesk /var/log/crossdesk
 sudo chown -R $(id -u):$(id -g) /var/lib/crossdesk /var/log/crossdesk
 ```
 
-### Certificate Files
-You can find the certificate file `crossdesk.cn_root.crt` at `/var/lib/crossdesk/certs` on the host machine.
-Download it to your client device and select it in the **Certificate File Path** field under the CrossDesk client’s **Self-Hosted Server Settings**.
-
 ### Server Side
 Place **crossdesk.cn.key** and **crossdesk.cn_bundle.crt** into the **/path/to/your/certs** directory.
 
 ### Client Side
-1. Click the settings icon in the top-right corner to enter the settings page.<br>
+1. Click the settings icon in the top-right corner to enter the settings page.<br><br>
 <img width="600" height="210" alt="image" src="https://github.com/user-attachments/assets/6431131d-b32a-4726-8783-6788f47baa3b" /><br><br>
 
-2. Click **Self-Hosted Server Configuration**.<br><br>
+2. Click `Self-Hosted Server Configuration` button.<br><br>
 <img width="600" height="160" alt="image" src="https://github.com/user-attachments/assets/24c761a3-1985-4d7e-84be-787383c2afb8" /><br><br>
 
-3. In the **Certificate File Path** selection, locate and select the **crossdesk.cn_root.crt** file.<br><br>
+3. Enter the `Server Address` (**EXTERNAL_IP**), `Signaling Service Port` (**CROSSDESK_SERVER_PORT**), and `Relay Service Port` (**COTURN_PORT**).<br><br>
-<img width="600" height="220" alt="image" src="https://github.com/user-attachments/assets/4af7cd3a-c72e-44fb-b032-30e050019c2a" /><br><br>
+<img width="600" height="200" alt="image" src="https://github.com/user-attachments/assets/9a32ddd5-37f8-4bee-9a51-eae295820f9a" /><br><br>
 
-4. Check the option to use **Self-Hosted Server Configuration**.<br><br>
+4. If the self-hosted server is later reset or the certificate is replaced for any reason, you can click the `Reset Certificate Fingerprint` button to clear the certificate fingerprint saved on the client.<br><br>
-<img width="600" height="160" alt="image" src="https://github.com/user-attachments/assets/1e455dc3-4087-4f37-a544-1ff9f8789383" /><br><br>
+<img width="600" height="200" alt="image" src="https://github.com/user-attachments/assets/d9e423ab-0c2b-4fab-b132-4dc27462d704" /><br><br>
 
 ### Web Client
 See [CrossDesk Web Client](https://github.com/kunkundi/crossdesk-web-client)。

src/config_center/config_center.cpp

@@ -77,6 +77,64 @@ int ConfigCenter::Load() {
   } else {
     cert_file_path_ = "";
   }
+  const char* cert_fingerprint_value =
+      ini_.GetValue(section_, "cert_fingerprint", nullptr);
+  if (cert_fingerprint_value != nullptr && strlen(cert_fingerprint_value) > 0) {
+    cert_fingerprint_ = cert_fingerprint_value;
+  } else {
+    cert_fingerprint_ = "";
+  }
+  const char* cert_fingerprint_server_host_value =
+      ini_.GetValue(section_, "cert_fingerprint_server_host", nullptr);
+  if (cert_fingerprint_server_host_value != nullptr &&
+      strlen(cert_fingerprint_server_host_value) > 0) {
+    cert_fingerprint_server_host_ = cert_fingerprint_server_host_value;
+  } else {
+    cert_fingerprint_server_host_ = "";
+  }
+
+  const char* default_cert_fingerprint_value =
+      ini_.GetValue(section_, "default_cert_fingerprint", nullptr);
+  if (default_cert_fingerprint_value != nullptr &&
+      strlen(default_cert_fingerprint_value) > 0) {
+    default_cert_fingerprint_ = default_cert_fingerprint_value;
+  } else {
+    default_cert_fingerprint_ = "";
+  }
+  const char* default_cert_fingerprint_server_host_value =
+      ini_.GetValue(section_, "default_cert_fingerprint_server_host", nullptr);
+  if (default_cert_fingerprint_server_host_value != nullptr &&
+      strlen(default_cert_fingerprint_server_host_value) > 0) {
+    default_cert_fingerprint_server_host_ =
+        default_cert_fingerprint_server_host_value;
+  } else {
+    default_cert_fingerprint_server_host_ = "";
+  }
+
+  if (enable_self_hosted_ && !cert_fingerprint_.empty() &&
+      !cert_fingerprint_server_host_.empty() &&
+      signal_server_host_ != cert_fingerprint_server_host_) {
+    LOG_INFO("Server IP changed from {} to {}, clearing old fingerprint",
+             cert_fingerprint_server_host_, signal_server_host_);
+    cert_fingerprint_.clear();
+    cert_fingerprint_server_host_.clear();
+    ini_.Delete(section_, "cert_fingerprint", false);
+    ini_.Delete(section_, "cert_fingerprint_server_host", false);
+    ini_.SaveFile(config_path_.c_str());
+  }
+
+  if (!enable_self_hosted_ && !default_cert_fingerprint_.empty() &&
+      !default_cert_fingerprint_server_host_.empty() &&
+      signal_server_host_default_ != default_cert_fingerprint_server_host_) {
+    LOG_INFO(
+        "Default server IP changed from {} to {}, clearing old fingerprint",
+        default_cert_fingerprint_server_host_, signal_server_host_default_);
+    default_cert_fingerprint_.clear();
+    default_cert_fingerprint_server_host_.clear();
+    ini_.Delete(section_, "default_cert_fingerprint", false);
+    ini_.Delete(section_, "default_cert_fingerprint_server_host", false);
+    ini_.SaveFile(config_path_.c_str());
+  }
 
   enable_autostart_ =
       ini_.GetBoolValue(section_, "enable_autostart", enable_autostart_);
@@ -108,6 +166,18 @@ int ConfigCenter::Save() {
     ini_.SetLongValue(section_, "coturn_server_port",
                       static_cast<long>(coturn_server_port_));
     ini_.SetValue(section_, "cert_file_path", cert_file_path_.c_str());
+    if (!cert_fingerprint_.empty()) {
+      ini_.SetValue(section_, "cert_fingerprint", cert_fingerprint_.c_str());
+      ini_.SetValue(section_, "cert_fingerprint_server_host",
+                    cert_fingerprint_server_host_.c_str());
+    }
+  }
+
+  if (!default_cert_fingerprint_.empty()) {
+    ini_.SetValue(section_, "default_cert_fingerprint",
+                  default_cert_fingerprint_.c_str());
+    ini_.SetValue(section_, "default_cert_fingerprint_server_host",
+                  default_cert_fingerprint_server_host_.c_str());
   }
 
   ini_.SetBoolValue(section_, "enable_autostart", enable_autostart_);
@@ -200,6 +270,15 @@ int ConfigCenter::SetSrtp(bool enable_srtp) {
 }
 
 int ConfigCenter::SetServerHost(const std::string& signal_server_host) {
+  if (enable_self_hosted_ && !cert_fingerprint_.empty() &&
+      signal_server_host != signal_server_host_) {
+    LOG_INFO("Server IP changed from {} to {}, clearing old fingerprint",
+             signal_server_host_, signal_server_host);
+    cert_fingerprint_.clear();
+    cert_fingerprint_server_host_.clear();
+    ini_.Delete(section_, "cert_fingerprint", false);
+    ini_.Delete(section_, "cert_fingerprint_server_host", false);
+  }
   signal_server_host_ = signal_server_host;
   ini_.SetValue(section_, "signal_server_host", signal_server_host_.c_str());
   SI_Error rc = ini_.SaveFile(config_path_.c_str());
@@ -241,6 +320,57 @@ int ConfigCenter::SetCertFilePath(const std::string& cert_file_path) {
   return 0;
 }
 
+int ConfigCenter::SetCertFingerprint(const std::string& fingerprint) {
+  cert_fingerprint_ = fingerprint;
+  cert_fingerprint_server_host_ = signal_server_host_;
+  ini_.SetValue(section_, "cert_fingerprint", cert_fingerprint_.c_str());
+  ini_.SetValue(section_, "cert_fingerprint_server_host",
+                cert_fingerprint_server_host_.c_str());
+  SI_Error rc = ini_.SaveFile(config_path_.c_str());
+  if (rc < 0) {
+    return -1;
+  }
+  return 0;
+}
+
+int ConfigCenter::SetDefaultCertFingerprint(const std::string& fingerprint) {
+  default_cert_fingerprint_ = fingerprint;
+  default_cert_fingerprint_server_host_ = signal_server_host_default_;
+  ini_.SetValue(section_, "default_cert_fingerprint",
+                default_cert_fingerprint_.c_str());
+  ini_.SetValue(section_, "default_cert_fingerprint_server_host",
+                default_cert_fingerprint_server_host_.c_str());
+  SI_Error rc = ini_.SaveFile(config_path_.c_str());
+  if (rc < 0) {
+    return -1;
+  }
+  return 0;
+}
+
+int ConfigCenter::ClearCertFingerprint() {
+  cert_fingerprint_.clear();
+  cert_fingerprint_server_host_.clear();
+  ini_.Delete(section_, "cert_fingerprint", false);
+  ini_.Delete(section_, "cert_fingerprint_server_host", false);
+  SI_Error rc = ini_.SaveFile(config_path_.c_str());
+  if (rc < 0) {
+    return -1;
+  }
+  return 0;
+}
+
+int ConfigCenter::ClearDefaultCertFingerprint() {
+  default_cert_fingerprint_.clear();
+  default_cert_fingerprint_server_host_.clear();
+  ini_.Delete(section_, "default_cert_fingerprint", false);
+  ini_.Delete(section_, "default_cert_fingerprint_server_host", false);
+  SI_Error rc = ini_.SaveFile(config_path_.c_str());
+  if (rc < 0) {
+    return -1;
+  }
+  return 0;
+}
+
 int ConfigCenter::SetSelfHosted(bool enable_self_hosted) {
   enable_self_hosted_ = enable_self_hosted;
   ini_.SetBoolValue(section_, "enable_self_hosted", enable_self_hosted_);
@@ -272,6 +402,28 @@ int ConfigCenter::SetSelfHosted(bool enable_self_hosted) {
     if (cert_file_path_value != nullptr && strlen(cert_file_path_value) > 0) {
       cert_file_path_ = cert_file_path_value;
     }
+    const char* cert_fingerprint_value =
+        ini_.GetValue(section_, "cert_fingerprint", nullptr);
+    if (cert_fingerprint_value != nullptr &&
+        strlen(cert_fingerprint_value) > 0) {
+      cert_fingerprint_ = cert_fingerprint_value;
+    }
+    const char* cert_fingerprint_server_host_value =
+        ini_.GetValue(section_, "cert_fingerprint_server_host", nullptr);
+    if (cert_fingerprint_server_host_value != nullptr &&
+        strlen(cert_fingerprint_server_host_value) > 0) {
+      cert_fingerprint_server_host_ = cert_fingerprint_server_host_value;
+    }
+
+    if (!cert_fingerprint_.empty() && !cert_fingerprint_server_host_.empty() &&
+        signal_server_host_ != cert_fingerprint_server_host_) {
+      LOG_INFO("Server IP changed from {} to {}, clearing old fingerprint",
+               cert_fingerprint_server_host_, signal_server_host_);
+      cert_fingerprint_.clear();
+      cert_fingerprint_server_host_.clear();
+      ini_.Delete(section_, "cert_fingerprint", false);
+      ini_.Delete(section_, "cert_fingerprint_server_host", false);
+    }
 
     ini_.SetValue(section_, "signal_server_host", signal_server_host_.c_str());
     ini_.SetLongValue(section_, "signal_server_port",
@@ -279,6 +431,11 @@ int ConfigCenter::SetSelfHosted(bool enable_self_hosted) {
     ini_.SetLongValue(section_, "coturn_server_port",
                       static_cast<long>(coturn_server_port_));
     ini_.SetValue(section_, "cert_file_path", cert_file_path_.c_str());
+    if (!cert_fingerprint_.empty()) {
+      ini_.SetValue(section_, "cert_fingerprint", cert_fingerprint_.c_str());
+      ini_.SetValue(section_, "cert_fingerprint_server_host",
+                    cert_fingerprint_server_host_.c_str());
+    }
   }
 
   SI_Error rc = ini_.SaveFile(config_path_.c_str());
@@ -368,6 +525,14 @@ int ConfigCenter::GetCoturnServerPort() const { return coturn_server_port_; }
 
 std::string ConfigCenter::GetCertFilePath() const { return cert_file_path_; }
 
+std::string ConfigCenter::GetCertFingerprint() const {
+  return cert_fingerprint_;
+}
+
+std::string ConfigCenter::GetDefaultCertFingerprint() const {
+  return default_cert_fingerprint_;
+}
+
 std::string ConfigCenter::GetDefaultServerHost() const {
   return signal_server_host_default_;
 }

src/config_center/config_center.h

@@ -38,6 +38,10 @@ class ConfigCenter {
   int SetServerPort(int signal_server_port);
   int SetCoturnServerPort(int coturn_server_port);
   int SetCertFilePath(const std::string& cert_file_path);
+  int SetCertFingerprint(const std::string& fingerprint);
+  int SetDefaultCertFingerprint(const std::string& fingerprint);
+  int ClearCertFingerprint();
+  int ClearDefaultCertFingerprint();
   int SetSelfHosted(bool enable_self_hosted);
   int SetMinimizeToTray(bool enable_minimize_to_tray);
   int SetAutostart(bool enable_autostart);
@@ -56,6 +60,8 @@ class ConfigCenter {
   int GetSignalServerPort() const;
   int GetCoturnServerPort() const;
   std::string GetCertFilePath() const;
+  std::string GetCertFingerprint() const;
+  std::string GetDefaultCertFingerprint() const;
   std::string GetDefaultServerHost() const;
   int GetDefaultSignalServerPort() const;
   int GetDefaultCoturnServerPort() const;
@@ -88,6 +94,10 @@ class ConfigCenter {
   int coturn_server_port_default_ = 3478;
   std::string cert_file_path_ = "";
   std::string cert_file_path_default_ = "";
+  std::string cert_fingerprint_ = "";
+  std::string cert_fingerprint_server_host_ = "";
+  std::string default_cert_fingerprint_ = "";
+  std::string default_cert_fingerprint_server_host_ = "";
   bool enable_self_hosted_ = false;
   bool enable_minimize_to_tray_ = false;
   bool enable_autostart_ = false;

src/gui/assets/localization/localization.h

@@ -116,6 +116,9 @@ static std::vector<std::string> self_hosted_server_certificate_path = {
     reinterpret_cast<const char*>(u8"证书文件路径:"), "Certificate File Path:"};
 static std::vector<std::string> select_a_file = {
     reinterpret_cast<const char*>(u8"请选择文件"), "Please select a file"};
+static std::vector<std::string> reset_cert_fingerprint = {
+    reinterpret_cast<const char*>(u8"重置证书指纹"),
+    "Reset Certificate Fingerprint"};
 static std::vector<std::string> ok = {reinterpret_cast<const char*>(u8"确认"),
                                       "OK"};
 static std::vector<std::string> cancel = {

src/gui/panels/local_peer_panel.cpp

@@ -233,15 +233,41 @@ int Render::LocalWindow() {
                     sizeof(password_saved_) - 1);
             password_saved_[sizeof(password_saved_) - 1] = '\0';
 
+            // if self hosted
+            if (config_center_->IsSelfHosted()) {
+              std::string self_hosted_id_str;
+              if (strlen(self_hosted_id_) > 0) {
+                const char* at_pos = strchr(self_hosted_id_, '@');
+                if (at_pos != nullptr) {
+                  self_hosted_id_str =
+                      std::string(self_hosted_id_, at_pos - self_hosted_id_);
+                } else {
+                  self_hosted_id_str = self_hosted_id_;
+                }
+              } else {
+                self_hosted_id_str = client_id_;
+              }
+
+              std::string new_self_hosted_id =
+                  self_hosted_id_str + "@" + password_saved_;
+              memset(&self_hosted_id_, 0, sizeof(self_hosted_id_));
+              strncpy(self_hosted_id_, new_self_hosted_id.c_str(),
+                      sizeof(self_hosted_id_) - 1);
+              self_hosted_id_[sizeof(self_hosted_id_) - 1] = '\0';
+
+            } else {
               std::string client_id_with_password =
                   std::string(client_id_) + "@" + password_saved_;
               strncpy(client_id_with_password_, client_id_with_password.c_str(),
                       sizeof(client_id_with_password_) - 1);
               client_id_with_password_[sizeof(client_id_with_password_) - 1] =
                   '\0';
+            }
 
             SaveSettingsIntoCacheFile();
 
+            memset(new_password_, 0, sizeof(new_password_));
+
             LeaveConnection(peer_, client_id_);
             DestroyPeer(&peer_);
             focus_on_input_widget_ = true;

src/gui/render.cpp

@@ -203,22 +203,41 @@ Render::~Render() {}
 
 int Render::SaveSettingsIntoCacheFile() {
   cd_cache_mutex_.lock();
-  std::ofstream cd_cache_file(cache_path_ + "/secure_cache.enc",
+
+  std::ofstream cd_cache_v2_file(cache_path_ + "/secure_cache_v2.enc",
                                  std::ios::binary);
-  if (!cd_cache_file) {
+  if (!cd_cache_v2_file) {
     cd_cache_mutex_.unlock();
     return -1;
   }
 
+  memset(&cd_cache_v2_.client_id_with_password, 0,
+         sizeof(cd_cache_v2_.client_id_with_password));
+  memcpy(cd_cache_v2_.client_id_with_password, client_id_with_password_,
+         sizeof(client_id_with_password_));
+  memcpy(&cd_cache_v2_.key, &aes128_key_, sizeof(aes128_key_));
+  memcpy(&cd_cache_v2_.iv, &aes128_iv_, sizeof(aes128_iv_));
+
+  memset(&cd_cache_v2_.self_hosted_id, 0, sizeof(cd_cache_v2_.self_hosted_id));
+  memcpy(cd_cache_v2_.self_hosted_id, self_hosted_id_, sizeof(self_hosted_id_));
+
+  cd_cache_v2_file.write(reinterpret_cast<char*>(&cd_cache_v2_),
+                         sizeof(CDCacheV2));
+  cd_cache_v2_file.close();
+
+  std::ofstream cd_cache_file(cache_path_ + "/secure_cache.enc",
+                              std::ios::binary);
+  if (cd_cache_file) {
     memset(&cd_cache_.client_id_with_password, 0,
            sizeof(cd_cache_.client_id_with_password));
     memcpy(cd_cache_.client_id_with_password, client_id_with_password_,
            sizeof(client_id_with_password_));
     memcpy(&cd_cache_.key, &aes128_key_, sizeof(aes128_key_));
     memcpy(&cd_cache_.iv, &aes128_iv_, sizeof(aes128_iv_));
-
     cd_cache_file.write(reinterpret_cast<char*>(&cd_cache_), sizeof(CDCache));
     cd_cache_file.close();
+  }
+
   cd_cache_mutex_.unlock();
 
   return 0;
@@ -226,6 +245,29 @@ int Render::SaveSettingsIntoCacheFile() {
 
 int Render::LoadSettingsFromCacheFile() {
   cd_cache_mutex_.lock();
+
+  std::ifstream cd_cache_v2_file(cache_path_ + "/secure_cache_v2.enc",
+                                 std::ios::binary);
+  bool v2_file_exists = cd_cache_v2_file.good();
+
+  if (v2_file_exists) {
+    cd_cache_v2_file.read(reinterpret_cast<char*>(&cd_cache_v2_),
+                          sizeof(CDCacheV2));
+    cd_cache_v2_file.close();
+
+    memset(&client_id_with_password_, 0, sizeof(client_id_with_password_));
+    memcpy(client_id_with_password_, cd_cache_v2_.client_id_with_password,
+           sizeof(client_id_with_password_));
+
+    memset(&self_hosted_id_, 0, sizeof(self_hosted_id_));
+    memcpy(self_hosted_id_, cd_cache_v2_.self_hosted_id,
+           sizeof(self_hosted_id_));
+
+    memcpy(aes128_key_, cd_cache_v2_.key, sizeof(cd_cache_v2_.key));
+    memcpy(aes128_iv_, cd_cache_v2_.iv, sizeof(cd_cache_v2_.iv));
+
+    LOG_INFO("Load settings from v2 cache file");
+  } else {
     std::ifstream cd_cache_file(cache_path_ + "/secure_cache.enc",
                                 std::ios::binary);
     if (!cd_cache_file) {
@@ -234,6 +276,7 @@ int Render::LoadSettingsFromCacheFile() {
       memset(password_saved_, 0, sizeof(password_saved_));
       memset(aes128_key_, 0, sizeof(aes128_key_));
       memset(aes128_iv_, 0, sizeof(aes128_iv_));
+      memset(self_hosted_id_, 0, sizeof(self_hosted_id_));
 
       thumbnail_.reset();
       thumbnail_ = std::make_shared<Thumbnail>(cache_path_ + "/thumbnails/");
@@ -247,12 +290,36 @@ int Render::LoadSettingsFromCacheFile() {
 
     cd_cache_file.read(reinterpret_cast<char*>(&cd_cache_), sizeof(CDCache));
     cd_cache_file.close();
-  cd_cache_mutex_.unlock();
+
+    memset(&cd_cache_v2_.client_id_with_password, 0,
+           sizeof(cd_cache_v2_.client_id_with_password));
+    memcpy(cd_cache_v2_.client_id_with_password,
+           cd_cache_.client_id_with_password,
+           sizeof(cd_cache_.client_id_with_password));
+    memcpy(&cd_cache_v2_.key, &cd_cache_.key, sizeof(cd_cache_.key));
+    memcpy(&cd_cache_v2_.iv, &cd_cache_.iv, sizeof(cd_cache_.iv));
+
+    memset(&cd_cache_v2_.self_hosted_id, 0,
+           sizeof(cd_cache_v2_.self_hosted_id));
 
     memset(&client_id_with_password_, 0, sizeof(client_id_with_password_));
     memcpy(client_id_with_password_, cd_cache_.client_id_with_password,
            sizeof(client_id_with_password_));
 
+    memset(&self_hosted_id_, 0, sizeof(self_hosted_id_));
+
+    memcpy(aes128_key_, cd_cache_.key, sizeof(cd_cache_.key));
+    memcpy(aes128_iv_, cd_cache_.iv, sizeof(cd_cache_.iv));
+
+    cd_cache_mutex_.unlock();
+    SaveSettingsIntoCacheFile();
+    cd_cache_mutex_.lock();
+
+    LOG_INFO("Migrated settings from v1 to v2 cache file");
+  }
+
+  cd_cache_mutex_.unlock();
+
   if (strchr(client_id_with_password_, '@') != nullptr) {
     std::string id, password;
     const char* at_pos = strchr(client_id_with_password_, '@');
@@ -273,9 +340,6 @@ int Render::LoadSettingsFromCacheFile() {
     password_saved_[sizeof(password_saved_) - 1] = '\0';
   }
 
-  memcpy(aes128_key_, cd_cache_.key, sizeof(cd_cache_.key));
-  memcpy(aes128_iv_, cd_cache_.iv, sizeof(cd_cache_.iv));
-
   thumbnail_.reset();
   thumbnail_ = std::make_shared<Thumbnail>(cache_path_ + "/thumbnails/",
                                            aes128_key_, aes128_iv_);
@@ -473,18 +537,75 @@ int Render::CreateConnectionPeer() {
   std::string signal_server_ip;
   int signal_server_port;
   int coturn_server_port;
-  std::string tls_cert_path;
+  std::string tls_cert_fingerprint;
 
   if (config_center_->IsSelfHosted()) {
     signal_server_ip = config_center_->GetSignalServerHost();
     signal_server_port = config_center_->GetSignalServerPort();
     coturn_server_port = config_center_->GetCoturnServerPort();
-    tls_cert_path = config_center_->GetCertFilePath();
+    tls_cert_fingerprint = config_center_->GetCertFingerprint();
+
+    std::string current_self_hosted_ip = config_center_->GetSignalServerHost();
+    bool use_cached_id = false;
+
+    // Check secure_cache_v2.enc exists or not
+    std::ifstream v2_file(cache_path_ + "/secure_cache_v2.enc",
+                          std::ios::binary);
+    if (v2_file.good()) {
+      CDCacheV2 temp_cache;
+      v2_file.read(reinterpret_cast<char*>(&temp_cache), sizeof(CDCacheV2));
+      v2_file.close();
+
+      if (strlen(temp_cache.self_hosted_id) > 0) {
+        memset(&self_hosted_id_, 0, sizeof(self_hosted_id_));
+        strncpy(self_hosted_id_, temp_cache.self_hosted_id,
+                sizeof(self_hosted_id_) - 1);
+        self_hosted_id_[sizeof(self_hosted_id_) - 1] = '\0';
+        use_cached_id = true;
+
+        std::string id, password;
+        const char* at_pos = strchr(self_hosted_id_, '@');
+        if (at_pos == nullptr) {
+          id = self_hosted_id_;
+          password.clear();
+        } else {
+          id.assign(self_hosted_id_, at_pos - self_hosted_id_);
+          password = at_pos + 1;
+        }
+
+        memset(&client_id_, 0, sizeof(client_id_));
+        strncpy(client_id_, id.c_str(), sizeof(client_id_) - 1);
+        client_id_[sizeof(client_id_) - 1] = '\0';
+
+        memset(&password_saved_, 0, sizeof(password_saved_));
+        strncpy(password_saved_, password.c_str(), sizeof(password_saved_) - 1);
+        password_saved_[sizeof(password_saved_) - 1] = '\0';
+      }
+    } else {
+      memset(&self_hosted_id_, 0, sizeof(self_hosted_id_));
+      LOG_INFO(
+          "secure_cache_v2.enc not found, will use empty id to get new id from "
+          "server");
+    }
+
+    if (use_cached_id && strlen(self_hosted_id_) > 0) {
+      memset(&self_hosted_user_id_, 0, sizeof(self_hosted_user_id_));
+      strncpy(self_hosted_user_id_, self_hosted_id_,
+              sizeof(self_hosted_user_id_) - 1);
+      self_hosted_user_id_[sizeof(self_hosted_user_id_) - 1] = '\0';
+      params_.user_id = self_hosted_user_id_;
+    } else {
+      memset(&self_hosted_user_id_, 0, sizeof(self_hosted_user_id_));
+      params_.user_id = self_hosted_user_id_;
+      LOG_INFO(
+          "Using empty id for self-hosted server, server will assign new id");
+    }
   } else {
     signal_server_ip = config_center_->GetDefaultServerHost();
     signal_server_port = config_center_->GetDefaultSignalServerPort();
     coturn_server_port = config_center_->GetDefaultCoturnServerPort();
-    tls_cert_path = config_center_->GetDefaultCertFilePath();
+    tls_cert_fingerprint = config_center_->GetDefaultCertFingerprint();
+    params_.user_id = client_id_with_password_;
   }
 
   // self hosted server config
@@ -528,9 +649,30 @@ int Render::CreateConnectionPeer() {
   strncpy((char*)params_.turn_server_password, "crossdeskpw",
           sizeof(params_.turn_server_password) - 1);
   params_.turn_server_password[sizeof(params_.turn_server_password) - 1] = '\0';
-  strncpy(params_.tls_cert_path, tls_cert_path.c_str(),
+  strncpy(params_.tls_cert_fingerprint, tls_cert_fingerprint.c_str(),
-          sizeof(params_.tls_cert_path) - 1);
+          sizeof(params_.tls_cert_fingerprint) - 1);
-  params_.tls_cert_path[sizeof(params_.tls_cert_path) - 1] = '\0';
+  params_.tls_cert_fingerprint[sizeof(params_.tls_cert_fingerprint) - 1] = '\0';
+
+  if (config_center_->IsSelfHosted()) {
+    params_.on_cert_fingerprint = [](const char* fingerprint, void* user_data) {
+      Render* render = static_cast<Render*>(user_data);
+      if (render && render->config_center_) {
+        render->config_center_->SetCertFingerprint(fingerprint);
+        LOG_INFO("Saved self-hosted certificate fingerprint: {}", fingerprint);
+      }
+    };
+    params_.fingerprint_user_data = this;
+  } else {
+    params_.on_cert_fingerprint = [](const char* fingerprint, void* user_data) {
+      Render* render = static_cast<Render*>(user_data);
+      if (render && render->config_center_) {
+        render->config_center_->SetDefaultCertFingerprint(fingerprint);
+        LOG_INFO("Saved default server certificate fingerprint: {}",
+                 fingerprint);
+      }
+    };
+    params_.fingerprint_user_data = this;
+  }
 
   strncpy(params_.log_path, dll_log_path_.c_str(),
           sizeof(params_.log_path) - 1);
@@ -554,7 +696,6 @@ int Render::CreateConnectionPeer() {
   params_.on_connection_status = OnConnectionStatusCb;
   params_.net_status_report = NetStatusReport;
 
-  params_.user_id = client_id_with_password_;
   params_.user_data = this;
 
   peer_ = CreatePeer(&params_);

src/gui/render.h

@@ -277,8 +277,25 @@ class Render {
     unsigned char iv[16];
   };
 
+  struct CDCacheV2 {
+    char client_id_with_password[17];
+    int language;
+    int video_quality;
+    int video_frame_rate;
+    int video_encode_format;
+    bool enable_hardware_video_codec;
+    bool enable_turn;
+    bool enable_srtp;
+
+    unsigned char key[16];
+    unsigned char iv[16];
+
+    char self_hosted_id[17];
+  };
+
  private:
   CDCache cd_cache_;
+  CDCacheV2 cd_cache_v2_;
   std::mutex cd_cache_mutex_;
   std::unique_ptr<ConfigCenter> config_center_;
   ConfigCenter::LANGUAGE localization_language_ =
@@ -470,6 +487,8 @@ class Render {
   char client_id_display_[12] = "";
   char client_id_with_password_[17] = "";
   char password_saved_[7] = "";
+  char self_hosted_id_[17] = "";
+  char self_hosted_user_id_[17] = "";
   int language_button_value_ = 0;
   int video_quality_button_value_ = 0;
   int video_frame_rate_button_value_ = 1;

src/gui/render_callback.cpp

@@ -1,4 +1,5 @@
 #include <cmath>
+#include <fstream>
 
 #include "device_controller.h"
 #include "localization.h"
@@ -556,6 +557,73 @@ void Render::NetStatusReport(const char* client_id, size_t client_id_size,
       password = at_pos + 1;
     }
 
+    bool is_self_hosted = render->config_center_->IsSelfHosted();
+
+    if (is_self_hosted) {
+      memset(&render->client_id_, 0, sizeof(render->client_id_));
+      strncpy(render->client_id_, id.c_str(), sizeof(render->client_id_) - 1);
+      render->client_id_[sizeof(render->client_id_) - 1] = '\0';
+
+      memset(&render->password_saved_, 0, sizeof(render->password_saved_));
+      strncpy(render->password_saved_, password.c_str(),
+              sizeof(render->password_saved_) - 1);
+      render->password_saved_[sizeof(render->password_saved_) - 1] = '\0';
+
+      memset(&render->self_hosted_id_, 0, sizeof(render->self_hosted_id_));
+      strncpy(render->self_hosted_id_, client_id,
+              sizeof(render->self_hosted_id_) - 1);
+      render->self_hosted_id_[sizeof(render->self_hosted_id_) - 1] = '\0';
+
+      LOG_INFO("Use self-hosted client id [{}] and save to cache file", id);
+
+      render->cd_cache_mutex_.lock();
+
+      std::ifstream v2_file_read(render->cache_path_ + "/secure_cache_v2.enc",
+                                 std::ios::binary);
+      if (v2_file_read.good()) {
+        v2_file_read.read(reinterpret_cast<char*>(&render->cd_cache_v2_),
+                          sizeof(CDCacheV2));
+        v2_file_read.close();
+      } else {
+        memset(&render->cd_cache_v2_, 0, sizeof(CDCacheV2));
+        memset(&render->cd_cache_v2_.client_id_with_password, 0,
+               sizeof(render->cd_cache_v2_.client_id_with_password));
+        strncpy(render->cd_cache_v2_.client_id_with_password,
+                render->client_id_with_password_,
+                sizeof(render->cd_cache_v2_.client_id_with_password));
+        memcpy(&render->cd_cache_v2_.key, &render->aes128_key_,
+               sizeof(render->cd_cache_v2_.key));
+        memcpy(&render->cd_cache_v2_.iv, &render->aes128_iv_,
+               sizeof(render->cd_cache_v2_.iv));
+      }
+
+      memset(&render->cd_cache_v2_.self_hosted_id, 0,
+             sizeof(render->cd_cache_v2_.self_hosted_id));
+      strncpy(render->cd_cache_v2_.self_hosted_id, client_id,
+              sizeof(render->cd_cache_v2_.self_hosted_id) - 1);
+      render->cd_cache_v2_
+          .self_hosted_id[sizeof(render->cd_cache_v2_.self_hosted_id) - 1] =
+          '\0';
+
+      memset(&render->cd_cache_v2_.client_id_with_password, 0,
+             sizeof(render->cd_cache_v2_.client_id_with_password));
+      strncpy(render->cd_cache_v2_.client_id_with_password,
+              render->client_id_with_password_,
+              sizeof(render->cd_cache_v2_.client_id_with_password));
+      memcpy(&render->cd_cache_v2_.key, &render->aes128_key_,
+             sizeof(render->cd_cache_v2_.key));
+      memcpy(&render->cd_cache_v2_.iv, &render->aes128_iv_,
+             sizeof(render->cd_cache_v2_.iv));
+      std::ofstream cd_cache_v2_file(
+          render->cache_path_ + "/secure_cache_v2.enc", std::ios::binary);
+      if (cd_cache_v2_file) {
+        cd_cache_v2_file.write(reinterpret_cast<char*>(&render->cd_cache_v2_),
+                               sizeof(CDCacheV2));
+        cd_cache_v2_file.close();
+      }
+
+      render->cd_cache_mutex_.unlock();
+    } else {
       memset(&render->client_id_, 0, sizeof(render->client_id_));
       strncpy(render->client_id_, id.c_str(), sizeof(render->client_id_) - 1);
       render->client_id_[sizeof(render->client_id_) - 1] = '\0';
@@ -569,12 +637,14 @@ void Render::NetStatusReport(const char* client_id, size_t client_id_size,
              sizeof(render->client_id_with_password_));
       strncpy(render->client_id_with_password_, client_id,
               sizeof(render->client_id_with_password_) - 1);
-    render->client_id_with_password_[sizeof(render->client_id_with_password_) -
+      render
+          ->client_id_with_password_[sizeof(render->client_id_with_password_) -
                                      1] = '\0';
 
       LOG_INFO("Use client id [{}] and save id into cache file", id);
       render->SaveSettingsIntoCacheFile();
     }
+  }
 
   std::string remote_id(user_id, user_id_size);
   // std::shared_lock lock(render->client_properties_mutex_);

src/gui/windows/server_settings_window.cpp

@@ -214,20 +214,30 @@ int Render::SelfHostedServerWindow() {
 
       ImGui::Separator();
 
+      // {
+      //   ImGui::AlignTextToFramePadding();
+      //   ImGui::Text(
+      //       "%s",
+      //       localization::reset_cert_fingerprint[localization_language_index_]
+      //           .c_str());
+      //   ImGui::SameLine();
+      //   if (ConfigCenter::LANGUAGE::CHINESE == localization_language_) {
+      //     ImGui::SetCursorPosX(title_bar_button_width_ * 2.5f);
+      //   } else {
+      //     ImGui::SetCursorPosX(title_bar_button_width_ * 3.43f);
+      //   }
+      //   ImGui::SetNextItemWidth(title_bar_button_width_ * 3.8f);
+
+      //   ShowSimpleFileBrowser();
+      // }
       {
         ImGui::AlignTextToFramePadding();
-        ImGui::Text("%s", localization::self_hosted_server_certificate_path
+        if (ImGui::Button(localization::reset_cert_fingerprint
                               [localization_language_index_]
-                                  .c_str());
+                                  .c_str())) {
-        ImGui::SameLine();
+          config_center_->ClearCertFingerprint();
-        if (ConfigCenter::LANGUAGE::CHINESE == localization_language_) {
+          LOG_INFO("Certificate fingerprint cleared by user");
-          ImGui::SetCursorPosX(title_bar_button_width_ * 2.5f);
-        } else {
-          ImGui::SetCursorPosX(title_bar_button_width_ * 3.43f);
         }
-        ImGui::SetNextItemWidth(title_bar_button_width_ * 3.8f);
-
-        ShowSimpleFileBrowser();
       }
 
       if (stream_window_inited_) {