[feat] use fingerprint-based verification for both default and self-hosted servers

.github/ISSUE_TEMPLATE/问题反馈.md

@@ -1,6 +1,6 @@
 ---
 name: 问题反馈
-about: Create a report to help us improve
+about: 请在此提交问题报告，以便持续优化产品。
 title: ''
 labels: bug
 assignees: kunkundi

.github/ISSUE_TEMPLATE/需求建议.md

@@ -0,0 +1,28 @@
+---
+name: 需求建议
+about: 请在此提交功能需求或改进建议，以便后续迭代参考。
+title: ''
+labels: enhancement
+assignees: kunkundi
+
+---
+
+**功能/改进建议描述**
+清晰简洁地描述希望新增的功能或改进的内容。
+
+**使用场景 / 背景**
+说明该功能或改进的使用场景，以及解决后带来的价值。
+
+**预期效果**
+描述你认为最理想的功能表现或改进效果。
+
+**参考示例（可选）**
+提供类似功能截图、参考链接或其他说明，帮助更好理解需求。
+
+**优先级（可选）**
+- [ ] 高
+- [ ] 中
+- [ ] 低
+
+**补充信息（可选）**
+其他相关信息或特殊要求。

README.md

@@ -169,7 +169,7 @@ xmake r -d crossdesk
 
 ## 自托管服务器
 推荐使用Docker部署CrossDesk Server。
-```
+```bash
 sudo docker run -d \
   --name crossdesk_server \
   --network host \
@@ -181,7 +181,7 @@ sudo docker run -d \
   -e MAX_PORT=xxxxx \
   -v /var/lib/crossdesk:/var/lib/crossdesk \
   -v /var/log/crossdesk:/var/log/crossdesk \
-  crossdesk/crossdesk-server:v1.1.2
+  crossdesk/crossdesk-server:v1.1.3
 ```
 
 上述命令中，用户需注意的参数如下：
@@ -194,9 +194,25 @@ sudo docker run -d \
 - MIN_PORT/MAX_PORT：COTURN 服务使用的端口范围，例如：MIN_PORT=50000, MAX_PORT=60000，范围可根据客户端数量调整。
 - `-v /var/lib/crossdesk:/var/lib/crossdesk`：持久化数据库和证书文件到宿主机
 - `-v /var/log/crossdesk:/var/log/crossdesk`：持久化日志文件到宿主机
-- 
+
+**示例**：
+```bash
+sudo docker run -d \
+  --name crossdesk_server \
+  --network host \
+  -e EXTERNAL_IP=114.114.114.114 \
+  -e INTERNAL_IP=10.0.0.1 \
+  -e CROSSDESK_SERVER_PORT=9099 \
+  -e COTURN_PORT=3478 \
+  -e MIN_PORT=50000 \
+  -e MAX_PORT=60000 \
+  -v /var/lib/crossdesk:/var/lib/crossdesk \
+  -v /var/log/crossdesk:/var/log/crossdesk \
+  crossdesk/crossdesk-server:v1.1.3
+```
+
 **注意**：
-- **服务器需开放端口：3478/udp，3478/tcp，MIN_PORT-MAX_PORT/udp，CROSSDESK_SERVER_PORT/tcp。**
+- **服务器需开放端口：COTURN_PORT/udp，COTURN_PORT/tcp，MIN_PORT-MAX_PORT/udp，CROSSDESK_SERVER_PORT/tcp。**
 - 如果不挂载 volume，容器删除后数据会丢失
 - 证书文件会在首次启动时自动生成并持久化到宿主机的 `/var/lib/crossdesk/certs` 路径下
 - 数据库文件会自动创建并持久化到宿主机的 `/var/lib/crossdesk/db/crossdesk-server.db` 路径下
@@ -213,21 +229,19 @@ sudo mkdir -p /var/lib/crossdesk /var/log/crossdesk
 sudo chown -R $(id -u):$(id -g) /var/lib/crossdesk /var/log/crossdesk
 ```
 
-## 证书文件
-在宿主机的 `/var/lib/crossdesk/certs` 路径下可找到证书文件 `crossdesk.cn_root.crt`，下载到你的客户端主机，并在客户端的**自托管服务器设置**中选择相应的**证书文件路径**。
 
 ### 客户端
-1. 点击右上角设置进入设置页面。<br>
+1. 点击右上角设置进入设置页面。<br><br>
 <img width="600" height="210" alt="image" src="https://github.com/user-attachments/assets/6431131d-b32a-4726-8783-6788f47baa3b" /><br><br>
 
-3. 点击点击**自托管服务器配置**。<br><br>
-<img width="600" height="160" alt="image" src="https://github.com/user-attachments/assets/24c761a3-1985-4d7e-84be-787383c2afb8" /><br><br>
+2. 点击点击`自托管服务器配置`按钮。<br><br>
+<img width="600" height="140" alt="image" src="https://github.com/user-attachments/assets/24c761a3-1985-4d7e-84be-787383c2afb8" /><br><br>
 
-5. 在**证书文件路径**选择框中找到 **crossdesk.cn_root.crt** 的存放路径，选中 **crossdesk.cn_root.crt**，点击确认。<br><br>
-<img width="600" height="220" alt="image" src="https://github.com/user-attachments/assets/4af7cd3a-c72e-44fb-b032-30e050019c2a" /><br><br>
+3. 输入`服务器地址`(**EXTERNAL_IP**)、`信令服务端口`(**CROSSDESK_SERVER_PORT**)、`中继服务端口`(**COTURN_PORT**)。<br><br>
+<img width="600" height="200" alt="image" src="https://github.com/user-attachments/assets/9a32ddd5-37f8-4bee-9a51-eae295820f9a" /><br><br>
 
-7. 勾选使用**自托管服务器配置**，点击确认配置生效。<br><br>
-<img width="600" height="160" alt="image" src="https://github.com/user-attachments/assets/1e455dc3-4087-4f37-a544-1ff9f8789383" /><br><br>
+4. 后续如果自托管服务器被重置或因其他原因导致证书更换，可以点击`重置证书指纹`按钮重置客户端保存的证书指纹。<br><br>
+<img width="600" height="200" alt="image" src="https://github.com/user-attachments/assets/d9e423ab-0c2b-4fab-b132-4dc27462d704" /><br><br>
 
 ### Web 客户端
 详情见项目 [CrossDesk Web Client](https://github.com/kunkundi/crossdesk-web-client)。

README_EN.md

@@ -189,7 +189,7 @@ sudo docker run -d \
   -e MAX_PORT=xxxxx \
   -v /var/lib/crossdesk:/var/lib/crossdesk \
   -v /var/log/crossdesk:/var/log/crossdesk \
-  crossdesk/crossdesk-server:v1.1.2
+  crossdesk/crossdesk-server:v1.1.3
 ```
 
 The parameters you need to pay attention to are as follows:
@@ -203,8 +203,24 @@ The parameters you need to pay attention to are as follows:
 - `-v /var/lib/crossdesk:/var/lib/crossdesk`: Persists database and certificate files on the host machine.
 - `-v /var/log/crossdesk:/var/log/crossdesk`: Persists log files on the host machine.
 
+**Example**:
+```bash
+sudo docker run -d \
+  --name crossdesk_server \
+  --network host \
+  -e EXTERNAL_IP=114.114.114.114 \
+  -e INTERNAL_IP=10.0.0.1 \
+  -e CROSSDESK_SERVER_PORT=9099 \
+  -e COTURN_PORT=3478 \
+  -e MIN_PORT=50000 \
+  -e MAX_PORT=60000 \
+  -v /var/lib/crossdesk:/var/lib/crossdesk \
+  -v /var/log/crossdesk:/var/log/crossdesk \
+  crossdesk/crossdesk-server:v1.1.3
+```
+
 **Notes**
-- **The server must open the following ports: 3478/udp, 3478/tcp, MIN_PORT–MAX_PORT/udp, and CROSSDESK_SERVER_PORT/tcp.**
+- **The server must open the following ports: COTURN_PORT/udp, COTURN_PORT/tcp, MIN_PORT–MAX_PORT/udp, and CROSSDESK_SERVER_PORT/tcp.**
 - If you don’t mount volumes, all data will be lost when the container is removed.
 - Certificate files will be automatically generated on first startup and persisted to the host at `/var/lib/crossdesk/certs`.
 - The database file will be automatically created and stored at `/var/lib/crossdesk/db/crossdesk-server.db`.
@@ -222,25 +238,21 @@ sudo mkdir -p /var/lib/crossdesk /var/log/crossdesk
 sudo chown -R $(id -u):$(id -g) /var/lib/crossdesk /var/log/crossdesk
 ```
 
-### Certificate Files
-You can find the certificate file `crossdesk.cn_root.crt` at `/var/lib/crossdesk/certs` on the host machine.
-Download it to your client device and select it in the **Certificate File Path** field under the CrossDesk client’s **Self-Hosted Server Settings**.
-
 ### Server Side
 Place **crossdesk.cn.key** and **crossdesk.cn_bundle.crt** into the **/path/to/your/certs** directory.
 
 ### Client Side
-1. Click the settings icon in the top-right corner to enter the settings page.<br>
+1. Click the settings icon in the top-right corner to enter the settings page.<br><br>
 <img width="600" height="210" alt="image" src="https://github.com/user-attachments/assets/6431131d-b32a-4726-8783-6788f47baa3b" /><br><br>
 
-2. Click **Self-Hosted Server Configuration**.<br><br>
+2. Click `Self-Hosted Server Configuration` button.<br><br>
 <img width="600" height="160" alt="image" src="https://github.com/user-attachments/assets/24c761a3-1985-4d7e-84be-787383c2afb8" /><br><br>
 
-3. In the **Certificate File Path** selection, locate and select the **crossdesk.cn_root.crt** file.<br><br>
-<img width="600" height="220" alt="image" src="https://github.com/user-attachments/assets/4af7cd3a-c72e-44fb-b032-30e050019c2a" /><br><br>
+3. Enter the `Server Address` (**EXTERNAL_IP**), `Signaling Service Port` (**CROSSDESK_SERVER_PORT**), and `Relay Service Port` (**COTURN_PORT**).<br><br>
+<img width="600" height="200" alt="image" src="https://github.com/user-attachments/assets/9a32ddd5-37f8-4bee-9a51-eae295820f9a" /><br><br>
 
-4. Check the option to use **Self-Hosted Server Configuration**.<br><br>
-<img width="600" height="160" alt="image" src="https://github.com/user-attachments/assets/1e455dc3-4087-4f37-a544-1ff9f8789383" /><br><br>
+4. If the self-hosted server is later reset or the certificate is replaced for any reason, you can click the `Reset Certificate Fingerprint` button to clear the certificate fingerprint saved on the client.<br><br>
+<img width="600" height="200" alt="image" src="https://github.com/user-attachments/assets/d9e423ab-0c2b-4fab-b132-4dc27462d704" /><br><br>
 
 ### Web Client
 See [CrossDesk Web Client](https://github.com/kunkundi/crossdesk-web-client)。

src/config_center/config_center.cpp

@@ -77,6 +77,64 @@ int ConfigCenter::Load() {
   } else {
     cert_file_path_ = "";
   }
+  const char* cert_fingerprint_value =
+      ini_.GetValue(section_, "cert_fingerprint", nullptr);
+  if (cert_fingerprint_value != nullptr && strlen(cert_fingerprint_value) > 0) {
+    cert_fingerprint_ = cert_fingerprint_value;
+  } else {
+    cert_fingerprint_ = "";
+  }
+  const char* cert_fingerprint_server_host_value =
+      ini_.GetValue(section_, "cert_fingerprint_server_host", nullptr);
+  if (cert_fingerprint_server_host_value != nullptr &&
+      strlen(cert_fingerprint_server_host_value) > 0) {
+    cert_fingerprint_server_host_ = cert_fingerprint_server_host_value;
+  } else {
+    cert_fingerprint_server_host_ = "";
+  }
+
+  const char* default_cert_fingerprint_value =
+      ini_.GetValue(section_, "default_cert_fingerprint", nullptr);
+  if (default_cert_fingerprint_value != nullptr &&
+      strlen(default_cert_fingerprint_value) > 0) {
+    default_cert_fingerprint_ = default_cert_fingerprint_value;
+  } else {
+    default_cert_fingerprint_ = "";
+  }
+  const char* default_cert_fingerprint_server_host_value =
+      ini_.GetValue(section_, "default_cert_fingerprint_server_host", nullptr);
+  if (default_cert_fingerprint_server_host_value != nullptr &&
+      strlen(default_cert_fingerprint_server_host_value) > 0) {
+    default_cert_fingerprint_server_host_ =
+        default_cert_fingerprint_server_host_value;
+  } else {
+    default_cert_fingerprint_server_host_ = "";
+  }
+
+  if (enable_self_hosted_ && !cert_fingerprint_.empty() &&
+      !cert_fingerprint_server_host_.empty() &&
+      signal_server_host_ != cert_fingerprint_server_host_) {
+    LOG_INFO("Server IP changed from {} to {}, clearing old fingerprint",
+             cert_fingerprint_server_host_, signal_server_host_);
+    cert_fingerprint_.clear();
+    cert_fingerprint_server_host_.clear();
+    ini_.Delete(section_, "cert_fingerprint", false);
+    ini_.Delete(section_, "cert_fingerprint_server_host", false);
+    ini_.SaveFile(config_path_.c_str());
+  }
+
+  if (!enable_self_hosted_ && !default_cert_fingerprint_.empty() &&
+      !default_cert_fingerprint_server_host_.empty() &&
+      signal_server_host_default_ != default_cert_fingerprint_server_host_) {
+    LOG_INFO(
+        "Default server IP changed from {} to {}, clearing old fingerprint",
+        default_cert_fingerprint_server_host_, signal_server_host_default_);
+    default_cert_fingerprint_.clear();
+    default_cert_fingerprint_server_host_.clear();
+    ini_.Delete(section_, "default_cert_fingerprint", false);
+    ini_.Delete(section_, "default_cert_fingerprint_server_host", false);
+    ini_.SaveFile(config_path_.c_str());
+  }
 
   enable_autostart_ =
       ini_.GetBoolValue(section_, "enable_autostart", enable_autostart_);
@@ -108,6 +166,18 @@ int ConfigCenter::Save() {
     ini_.SetLongValue(section_, "coturn_server_port",
                       static_cast<long>(coturn_server_port_));
     ini_.SetValue(section_, "cert_file_path", cert_file_path_.c_str());
+    if (!cert_fingerprint_.empty()) {
+      ini_.SetValue(section_, "cert_fingerprint", cert_fingerprint_.c_str());
+      ini_.SetValue(section_, "cert_fingerprint_server_host",
+                    cert_fingerprint_server_host_.c_str());
+    }
+  }
+
+  if (!default_cert_fingerprint_.empty()) {
+    ini_.SetValue(section_, "default_cert_fingerprint",
+                  default_cert_fingerprint_.c_str());
+    ini_.SetValue(section_, "default_cert_fingerprint_server_host",
+                  default_cert_fingerprint_server_host_.c_str());
   }
 
   ini_.SetBoolValue(section_, "enable_autostart", enable_autostart_);
@@ -200,6 +270,15 @@ int ConfigCenter::SetSrtp(bool enable_srtp) {
 }
 
 int ConfigCenter::SetServerHost(const std::string& signal_server_host) {
+  if (enable_self_hosted_ && !cert_fingerprint_.empty() &&
+      signal_server_host != signal_server_host_) {
+    LOG_INFO("Server IP changed from {} to {}, clearing old fingerprint",
+             signal_server_host_, signal_server_host);
+    cert_fingerprint_.clear();
+    cert_fingerprint_server_host_.clear();
+    ini_.Delete(section_, "cert_fingerprint", false);
+    ini_.Delete(section_, "cert_fingerprint_server_host", false);
+  }
   signal_server_host_ = signal_server_host;
   ini_.SetValue(section_, "signal_server_host", signal_server_host_.c_str());
   SI_Error rc = ini_.SaveFile(config_path_.c_str());
@@ -241,6 +320,57 @@ int ConfigCenter::SetCertFilePath(const std::string& cert_file_path) {
   return 0;
 }
 
+int ConfigCenter::SetCertFingerprint(const std::string& fingerprint) {
+  cert_fingerprint_ = fingerprint;
+  cert_fingerprint_server_host_ = signal_server_host_;
+  ini_.SetValue(section_, "cert_fingerprint", cert_fingerprint_.c_str());
+  ini_.SetValue(section_, "cert_fingerprint_server_host",
+                cert_fingerprint_server_host_.c_str());
+  SI_Error rc = ini_.SaveFile(config_path_.c_str());
+  if (rc < 0) {
+    return -1;
+  }
+  return 0;
+}
+
+int ConfigCenter::SetDefaultCertFingerprint(const std::string& fingerprint) {
+  default_cert_fingerprint_ = fingerprint;
+  default_cert_fingerprint_server_host_ = signal_server_host_default_;
+  ini_.SetValue(section_, "default_cert_fingerprint",
+                default_cert_fingerprint_.c_str());
+  ini_.SetValue(section_, "default_cert_fingerprint_server_host",
+                default_cert_fingerprint_server_host_.c_str());
+  SI_Error rc = ini_.SaveFile(config_path_.c_str());
+  if (rc < 0) {
+    return -1;
+  }
+  return 0;
+}
+
+int ConfigCenter::ClearCertFingerprint() {
+  cert_fingerprint_.clear();
+  cert_fingerprint_server_host_.clear();
+  ini_.Delete(section_, "cert_fingerprint", false);
+  ini_.Delete(section_, "cert_fingerprint_server_host", false);
+  SI_Error rc = ini_.SaveFile(config_path_.c_str());
+  if (rc < 0) {
+    return -1;
+  }
+  return 0;
+}
+
+int ConfigCenter::ClearDefaultCertFingerprint() {
+  default_cert_fingerprint_.clear();
+  default_cert_fingerprint_server_host_.clear();
+  ini_.Delete(section_, "default_cert_fingerprint", false);
+  ini_.Delete(section_, "default_cert_fingerprint_server_host", false);
+  SI_Error rc = ini_.SaveFile(config_path_.c_str());
+  if (rc < 0) {
+    return -1;
+  }
+  return 0;
+}
+
 int ConfigCenter::SetSelfHosted(bool enable_self_hosted) {
   enable_self_hosted_ = enable_self_hosted;
   ini_.SetBoolValue(section_, "enable_self_hosted", enable_self_hosted_);
@@ -272,6 +402,28 @@ int ConfigCenter::SetSelfHosted(bool enable_self_hosted) {
     if (cert_file_path_value != nullptr && strlen(cert_file_path_value) > 0) {
       cert_file_path_ = cert_file_path_value;
     }
+    const char* cert_fingerprint_value =
+        ini_.GetValue(section_, "cert_fingerprint", nullptr);
+    if (cert_fingerprint_value != nullptr &&
+        strlen(cert_fingerprint_value) > 0) {
+      cert_fingerprint_ = cert_fingerprint_value;
+    }
+    const char* cert_fingerprint_server_host_value =
+        ini_.GetValue(section_, "cert_fingerprint_server_host", nullptr);
+    if (cert_fingerprint_server_host_value != nullptr &&
+        strlen(cert_fingerprint_server_host_value) > 0) {
+      cert_fingerprint_server_host_ = cert_fingerprint_server_host_value;
+    }
+
+    if (!cert_fingerprint_.empty() && !cert_fingerprint_server_host_.empty() &&
+        signal_server_host_ != cert_fingerprint_server_host_) {
+      LOG_INFO("Server IP changed from {} to {}, clearing old fingerprint",
+               cert_fingerprint_server_host_, signal_server_host_);
+      cert_fingerprint_.clear();
+      cert_fingerprint_server_host_.clear();
+      ini_.Delete(section_, "cert_fingerprint", false);
+      ini_.Delete(section_, "cert_fingerprint_server_host", false);
+    }
 
     ini_.SetValue(section_, "signal_server_host", signal_server_host_.c_str());
     ini_.SetLongValue(section_, "signal_server_port",
@@ -279,6 +431,11 @@ int ConfigCenter::SetSelfHosted(bool enable_self_hosted) {
     ini_.SetLongValue(section_, "coturn_server_port",
                       static_cast<long>(coturn_server_port_));
     ini_.SetValue(section_, "cert_file_path", cert_file_path_.c_str());
+    if (!cert_fingerprint_.empty()) {
+      ini_.SetValue(section_, "cert_fingerprint", cert_fingerprint_.c_str());
+      ini_.SetValue(section_, "cert_fingerprint_server_host",
+                    cert_fingerprint_server_host_.c_str());
+    }
   }
 
   SI_Error rc = ini_.SaveFile(config_path_.c_str());
@@ -368,6 +525,14 @@ int ConfigCenter::GetCoturnServerPort() const { return coturn_server_port_; }
 
 std::string ConfigCenter::GetCertFilePath() const { return cert_file_path_; }
 
+std::string ConfigCenter::GetCertFingerprint() const {
+  return cert_fingerprint_;
+}
+
+std::string ConfigCenter::GetDefaultCertFingerprint() const {
+  return default_cert_fingerprint_;
+}
+
 std::string ConfigCenter::GetDefaultServerHost() const {
   return signal_server_host_default_;
 }

src/config_center/config_center.h

@@ -38,6 +38,10 @@ class ConfigCenter {
   int SetServerPort(int signal_server_port);
   int SetCoturnServerPort(int coturn_server_port);
   int SetCertFilePath(const std::string& cert_file_path);
+  int SetCertFingerprint(const std::string& fingerprint);
+  int SetDefaultCertFingerprint(const std::string& fingerprint);
+  int ClearCertFingerprint();
+  int ClearDefaultCertFingerprint();
   int SetSelfHosted(bool enable_self_hosted);
   int SetMinimizeToTray(bool enable_minimize_to_tray);
   int SetAutostart(bool enable_autostart);
@@ -56,6 +60,8 @@ class ConfigCenter {
   int GetSignalServerPort() const;
   int GetCoturnServerPort() const;
   std::string GetCertFilePath() const;
+  std::string GetCertFingerprint() const;
+  std::string GetDefaultCertFingerprint() const;
   std::string GetDefaultServerHost() const;
   int GetDefaultSignalServerPort() const;
   int GetDefaultCoturnServerPort() const;
@@ -88,6 +94,10 @@ class ConfigCenter {
   int coturn_server_port_default_ = 3478;
   std::string cert_file_path_ = "";
   std::string cert_file_path_default_ = "";
+  std::string cert_fingerprint_ = "";
+  std::string cert_fingerprint_server_host_ = "";
+  std::string default_cert_fingerprint_ = "";
+  std::string default_cert_fingerprint_server_host_ = "";
   bool enable_self_hosted_ = false;
   bool enable_minimize_to_tray_ = false;
   bool enable_autostart_ = false;

src/gui/assets/localization/localization.h

@@ -116,6 +116,9 @@ static std::vector<std::string> self_hosted_server_certificate_path = {
     reinterpret_cast<const char*>(u8"证书文件路径:"), "Certificate File Path:"};
 static std::vector<std::string> select_a_file = {
     reinterpret_cast<const char*>(u8"请选择文件"), "Please select a file"};
+static std::vector<std::string> reset_cert_fingerprint = {
+    reinterpret_cast<const char*>(u8"重置证书指纹"),
+    "Reset Certificate Fingerprint"};
 static std::vector<std::string> ok = {reinterpret_cast<const char*>(u8"确认"),
                                       "OK"};
 static std::vector<std::string> cancel = {

src/gui/panels/local_peer_panel.cpp

@@ -233,15 +233,41 @@ int Render::LocalWindow() {
                     sizeof(password_saved_) - 1);
             password_saved_[sizeof(password_saved_) - 1] = '\0';
 
-            std::string client_id_with_password =
-                std::string(client_id_) + "@" + password_saved_;
-            strncpy(client_id_with_password_, client_id_with_password.c_str(),
-                    sizeof(client_id_with_password_) - 1);
-            client_id_with_password_[sizeof(client_id_with_password_) - 1] =
-                '\0';
+            // if self hosted
+            if (config_center_->IsSelfHosted()) {
+              std::string self_hosted_id_str;
+              if (strlen(self_hosted_id_) > 0) {
+                const char* at_pos = strchr(self_hosted_id_, '@');
+                if (at_pos != nullptr) {
+                  self_hosted_id_str =
+                      std::string(self_hosted_id_, at_pos - self_hosted_id_);
+                } else {
+                  self_hosted_id_str = self_hosted_id_;
+                }
+              } else {
+                self_hosted_id_str = client_id_;
+              }
+
+              std::string new_self_hosted_id =
+                  self_hosted_id_str + "@" + password_saved_;
+              memset(&self_hosted_id_, 0, sizeof(self_hosted_id_));
+              strncpy(self_hosted_id_, new_self_hosted_id.c_str(),
+                      sizeof(self_hosted_id_) - 1);
+              self_hosted_id_[sizeof(self_hosted_id_) - 1] = '\0';
+
+            } else {
+              std::string client_id_with_password =
+                  std::string(client_id_) + "@" + password_saved_;
+              strncpy(client_id_with_password_, client_id_with_password.c_str(),
+                      sizeof(client_id_with_password_) - 1);
+              client_id_with_password_[sizeof(client_id_with_password_) - 1] =
+                  '\0';
+            }
 
             SaveSettingsIntoCacheFile();
 
+            memset(new_password_, 0, sizeof(new_password_));
+
             LeaveConnection(peer_, client_id_);
             DestroyPeer(&peer_);
             focus_on_input_widget_ = true;

src/gui/render.cpp

@@ -203,22 +203,41 @@ Render::~Render() {}
 
 int Render::SaveSettingsIntoCacheFile() {
   cd_cache_mutex_.lock();
-  std::ofstream cd_cache_file(cache_path_ + "/secure_cache.enc",
-                              std::ios::binary);
-  if (!cd_cache_file) {
+
+  std::ofstream cd_cache_v2_file(cache_path_ + "/secure_cache_v2.enc",
+                                 std::ios::binary);
+  if (!cd_cache_v2_file) {
     cd_cache_mutex_.unlock();
     return -1;
   }
 
-  memset(&cd_cache_.client_id_with_password, 0,
-         sizeof(cd_cache_.client_id_with_password));
-  memcpy(cd_cache_.client_id_with_password, client_id_with_password_,
+  memset(&cd_cache_v2_.client_id_with_password, 0,
+         sizeof(cd_cache_v2_.client_id_with_password));
+  memcpy(cd_cache_v2_.client_id_with_password, client_id_with_password_,
          sizeof(client_id_with_password_));
-  memcpy(&cd_cache_.key, &aes128_key_, sizeof(aes128_key_));
-  memcpy(&cd_cache_.iv, &aes128_iv_, sizeof(aes128_iv_));
+  memcpy(&cd_cache_v2_.key, &aes128_key_, sizeof(aes128_key_));
+  memcpy(&cd_cache_v2_.iv, &aes128_iv_, sizeof(aes128_iv_));
+
+  memset(&cd_cache_v2_.self_hosted_id, 0, sizeof(cd_cache_v2_.self_hosted_id));
+  memcpy(cd_cache_v2_.self_hosted_id, self_hosted_id_, sizeof(self_hosted_id_));
+
+  cd_cache_v2_file.write(reinterpret_cast<char*>(&cd_cache_v2_),
+                         sizeof(CDCacheV2));
+  cd_cache_v2_file.close();
+
+  std::ofstream cd_cache_file(cache_path_ + "/secure_cache.enc",
+                              std::ios::binary);
+  if (cd_cache_file) {
+    memset(&cd_cache_.client_id_with_password, 0,
+           sizeof(cd_cache_.client_id_with_password));
+    memcpy(cd_cache_.client_id_with_password, client_id_with_password_,
+           sizeof(client_id_with_password_));
+    memcpy(&cd_cache_.key, &aes128_key_, sizeof(aes128_key_));
+    memcpy(&cd_cache_.iv, &aes128_iv_, sizeof(aes128_iv_));
+    cd_cache_file.write(reinterpret_cast<char*>(&cd_cache_), sizeof(CDCache));
+    cd_cache_file.close();
+  }
 
-  cd_cache_file.write(reinterpret_cast<char*>(&cd_cache_), sizeof(CDCache));
-  cd_cache_file.close();
   cd_cache_mutex_.unlock();
 
   return 0;
@@ -226,33 +245,81 @@ int Render::SaveSettingsIntoCacheFile() {
 
 int Render::LoadSettingsFromCacheFile() {
   cd_cache_mutex_.lock();
-  std::ifstream cd_cache_file(cache_path_ + "/secure_cache.enc",
-                              std::ios::binary);
-  if (!cd_cache_file) {
+
+  std::ifstream cd_cache_v2_file(cache_path_ + "/secure_cache_v2.enc",
+                                 std::ios::binary);
+  bool v2_file_exists = cd_cache_v2_file.good();
+
+  if (v2_file_exists) {
+    cd_cache_v2_file.read(reinterpret_cast<char*>(&cd_cache_v2_),
+                          sizeof(CDCacheV2));
+    cd_cache_v2_file.close();
+
+    memset(&client_id_with_password_, 0, sizeof(client_id_with_password_));
+    memcpy(client_id_with_password_, cd_cache_v2_.client_id_with_password,
+           sizeof(client_id_with_password_));
+
+    memset(&self_hosted_id_, 0, sizeof(self_hosted_id_));
+    memcpy(self_hosted_id_, cd_cache_v2_.self_hosted_id,
+           sizeof(self_hosted_id_));
+
+    memcpy(aes128_key_, cd_cache_v2_.key, sizeof(cd_cache_v2_.key));
+    memcpy(aes128_iv_, cd_cache_v2_.iv, sizeof(cd_cache_v2_.iv));
+
+    LOG_INFO("Load settings from v2 cache file");
+  } else {
+    std::ifstream cd_cache_file(cache_path_ + "/secure_cache.enc",
+                                std::ios::binary);
+    if (!cd_cache_file) {
+      cd_cache_mutex_.unlock();
+
+      memset(password_saved_, 0, sizeof(password_saved_));
+      memset(aes128_key_, 0, sizeof(aes128_key_));
+      memset(aes128_iv_, 0, sizeof(aes128_iv_));
+      memset(self_hosted_id_, 0, sizeof(self_hosted_id_));
+
+      thumbnail_.reset();
+      thumbnail_ = std::make_shared<Thumbnail>(cache_path_ + "/thumbnails/");
+      thumbnail_->GetKeyAndIv(aes128_key_, aes128_iv_);
+      thumbnail_->DeleteAllFilesInDirectory();
+
+      SaveSettingsIntoCacheFile();
+
+      return -1;
+    }
+
+    cd_cache_file.read(reinterpret_cast<char*>(&cd_cache_), sizeof(CDCache));
+    cd_cache_file.close();
+
+    memset(&cd_cache_v2_.client_id_with_password, 0,
+           sizeof(cd_cache_v2_.client_id_with_password));
+    memcpy(cd_cache_v2_.client_id_with_password,
+           cd_cache_.client_id_with_password,
+           sizeof(cd_cache_.client_id_with_password));
+    memcpy(&cd_cache_v2_.key, &cd_cache_.key, sizeof(cd_cache_.key));
+    memcpy(&cd_cache_v2_.iv, &cd_cache_.iv, sizeof(cd_cache_.iv));
+
+    memset(&cd_cache_v2_.self_hosted_id, 0,
+           sizeof(cd_cache_v2_.self_hosted_id));
+
+    memset(&client_id_with_password_, 0, sizeof(client_id_with_password_));
+    memcpy(client_id_with_password_, cd_cache_.client_id_with_password,
+           sizeof(client_id_with_password_));
+
+    memset(&self_hosted_id_, 0, sizeof(self_hosted_id_));
+
+    memcpy(aes128_key_, cd_cache_.key, sizeof(cd_cache_.key));
+    memcpy(aes128_iv_, cd_cache_.iv, sizeof(cd_cache_.iv));
+
     cd_cache_mutex_.unlock();
-
-    memset(password_saved_, 0, sizeof(password_saved_));
-    memset(aes128_key_, 0, sizeof(aes128_key_));
-    memset(aes128_iv_, 0, sizeof(aes128_iv_));
-
-    thumbnail_.reset();
-    thumbnail_ = std::make_shared<Thumbnail>(cache_path_ + "/thumbnails/");
-    thumbnail_->GetKeyAndIv(aes128_key_, aes128_iv_);
-    thumbnail_->DeleteAllFilesInDirectory();
-
     SaveSettingsIntoCacheFile();
+    cd_cache_mutex_.lock();
 
-    return -1;
+    LOG_INFO("Migrated settings from v1 to v2 cache file");
   }
 
-  cd_cache_file.read(reinterpret_cast<char*>(&cd_cache_), sizeof(CDCache));
-  cd_cache_file.close();
   cd_cache_mutex_.unlock();
 
-  memset(&client_id_with_password_, 0, sizeof(client_id_with_password_));
-  memcpy(client_id_with_password_, cd_cache_.client_id_with_password,
-         sizeof(client_id_with_password_));
-
   if (strchr(client_id_with_password_, '@') != nullptr) {
     std::string id, password;
     const char* at_pos = strchr(client_id_with_password_, '@');
@@ -273,9 +340,6 @@ int Render::LoadSettingsFromCacheFile() {
     password_saved_[sizeof(password_saved_) - 1] = '\0';
   }
 
-  memcpy(aes128_key_, cd_cache_.key, sizeof(cd_cache_.key));
-  memcpy(aes128_iv_, cd_cache_.iv, sizeof(cd_cache_.iv));
-
   thumbnail_.reset();
   thumbnail_ = std::make_shared<Thumbnail>(cache_path_ + "/thumbnails/",
                                            aes128_key_, aes128_iv_);
@@ -473,18 +537,75 @@ int Render::CreateConnectionPeer() {
   std::string signal_server_ip;
   int signal_server_port;
   int coturn_server_port;
-  std::string tls_cert_path;
+  std::string tls_cert_fingerprint;
 
   if (config_center_->IsSelfHosted()) {
     signal_server_ip = config_center_->GetSignalServerHost();
     signal_server_port = config_center_->GetSignalServerPort();
     coturn_server_port = config_center_->GetCoturnServerPort();
-    tls_cert_path = config_center_->GetCertFilePath();
+    tls_cert_fingerprint = config_center_->GetCertFingerprint();
+
+    std::string current_self_hosted_ip = config_center_->GetSignalServerHost();
+    bool use_cached_id = false;
+
+    // Check secure_cache_v2.enc exists or not
+    std::ifstream v2_file(cache_path_ + "/secure_cache_v2.enc",
+                          std::ios::binary);
+    if (v2_file.good()) {
+      CDCacheV2 temp_cache;
+      v2_file.read(reinterpret_cast<char*>(&temp_cache), sizeof(CDCacheV2));
+      v2_file.close();
+
+      if (strlen(temp_cache.self_hosted_id) > 0) {
+        memset(&self_hosted_id_, 0, sizeof(self_hosted_id_));
+        strncpy(self_hosted_id_, temp_cache.self_hosted_id,
+                sizeof(self_hosted_id_) - 1);
+        self_hosted_id_[sizeof(self_hosted_id_) - 1] = '\0';
+        use_cached_id = true;
+
+        std::string id, password;
+        const char* at_pos = strchr(self_hosted_id_, '@');
+        if (at_pos == nullptr) {
+          id = self_hosted_id_;
+          password.clear();
+        } else {
+          id.assign(self_hosted_id_, at_pos - self_hosted_id_);
+          password = at_pos + 1;
+        }
+
+        memset(&client_id_, 0, sizeof(client_id_));
+        strncpy(client_id_, id.c_str(), sizeof(client_id_) - 1);
+        client_id_[sizeof(client_id_) - 1] = '\0';
+
+        memset(&password_saved_, 0, sizeof(password_saved_));
+        strncpy(password_saved_, password.c_str(), sizeof(password_saved_) - 1);
+        password_saved_[sizeof(password_saved_) - 1] = '\0';
+      }
+    } else {
+      memset(&self_hosted_id_, 0, sizeof(self_hosted_id_));
+      LOG_INFO(
+          "secure_cache_v2.enc not found, will use empty id to get new id from "
+          "server");
+    }
+
+    if (use_cached_id && strlen(self_hosted_id_) > 0) {
+      memset(&self_hosted_user_id_, 0, sizeof(self_hosted_user_id_));
+      strncpy(self_hosted_user_id_, self_hosted_id_,
+              sizeof(self_hosted_user_id_) - 1);
+      self_hosted_user_id_[sizeof(self_hosted_user_id_) - 1] = '\0';
+      params_.user_id = self_hosted_user_id_;
+    } else {
+      memset(&self_hosted_user_id_, 0, sizeof(self_hosted_user_id_));
+      params_.user_id = self_hosted_user_id_;
+      LOG_INFO(
+          "Using empty id for self-hosted server, server will assign new id");
+    }
   } else {
     signal_server_ip = config_center_->GetDefaultServerHost();
     signal_server_port = config_center_->GetDefaultSignalServerPort();
     coturn_server_port = config_center_->GetDefaultCoturnServerPort();
-    tls_cert_path = config_center_->GetDefaultCertFilePath();
+    tls_cert_fingerprint = config_center_->GetDefaultCertFingerprint();
+    params_.user_id = client_id_with_password_;
   }
 
   // self hosted server config
@@ -528,9 +649,30 @@ int Render::CreateConnectionPeer() {
   strncpy((char*)params_.turn_server_password, "crossdeskpw",
           sizeof(params_.turn_server_password) - 1);
   params_.turn_server_password[sizeof(params_.turn_server_password) - 1] = '\0';
-  strncpy(params_.tls_cert_path, tls_cert_path.c_str(),
-          sizeof(params_.tls_cert_path) - 1);
-  params_.tls_cert_path[sizeof(params_.tls_cert_path) - 1] = '\0';
+  strncpy(params_.tls_cert_fingerprint, tls_cert_fingerprint.c_str(),
+          sizeof(params_.tls_cert_fingerprint) - 1);
+  params_.tls_cert_fingerprint[sizeof(params_.tls_cert_fingerprint) - 1] = '\0';
+
+  if (config_center_->IsSelfHosted()) {
+    params_.on_cert_fingerprint = [](const char* fingerprint, void* user_data) {
+      Render* render = static_cast<Render*>(user_data);
+      if (render && render->config_center_) {
+        render->config_center_->SetCertFingerprint(fingerprint);
+        LOG_INFO("Saved self-hosted certificate fingerprint: {}", fingerprint);
+      }
+    };
+    params_.fingerprint_user_data = this;
+  } else {
+    params_.on_cert_fingerprint = [](const char* fingerprint, void* user_data) {
+      Render* render = static_cast<Render*>(user_data);
+      if (render && render->config_center_) {
+        render->config_center_->SetDefaultCertFingerprint(fingerprint);
+        LOG_INFO("Saved default server certificate fingerprint: {}",
+                 fingerprint);
+      }
+    };
+    params_.fingerprint_user_data = this;
+  }
 
   strncpy(params_.log_path, dll_log_path_.c_str(),
           sizeof(params_.log_path) - 1);
@@ -554,7 +696,6 @@ int Render::CreateConnectionPeer() {
   params_.on_connection_status = OnConnectionStatusCb;
   params_.net_status_report = NetStatusReport;
 
-  params_.user_id = client_id_with_password_;
   params_.user_data = this;
 
   peer_ = CreatePeer(&params_);

src/gui/render.h

@@ -277,8 +277,25 @@ class Render {
     unsigned char iv[16];
   };
 
+  struct CDCacheV2 {
+    char client_id_with_password[17];
+    int language;
+    int video_quality;
+    int video_frame_rate;
+    int video_encode_format;
+    bool enable_hardware_video_codec;
+    bool enable_turn;
+    bool enable_srtp;
+
+    unsigned char key[16];
+    unsigned char iv[16];
+
+    char self_hosted_id[17];
+  };
+
  private:
   CDCache cd_cache_;
+  CDCacheV2 cd_cache_v2_;
   std::mutex cd_cache_mutex_;
   std::unique_ptr<ConfigCenter> config_center_;
   ConfigCenter::LANGUAGE localization_language_ =
@@ -470,6 +487,8 @@ class Render {
   char client_id_display_[12] = "";
   char client_id_with_password_[17] = "";
   char password_saved_[7] = "";
+  char self_hosted_id_[17] = "";
+  char self_hosted_user_id_[17] = "";
   int language_button_value_ = 0;
   int video_quality_button_value_ = 0;
   int video_frame_rate_button_value_ = 1;

src/gui/render_callback.cpp

@@ -1,4 +1,5 @@
 #include <cmath>
+#include <fstream>
 
 #include "device_controller.h"
 #include "localization.h"
@@ -556,24 +557,93 @@ void Render::NetStatusReport(const char* client_id, size_t client_id_size,
       password = at_pos + 1;
     }
 
-    memset(&render->client_id_, 0, sizeof(render->client_id_));
-    strncpy(render->client_id_, id.c_str(), sizeof(render->client_id_) - 1);
-    render->client_id_[sizeof(render->client_id_) - 1] = '\0';
+    bool is_self_hosted = render->config_center_->IsSelfHosted();
 
-    memset(&render->password_saved_, 0, sizeof(render->password_saved_));
-    strncpy(render->password_saved_, password.c_str(),
-            sizeof(render->password_saved_) - 1);
-    render->password_saved_[sizeof(render->password_saved_) - 1] = '\0';
+    if (is_self_hosted) {
+      memset(&render->client_id_, 0, sizeof(render->client_id_));
+      strncpy(render->client_id_, id.c_str(), sizeof(render->client_id_) - 1);
+      render->client_id_[sizeof(render->client_id_) - 1] = '\0';
 
-    memset(&render->client_id_with_password_, 0,
-           sizeof(render->client_id_with_password_));
-    strncpy(render->client_id_with_password_, client_id,
-            sizeof(render->client_id_with_password_) - 1);
-    render->client_id_with_password_[sizeof(render->client_id_with_password_) -
+      memset(&render->password_saved_, 0, sizeof(render->password_saved_));
+      strncpy(render->password_saved_, password.c_str(),
+              sizeof(render->password_saved_) - 1);
+      render->password_saved_[sizeof(render->password_saved_) - 1] = '\0';
+
+      memset(&render->self_hosted_id_, 0, sizeof(render->self_hosted_id_));
+      strncpy(render->self_hosted_id_, client_id,
+              sizeof(render->self_hosted_id_) - 1);
+      render->self_hosted_id_[sizeof(render->self_hosted_id_) - 1] = '\0';
+
+      LOG_INFO("Use self-hosted client id [{}] and save to cache file", id);
+
+      render->cd_cache_mutex_.lock();
+
+      std::ifstream v2_file_read(render->cache_path_ + "/secure_cache_v2.enc",
+                                 std::ios::binary);
+      if (v2_file_read.good()) {
+        v2_file_read.read(reinterpret_cast<char*>(&render->cd_cache_v2_),
+                          sizeof(CDCacheV2));
+        v2_file_read.close();
+      } else {
+        memset(&render->cd_cache_v2_, 0, sizeof(CDCacheV2));
+        memset(&render->cd_cache_v2_.client_id_with_password, 0,
+               sizeof(render->cd_cache_v2_.client_id_with_password));
+        strncpy(render->cd_cache_v2_.client_id_with_password,
+                render->client_id_with_password_,
+                sizeof(render->cd_cache_v2_.client_id_with_password));
+        memcpy(&render->cd_cache_v2_.key, &render->aes128_key_,
+               sizeof(render->cd_cache_v2_.key));
+        memcpy(&render->cd_cache_v2_.iv, &render->aes128_iv_,
+               sizeof(render->cd_cache_v2_.iv));
+      }
+
+      memset(&render->cd_cache_v2_.self_hosted_id, 0,
+             sizeof(render->cd_cache_v2_.self_hosted_id));
+      strncpy(render->cd_cache_v2_.self_hosted_id, client_id,
+              sizeof(render->cd_cache_v2_.self_hosted_id) - 1);
+      render->cd_cache_v2_
+          .self_hosted_id[sizeof(render->cd_cache_v2_.self_hosted_id) - 1] =
+          '\0';
+
+      memset(&render->cd_cache_v2_.client_id_with_password, 0,
+             sizeof(render->cd_cache_v2_.client_id_with_password));
+      strncpy(render->cd_cache_v2_.client_id_with_password,
+              render->client_id_with_password_,
+              sizeof(render->cd_cache_v2_.client_id_with_password));
+      memcpy(&render->cd_cache_v2_.key, &render->aes128_key_,
+             sizeof(render->cd_cache_v2_.key));
+      memcpy(&render->cd_cache_v2_.iv, &render->aes128_iv_,
+             sizeof(render->cd_cache_v2_.iv));
+      std::ofstream cd_cache_v2_file(
+          render->cache_path_ + "/secure_cache_v2.enc", std::ios::binary);
+      if (cd_cache_v2_file) {
+        cd_cache_v2_file.write(reinterpret_cast<char*>(&render->cd_cache_v2_),
+                               sizeof(CDCacheV2));
+        cd_cache_v2_file.close();
+      }
+
+      render->cd_cache_mutex_.unlock();
+    } else {
+      memset(&render->client_id_, 0, sizeof(render->client_id_));
+      strncpy(render->client_id_, id.c_str(), sizeof(render->client_id_) - 1);
+      render->client_id_[sizeof(render->client_id_) - 1] = '\0';
+
+      memset(&render->password_saved_, 0, sizeof(render->password_saved_));
+      strncpy(render->password_saved_, password.c_str(),
+              sizeof(render->password_saved_) - 1);
+      render->password_saved_[sizeof(render->password_saved_) - 1] = '\0';
+
+      memset(&render->client_id_with_password_, 0,
+             sizeof(render->client_id_with_password_));
+      strncpy(render->client_id_with_password_, client_id,
+              sizeof(render->client_id_with_password_) - 1);
+      render
+          ->client_id_with_password_[sizeof(render->client_id_with_password_) -
                                      1] = '\0';
 
-    LOG_INFO("Use client id [{}] and save id into cache file", id);
-    render->SaveSettingsIntoCacheFile();
+      LOG_INFO("Use client id [{}] and save id into cache file", id);
+      render->SaveSettingsIntoCacheFile();
+    }
   }
 
   std::string remote_id(user_id, user_id_size);

src/gui/windows/server_settings_window.cpp

@@ -214,20 +214,30 @@ int Render::SelfHostedServerWindow() {
 
       ImGui::Separator();
 
+      // {
+      //   ImGui::AlignTextToFramePadding();
+      //   ImGui::Text(
+      //       "%s",
+      //       localization::reset_cert_fingerprint[localization_language_index_]
+      //           .c_str());
+      //   ImGui::SameLine();
+      //   if (ConfigCenter::LANGUAGE::CHINESE == localization_language_) {
+      //     ImGui::SetCursorPosX(title_bar_button_width_ * 2.5f);
+      //   } else {
+      //     ImGui::SetCursorPosX(title_bar_button_width_ * 3.43f);
+      //   }
+      //   ImGui::SetNextItemWidth(title_bar_button_width_ * 3.8f);
+
+      //   ShowSimpleFileBrowser();
+      // }
       {
         ImGui::AlignTextToFramePadding();
-        ImGui::Text("%s", localization::self_hosted_server_certificate_path
+        if (ImGui::Button(localization::reset_cert_fingerprint
                               [localization_language_index_]
-                                  .c_str());
-        ImGui::SameLine();
-        if (ConfigCenter::LANGUAGE::CHINESE == localization_language_) {
-          ImGui::SetCursorPosX(title_bar_button_width_ * 2.5f);
-        } else {
-          ImGui::SetCursorPosX(title_bar_button_width_ * 3.43f);
+                                  .c_str())) {
+          config_center_->ClearCertFingerprint();
+          LOG_INFO("Certificate fingerprint cleared by user");
         }
-        ImGui::SetNextItemWidth(title_bar_button_width_ * 3.8f);
-
-        ShowSimpleFileBrowser();
       }
 
       if (stream_window_inited_) {