[Bug] 1.14.4使用tuic tcp fast open不能传回网页证书

pty819 commented 1 year ago

Verify steps

[X] 确保你使用的是本仓库最新的的 clash 或 clash Alpha 版本 Ensure you are using the latest version of Clash or Clash Premium from this repository.
[X] 如果你可以自己 debug 并解决的话，提交 PR 吧 Is this something you can debug and fix? Send a pull request! Bug fixes and documentation fixes are welcome.
[X] 我已经在 Issue Tracker 中找过我要提出的问题 I have searched on the issue tracker for a related issue.
[X] 我已经使用 Alpha 分支版本测试过，问题依旧存在 I have tested using the dev branch, and the issue still exists.
[X] 我已经仔细看过 Documentation 并无法自行解决问题 I have read the documentation and was unable to solve the issue.
[X] 这是 Clash 核心的问题，并非我所使用的 Clash 衍生版本（如 OpenClash、KoolClash 等）的特定问题 This is an issue of the Clash core per se, not to the derivatives of Clash, like OpenClash or KoolClash.

Clash version

Clash Meta v1.14.4 windows amd64 with go1.20.3 Fri Apr 28 17:12:00 UTC 2023 Use tags: with_gvisor

What OS are you seeing the problem on?

Windows

Clash config

mixed-port: 7890
allow-lan: true
bind-address: '*'
mode: rule
log-level: info
geodata-mode: true
external-controller: '127.0.0.1:9090'

sniffer:                         #【Meta专属】sniffer域名嗅探器
  enable: true                   #嗅探开关
  sniffing:                      #嗅探协议对象：目前支持tls/http
    - tls
    - http
  skip-domain:                   #列表中的sni字段，保留mapping结果，不通过嗅探还原域名
                                 #优先级比force-domain高
    - 'Mijia Cloud'              #米家设备，建议加
    - 'dlg.io.mi.com'
    - '+.apple.com'              #苹果域名，建议加

  force-domain:                  #需要强制嗅探的域名，默认只对IP嗅探
  # - '+'                        #去掉注释后等于全局嗅探
    - 'google.com'

dns:
    enable: true
    ipv6: false
    default-nameserver: [223.5.5.5, 119.29.29.29]
    enhanced-mode: redir-host
    fake-ip-range: 198.18.0.1/16
    use-hosts: true
    nameserver: ['tls://dot.pub:853', 'tls://dns.alidns.com:853']
    fallback: ['quic://dns.adguard-dns.com']
    fallback-filter: { geoip: true, ipcidr: [240.0.0.0/4, 0.0.0.0/32] }
proxies:
    - { name: 'hysteria-altlanta',  type: hysteria, server: , fast_open: true, port: 443, alpn: ['h3'], protocol: udp , up: '100 Mbps', down: '100 Mbps' }
    - { name: 'hysteria-amer1',     type: hysteria, server: ,   fast_open: true, port: 443, alpn: ['h3'], protocol: udp , up: '100 Mbps', down: '100 Mbps'  }
    - { name: 'hysteria-amer2',     type: hysteria, server: ,   fast_open: true, port: 443, alpn: ['h3'], protocol: udp , up: '100 Mbps', down: '100 Mbps' }
    - { name: 'tuic-amer1',         type: tuic,     server: ,     port: 2443, alpn: ['h3'],   token: xingping,    heartbeat-interval: 10000,  reduce-rtt: true,    udp-relay-mode: quic,    congestion-controller: bbr,    fast-open: true}
    - { name: 'tuic-amer2',         type: tuic,     server: ,     port: 2443, alpn: ['h3'],   token: xingping,    heartbeat-interval: 10000,  reduce-rtt: true,    udp-relay-mode: quic,    congestion-controller: bbr,    fast-open: true}
    - { name: 'tuic-altlanta',      type: tuic,     server: ,   port: 2443, alpn: ['h3'],   token: xingping,    heartbeat-interval: 10000,  reduce-rtt: true,    udp-relay-mode: quic,    congestion-controller: bbr}

proxy-groups:
    - { name: PROXY, type: select, proxies: ['自动选择','故障转移','hysteria-amer1','tuic-amer1','hysteria-amer2','tuic-amer2','hysteria-altlanta','tuic-altlanta'] }
    - { name: 自动选择, type: url-test, proxies: ['hysteria-amer1','tuic-amer1','hysteria-amer2','tuic-amer2','hysteria-altlanta','tuic-altlanta'], url: 'http://www.gstatic.com/generate_204', interval: 1800 }
    - { name: 故障转移, type: fallback, proxies: ['hysteria-amer1','tuic-amer1','hysteria-amer2','tuic-amer2','hysteria-altlanta','tuic-altlanta'], url: 'http://www.gstatic.com/generate_204', interval: 360 }

rules:
  - DOMAIN,clash.razord.top,DIRECT
  - DOMAIN,yacd.haishan.me,DIRECT
  - DOMAIN-KEYWORD,bing,PROXY
  - DOMAIN-SUFFIX,live.com,PROXY
  - GEOSITE,category-ads-all,REJECT
  - GEOSITE,icloud@cn,DIRECT
  - GEOSITE,apple@cn,DIRECT
  - GEOSITE,apple-cn,DIRECT
  - GEOSITE,microsoft@cn,DIRECT
  - GEOSITE,facebook,PROXY
  - GEOSITE,youtube,PROXY
  - GEOSITE,geolocation-cn,DIRECT
  - GEOSITE,geolocation-!cn,PROXY
  - GEOIP,telegram,PROXY,no-resolve
  - GEOIP,private,DIRECT,no-resolve
  - GEOIP,LAN,DIRECT
  - GEOIP,CN,DIRECT

  - MATCH,PROXY

Clash log

No response

Description

1.14.3中，tuic协议配置里加上tcp-fast-open可以正常使用，核心升级到1.14.4后，fast open打开网页失败，显示网页无证书，必须去除该字段才能正常使用。

johntaiko commented 1 year ago

Same issue with me

KinoluKaslana commented 1 year ago

一样的，但是我看到tuic最新的（dev branch）server配置有一点变更，tuic服务消息为： [unauthenticated] handling incoming unidirectional stream error: error unmarshaling uni_stream: invalid version: 4 [unauthenticated] handling incoming bidirectional stream error: error unmarshaling bi_stream: invalid version: 4 我这里有两台服务器，较老的一台用的是稍老版本的tuic（并非dev branch），目前非dev branch的tuic可以正常使用。

Same issue with me,I noticed the config of dev branch tuic-server is different with the other branch, may be Clash.Meta has not fit the dev branch tuic-server. I have two VPS with different branch of tuic, the older one works, the dev branch console log is: [unauthenticated] handling incoming unidirectional stream error: error unmarshaling uni_stream: invalid version: 4 [unauthenticated] handling incoming bidirectional stream error: error unmarshaling bi_stream: invalid version: 4

MetaCubeX / mihomo