SagerNet / sing-box

The universal proxy platform
https://sing-box.sagernet.org/

uTLS "chrome_pq" fingerprint doesn't work with Reality (nil ecdhe_key) #2084

Closed SagePtr closed 2 months ago

SagePtr commented 2 months ago

Operating system

Windows

System version

Windows 10 22H2

Installation type

Original sing-box Command Line

If you are using a graphical client, please provide the version of the client.

No response

Version

sing-box version 1.9.4

Environment: go1.22.6 windows/amd64
Tags: with_gvisor,with_quic,with_dhcp,with_wireguard,with_ech,with_utls,with_reality_server,with_acme,with_clash_api
Revision: 3066dfe3b31c0d436766047ab6c363be5c60ff53
CGO: disabled

sing-box version 1.10.0-beta.5

Environment: go1.23.0 windows/amd64
Tags: with_gvisor,with_quic,with_dhcp,with_wireguard,with_ech,with_utls,with_reality_server,with_acme,with_clash_api
Revision: 1332f13ce91e8f15ec67954d242732cbd45e39f8
CGO: disabled

(tested on both)

Description

If I use uTLS fingerprint = "chrome_pq" on the client together with a VLESS+XTLS-Reality server (tested on both Xray and sing-box; it doesn't matter whether flow = "xtls-rprx-vision" or flow = ""), it doesn't work and fails with a "nil ecdhe_key" error. Setting the fingerprint to "chrome", "firefox" or "edge" works without any problem; only "chrome_pq" doesn't work. Also, VLESS+XTLS-Vision or VLESS+TLS works with "chrome_pq" without any problem; it fails only when the "chrome_pq" fingerprint is used together with Reality.

Reproduction

For simplicity of reproduction, run both the sing-box client and the sing-box server on the same machine: the client listens for SOCKS5 and sends to vless-reality, the server listens for vless-reality and outputs to the "direct" outbound. curl is used to perform the request.

Server config:

{
  "log": {
    "level": "debug"
  },
  "inbounds": [
    {
      "type": "vless",
      "listen": "127.0.0.1",
      "listen_port": 1081,
      "users": [
        {
          "uuid": "00112233-4455-6677-8899-aabbccddeeff",
          "flow": ""
        }
      ],
      "tls": {
        "enabled": true,
        "server_name": "cloudflare.com",
        "reality": {
          "enabled": true,
          "handshake": {
            "server": "cloudflare.com",
            "server_port": 443
          },
          "private_key": "CA3HBus3e4CCpLzKVZmf09zdbDG8PcqAjkWZSoEr00c",
          "short_id": [
            "0123456789abcdef"
          ]
        }
      }
    }
  ],
  "outbounds": [
    {
      "type": "direct"
    }
  ]
}

Client config:

{
  "log": {
    "level": "debug"
  },
  "inbounds": [
    {
      "type": "socks",
      "listen": "127.0.0.1",
      "listen_port": 1080
    }
  ],
  "outbounds": [
    {
      "type": "vless",
      "server": "127.0.0.1",
      "server_port": 1081,
      "uuid": "00112233-4455-6677-8899-aabbccddeeff",
      "flow": "",
      "tls": {
        "enabled": true,
        "server_name": "cloudflare.com",
        "reality": {
          "enabled": true,
          "public_key": "19RUco5pNRvlBV2DtwjnbcJW88IRbsi5f7rDGMLkK2E",
          "short_id": "0123456789abcdef"
        },
        "utls": {
          "enabled": true,
          "fingerprint": "chrome_pq"
        }
      }
    }
  ]
}

Curl command which triggers the error:

curl --proxy "socks5h://127.0.0.1:1080/" https://ifconfig.co/

Logs

Curl output:

curl: (35) Recv failure: Connection was aborted

Client log:

INFO[0000] router: updated default interface Network, index 25
INFO[0000] inbound/socks[0]: tcp server started at 127.0.0.1:1080
INFO[0000] sing-box started (0.00s)
INFO[0002] [1171201545 0ms] inbound/socks[0]: inbound connection from 127.0.0.1:60521
INFO[0002] [1171201545 1ms] inbound/socks[0]: inbound connection to ifconfig.co:443
INFO[0002] [1171201545 1ms] outbound/vless[0]: outbound connection to ifconfig.co:443
ERROR[0002] [1171201545 4ms] inbound/socks[0]: process connection from 127.0.0.1:60521: nil ecdhe_key

Server log:

INFO[0000] router: updated default interface Network, index 25
INFO[0000] inbound/vless[0]: tcp server started at 127.0.0.1:1081
INFO[0000] sing-box started (0.11s)
INFO[0004] [2782121937 0ms] inbound/vless[0]: inbound connection from 127.0.0.1:60522
DEBUG[0004] [2782121937 1ms] dns: lookup domain cloudflare.com
DEBUG[0004] [2782121937 23ms] dns: lookup succeed for cloudflare.com: 2606:4700::6810:84e5 2606:4700::6810:85e5 104.16.133.229 104.16.132.229
ERROR[0019] [2782121937 15.9s] inbound/vless[0]: process connection from 127.0.0.1:60522: REALITY: processed invalid connection


nekohasekai commented 2 months ago

Not supported by reality.
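As an added example (not part of this issue and not sing-box's own code): a small Go config check that flags the combination reported above, Reality enabled together with the "chrome_pq" uTLS fingerprint, so a client config can be rejected before deployment instead of failing at connect time with "nil ecdhe_key". It assumes only the JSON keys visible in the report's client config; the struct names, the function `CheckRealityUTLS` and the `realityIncompatibleFingerprints` table are my own, and the table contains just "chrome_pq" because that is the only fingerprint this thread covers.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Minimal view of the sing-box client config: only the fields needed for
// this check. JSON keys follow the config posted in the issue; struct names
// are assumptions made for this example.
type utlsOptions struct {
	Enabled     bool   `json:"enabled"`
	Fingerprint string `json:"fingerprint"`
}

type realityOptions struct {
	Enabled bool `json:"enabled"`
}

type tlsOptions struct {
	Enabled bool            `json:"enabled"`
	Reality *realityOptions `json:"reality"`
	UTLS    *utlsOptions    `json:"utls"`
}

type outbound struct {
	Type string      `json:"type"`
	Tag  string      `json:"tag"`
	TLS  *tlsOptions `json:"tls"`
}

type config struct {
	Outbounds []outbound `json:"outbounds"`
}

// Fingerprints that the issue reports, and the maintainer confirms, do not
// work with Reality. Extend this table only with combinations you have
// verified yourself.
var realityIncompatibleFingerprints = map[string]bool{
	"chrome_pq": true,
}

// CheckRealityUTLS parses a sing-box config and returns one finding per
// outbound that enables Reality together with a uTLS fingerprint Reality
// does not support. A nil, empty result means the config passes this check.
func CheckRealityUTLS(raw []byte) ([]string, error) {
	var cfg config
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, fmt.Errorf("parse config: %w", err)
	}
	var findings []string
	for i, ob := range cfg.Outbounds {
		t := ob.TLS
		if t == nil || !t.Enabled || t.Reality == nil || !t.Reality.Enabled {
			continue // not a Reality outbound
		}
		if t.UTLS == nil || !t.UTLS.Enabled {
			continue // Reality without uTLS is unaffected
		}
		if realityIncompatibleFingerprints[t.UTLS.Fingerprint] {
			name := ob.Tag
			if name == "" {
				name = fmt.Sprintf("%s[%d]", ob.Type, i)
			}
			findings = append(findings, fmt.Sprintf(
				"outbound %s: utls fingerprint %q is not supported with reality (client fails with \"nil ecdhe_key\")",
				name, t.UTLS.Fingerprint))
		}
	}
	return findings, nil
}

// ClientConfigFromIssue is the client config posted in the report, reduced
// to the outbound section this check inspects.
const ClientConfigFromIssue = `{
  "outbounds": [
    {
      "type": "vless",
      "server": "127.0.0.1",
      "server_port": 1081,
      "uuid": "00112233-4455-6677-8899-aabbccddeeff",
      "flow": "",
      "tls": {
        "enabled": true,
        "server_name": "cloudflare.com",
        "reality": {
          "enabled": true,
          "public_key": "19RUco5pNRvlBV2DtwjnbcJW88IRbsi5f7rDGMLkK2E",
          "short_id": "0123456789abcdef"
        },
        "utls": {
          "enabled": true,
          "fingerprint": "chrome_pq"
        }
      }
    }
  ]
}`

func main() {
	// The config as reported: one finding.
	findings, err := CheckRealityUTLS([]byte(ClientConfigFromIssue))
	fmt.Println(findings, err)
	// The same config with the fingerprint switched to "chrome", which the
	// reporter says works: no findings.
	fixed := strings.Replace(ClientConfigFromIssue, `"chrome_pq"`, `"chrome"`, 1)
	findings, err = CheckRealityUTLS([]byte(fixed))
	fmt.Println(findings, err)
}
```

The check deliberately keys on the exact fingerprint name rather than on a "_pq" suffix, since the thread only establishes that "chrome_pq" fails; treating every post-quantum fingerprint as unsupported would be a guess.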