SagerNet / sing-box

The universal proxy platform
https://sing-box.sagernet.org/

xtls-rprx-vision: intermittent SSL errors #401

Closed ghost closed 1 year ago

ghost commented 1 year ago

Welcome

Description of the problem

When using VLESS + tcp + xtls-rprx-vision, I ran into TLS handshake failures, similar to https://github.com/XTLS/Xray-core/issues/1444

Sometimes the browser reports a certificate error, and sometimes the page just never finishes loading. (Xray-core works fine.)

Version of sing-box

```console
$ sing-box version
sing-box: 1.2-beta5
Neko: N/A
sing-box version 1.2-beta5
Environment: go1.20 linux/amd64
Tags: with_gvisor,with_quic,with_wireguard,with_utls,with_v2ray_api,with_grpc
Revision: f66d63b59783384a5b9763a60344ba80bf0dcf3b
CGO: enabled
```

The core I'm using has been patched by the project "next door"; if this turns out to be their problem, I'll close this.

Server and client configuration file

server: xray v1.7.5

```console
$ cat /usr/local/etc/xray/config.json
```

```json
{
  "routing": {
    "routing": {
      "domainStrategy": "IPIfNonMatch",
      "domainMatcher": "hybrid",
      "rules": [
        { "type": "field", "domain": [ "geosite:cn" ], "outboundTag": "warp" },
        { "type": "field", "ip": [ "geoip:cn" ], "outboundTag": "warp" },
        { "type": "field", "domain": [ "geosite:openai" ], "outboundTag": "warp" }
      ]
    }
  },
  "dns": {
    "servers": [
      "https://one.one.one.one/dns-query",
      "https://8888.google/dns-query"
    ]
  },
  "inbounds": [
    {
      "port": 443,
      "protocol": "vless",
      "settings": {
        "clients": [
          { "id": "uuid", "level": 1, "flow": "xtls-rprx-vision,none" }
        ],
        "fallbacks": [
          { "alpn": "h2", "dest": 54249 },
          { "alpn": "http/1.1", "dest": 80 }
        ],
        "decryption": "none"
      },
      "streamSettings": {
        "network": "tcp",
        "security": "tls",
        "tlsSettings": {
          "certificates": [
            {
              "certificateFile": "/usr/local/etc/xray/cert.crt",
              "keyFile": "/usr/local/etc/xray/key.key"
            }
          ]
        }
      }
    },
    {
      "listen": "127.0.0.1",
      "port": 50274,
      "protocol": "vmess",
      "settings": {
        "clients": [ { "id": "uuid", "level": 1, "alterId": 0 } ]
      },
      "streamSettings": {
        "network": "ws",
        "wsSettings": { "path": "/path" }
      }
    }
  ],
  "outbounds": [
    { "protocol": "freedom", "tag": "direct" },
    { "protocol": "blackhole", "tag": "block" },
    {
      "protocol": "wireguard",
      "settings": {
        "secretKey": "...",
        "address": [ "172.16.0.2/32", "2606:4700:110:8949:fed8:2642:a640:c8e1/128" ],
        "peers": [
          { "publicKey": "...", "endpoint": "engage.cloudflareclient.com:2408" }
        ]
      },
      "tag": "warp"
    }
  ]
}
```

client:

```json
{
  "dns": {
    "rules": [
      {
        "domain": [],
        "domain_keyword": [],
        "domain_regex": [],
        "domain_suffix": [],
        "geosite": [ "cn" ],
        "server": "dns-direct"
      }
    ],
    "servers": [
      {
        "address": "https://8888.google/dns-query",
        "address_resolver": "dns-underlying",
        "detour": "proxy",
        "strategy": "",
        "tag": "dns-remote"
      },
      {
        "address": "underlying://0.0.0.0",
        "address_resolver": "dns-underlying",
        "detour": "direct",
        "strategy": "",
        "tag": "dns-direct"
      },
      {
        "address": "underlying://0.0.0.0",
        "detour": "direct",
        "tag": "dns-underlying"
      }
    ]
  },
  "inbounds": [
    {
      "listen": "127.0.0.1",
      "listen_port": 2080,
      "sniff": true,
      "sniff_override_destination": false,
      "tag": "mixed-in",
      "type": "mixed"
    }
  ],
  "log": { "level": "trace" },
  "outbounds": [
    {
      "domain_strategy": "",
      "flow": "xtls-rprx-vision",
      "network": "tcp",
      "packet_encoding": "xudp",
      "server": "server",
      "server_port": 443,
      "tag": "proxy",
      "tls": {
        "alpn": [ "h2", "http/1.1" ],
        "enabled": true,
        "server_name": "server.com"
      },
      "type": "vless",
      "uuid": "uuid"
    },
    { "tag": "direct", "type": "direct" },
    { "tag": "bypass", "type": "direct" },
    { "tag": "block", "type": "block" },
    { "tag": "dns-out", "type": "dns" }
  ],
  "route": {
    "auto_detect_interface": true,
    "final": "proxy",
    "geoip": { "path": "/opt/nekoray/geoip.db" },
    "geosite": { "path": "/opt/nekoray/geosite.db" },
    "rules": [
      { "outbound": "dns-out", "protocol": "dns" },
      { "geoip": [ "cn", "private" ], "ip_cidr": [], "outbound": "bypass" },
      {
        "domain": [],
        "domain_keyword": [],
        "domain_regex": [],
        "domain_suffix": [],
        "geosite": [ "cn" ],
        "outbound": "bypass"
      }
    ]
  }
}
```

Server and client log file

DEBUG[0044] [3374732906] inbound/mixed[mixed-in]: connection closed: process connection from 127.0.0.1:16276: upload: EOF | download: read tcp [ip]:64494->[ip]:443: use of closed network connection | upstream: context canceled
DEBUG[0044] [1949758800] inbound/mixed[mixed-in]: connection closed: process connection from 127.0.0.1:38090: upload: EOF | download: read tcp [ip]:42516->[ip]:443: use of closed network connection | upstream: context canceled
DEBUG[0044] [3121685569] inbound/mixed[mixed-in]: connection closed: process connection from 127.0.0.1:38102: download: read tcp [ip]:42520->[ip]:443: use of closed network connection | upload: read tcp 127.0.0.1:2080->127.0.0.1:38102: use of closed network connection | upstream: context canceled
DEBUG[0044] [1903964935] inbound/mixed[mixed-in]: connection closed: process connection from 127.0.0.1:37208: download: read tcp [ip]:6190->[ip]:443: use of closed network connection | upload: read tcp 127.0.0.1:2080->127.0.0.1:37208: use of closed network connection | upstream: context canceled
INFO[0000] router: using vless[proxy] as default outbound for connection
INFO[0000] router: using direct[direct] as default outbound for packet connection
INFO[0000] router: loaded geoip database: 250 codes
INFO[0000] router: loaded geosite database: 1362 codes
INFO[0000] router: updated default interface wlp3s0, index 3
INFO[0000] inbound/mixed[mixed-in]: tcp server started at 127.0.0.1:2080
INFO[0000] sing-box started (0.166s)
INFO[0003] [3114740701] inbound/mixed[mixed-in]: inbound connection from 127.0.0.1:63986
INFO[0003] [3114740701] inbound/mixed[mixed-in]: inbound connection to google.com:443
DEBUG[0003] [3114740701] router: sniffed protocol: tls, domain: google.com
INFO[0004] [3114740701] outbound/vless[proxy]: outbound connection to google.com:443
TRACE[0004] outbound/vless[proxy]: XtlsFilterTls found tls client hello! 517
TRACE[0004] outbound/vless[proxy]: XtlsPadding 517 474 0
TRACE[0004] outbound/vless[proxy]: Xtls Unpadding new block 21 6931 padding 0 0
TRACE[0004] outbound/vless[proxy]: XtlsFilterTls found tls 1.3! 1163 4867 true
TRACE[0004] outbound/vless[proxy]: XtlsPadding 74 990 0
TRACE[0004] outbound/vless[proxy]: XtlsPadding 98 1024 2
TRACE[0004] outbound/vless[proxy]: XtlsWrite writeV 0 1127 0
TRACE[0005] outbound/vless[proxy]: Xtls Unpadding new block 5 948 padding 0 2
TRACE[0005] outbound/vless[proxy]: XtlsRead readV
INFO[0005] [1031615206] inbound/mixed[mixed-in]: inbound connection from 127.0.0.1:11098
INFO[0005] [1031615206] inbound/mixed[mixed-in]: inbound connection to alive.github.com:443
DEBUG[0005] [1031615206] router: sniffed protocol: tls, domain: alive.github.com
INFO[0006] [1031615206] outbound/vless[proxy]: outbound connection to alive.github.com:443
TRACE[0006] outbound/vless[proxy]: XtlsFilterTls found tls client hello! 517
TRACE[0006] outbound/vless[proxy]: XtlsPadding 517 661 0
TRACE[0007] outbound/vless[proxy]: Xtls Unpadding new block 21 2048 padding 0 0
TRACE[0007] outbound/vless[proxy]: XtlsFilterTls found tls 1.3! 1163 4867 true
TRACE[0007] outbound/vless[proxy]: Xtls Unpadding new block 5 772 padding 271 0
TRACE[0007] outbound/vless[proxy]: XtlsPadding 64 1003 0
TRACE[0007] outbound/vless[proxy]: XtlsPadding 1096 57 2
TRACE[0007] outbound/vless[proxy]: XtlsWrite writeV 0 1158 0
INFO[0007] [3211094168] inbound/mixed[mixed-in]: inbound connection from 127.0.0.1:11104
INFO[0007] [3211094168] inbound/mixed[mixed-in]: inbound connection to clients4.google.com:443
DEBUG[0007] [3211094168] router: sniffed protocol: tls, domain: clients4.google.com
TRACE[0007] outbound/vless[proxy]: Xtls Unpadding new block 5 158 padding 1116 2
TRACE[0007] outbound/vless[proxy]: XtlsRead readV
INFO[0007] [3211094168] outbound/vless[proxy]: outbound connection to clients4.google.com:443
TRACE[0007] outbound/vless[proxy]: XtlsFilterTls found tls client hello! 775
TRACE[0007] outbound/vless[proxy]: XtlsPadding 775 448 0
TRACE[0008] outbound/vless[proxy]: Xtls Unpadding new block 21 380 padding 987 0
TRACE[0008] outbound/vless[proxy]: XtlsFilterTls found tls 1.3! 380 4867 true
TRACE[0008] outbound/vless[proxy]: XtlsPadding 74 1032 0
TRACE[0008] outbound/vless[proxy]: XtlsPadding 98 1191 2
TRACE[0008] outbound/vless[proxy]: XtlsWrite writeV 0 1294 0
DEBUG[0008] [3211094168] inbound/mixed[mixed-in]: connection closed: process connection from 127.0.0.1:11104: download: EOF | upload: EOF
INFO[0024] [1287447217] inbound/mixed[mixed-in]: inbound connection from 127.0.0.1:17982
INFO[0024] [1287447217] inbound/mixed[mixed-in]: inbound connection to mtalk.google.com:443
DEBUG[0024] [1287447217] router: sniffed protocol: tls, domain: mtalk.google.com
INFO[0025] [1287447217] outbound/vless[proxy]: outbound connection to mtalk.google.com:443
TRACE[0025] outbound/vless[proxy]: XtlsFilterTls found tls client hello! 517
TRACE[0025] outbound/vless[proxy]: XtlsPadding 517 844 0
TRACE[0025] outbound/vless[proxy]: Xtls Unpadding new block 21 6763 padding 0 0
TRACE[0025] outbound/vless[proxy]: XtlsFilterTls found tls 1.3! 1163 4867 true
TRACE[0025] outbound/vless[proxy]: XtlsPadding 64 1082 0
TRACE[0025] outbound/vless[proxy]: XtlsPadding 246 968 2
TRACE[0025] outbound/vless[proxy]: XtlsWrite writeV 0 1219 0
TRACE[0026] outbound/vless[proxy]: Xtls Unpadding new block 5 535 padding 432 2
TRACE[0026] outbound/vless[proxy]: XtlsRead readV

INFO[0000] router: using vless[proxy] as default outbound for connection
INFO[0000] router: using direct[direct] as default outbound for packet connection
INFO[0000] router: loaded geoip database: 250 codes
INFO[0000] router: loaded geosite database: 1362 codes
INFO[0000] router: updated default interface wlp3s0, index 3
INFO[0000] inbound/mixed[mixed-in]: tcp server started at 127.0.0.1:2080
INFO[0000] sing-box started (0.144s)
INFO[0002] [2966911456] inbound/mixed[mixed-in]: inbound connection from 127.0.0.1:33774
INFO[0002] [2966911456] inbound/mixed[mixed-in]: inbound connection to youtube.com:443
DEBUG[0002] [2966911456] router: sniffed protocol: tls, domain: youtube.com
INFO[0003] [2966911456] outbound/vless[proxy]: outbound connection to youtube.com:443
TRACE[0003] outbound/vless[proxy]: XtlsFilterTls found tls client hello! 517
TRACE[0003] outbound/vless[proxy]: XtlsPadding 517 676 0
TRACE[0003] outbound/vless[proxy]: Xtls Unpadding new block 21 6931 padding 0 0
TRACE[0003] outbound/vless[proxy]: XtlsFilterTls found tls 1.3! 1163 4867 true
TRACE[0003] outbound/vless[proxy]: XtlsPadding 74 1056 0
TRACE[0003] outbound/vless[proxy]: XtlsPadding 98 1183 2
TRACE[0003] outbound/vless[proxy]: XtlsWrite writeV 0 1286 0
TRACE[0004] outbound/vless[proxy]: Xtls Unpadding new block 5 950 padding 0 2
TRACE[0004] outbound/vless[proxy]: XtlsRead readV
INFO[0010] [223234346] inbound/mixed[mixed-in]: inbound connection from 127.0.0.1:54326
INFO[0010] [223234346] inbound/mixed[mixed-in]: inbound connection to mtalk.google.com:443
DEBUG[0010] [223234346] router: sniffed protocol: tls, domain: mtalk.google.com
INFO[0011] [223234346] outbound/vless[proxy]: outbound connection to mtalk.google.com:443
TRACE[0011] outbound/vless[proxy]: XtlsFilterTls found tls client hello! 517
TRACE[0011] outbound/vless[proxy]: XtlsPadding 517 757 0
TRACE[0011] outbound/vless[proxy]: Xtls Unpadding new block 21 6762 padding 0 0
TRACE[0011] outbound/vless[proxy]: XtlsFilterTls found tls 1.3! 1163 4867 true
TRACE[0011] outbound/vless[proxy]: XtlsPadding 64 941 0
TRACE[0011] outbound/vless[proxy]: XtlsPadding 246 936 2
TRACE[0011] outbound/vless[proxy]: XtlsWrite writeV 0 1187 0
TRACE[0011] outbound/vless[proxy]: Xtls Unpadding new block 5 535 padding 434 2
TRACE[0011] outbound/vless[proxy]: XtlsRead readV

The Wireshark capture has been sent by email.

nekohasekai commented 1 year ago

What is "next door"?

ghost commented 1 year ago

> What is "next door"?

https://github.com/MatsuriDayo/nekoray

I don't know where the specific library lives either. I only know the build happens in go/cmd/nekobox_core.

nekohasekai commented 1 year ago

Please use the latest commit on both the server and the client.

ghost commented 1 year ago

@nekohasekai The server side doesn't seem to have a flow option, so I haven't switched it yet. Does the server side adapt automatically?

After updating the client to the latest version, the problem is still the same. Before, refreshing once or twice was enough; after the update it takes many refreshes before a page opens.

Client information

```console
$ ./sing-box version
sing-box version 1.2-beta5

Environment: go1.20 linux/amd64
Tags: with_gvisor,with_quic,with_wireguard,with_utls,with_v2ray_api,with_grpc
Revision: dd0a07624edd45c8c52d196c664863214fdc0249
CGO: enabled
```

Gzxhwq commented 1 year ago

The server side does have flow, and it is enforced.

ghost commented 1 year ago

@Gzxhwq Then is the server-side flow xtls-rprx-vision or xtls-rprx-vision,none? Please improve the documentation.

Gzxhwq commented 1 year ago

Only xtls-rprx-vision. sing-box has no xtls-rprx-vision,none form, and the next xray version will remove that usage as well.

ghost commented 1 year ago

@Gzxhwq No, the server side has to be filled in manually; I'll fix the documentation in a moment.

@nekohasekai The problem is resolved (sing-box + xray / sing-box + sing-box).
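The thread ends with the actual cause: the client outbound requested `xtls-rprx-vision` while the server-side user had no matching `flow`, and sing-box does not understand xray's `xtls-rprx-vision,none` list form. The following is an added example, not code from sing-box or from anyone in this issue. It is a small offline consistency check that loads a client and a server sing-box config, pairs each VLESS outbound with the server user it authenticates as (by uuid), and reports any flow mismatch or unsupported flow value. The configs are constructed placeholders (uuid, hostnames, certificate paths); the `inbounds[].users[].flow`, `uuid`, `certificate_path` and `key_path` keys follow sing-box's VLESS inbound format as I know it, and `with_server_flow` simply performs the manual server-side edit the last comment describes.

```python
import json
from typing import Dict, List

# Constructed sample configs (not taken from the issue), modelled on the thread:
# the client asks for xtls-rprx-vision while the server user has no flow set.
CLIENT_UUID = "11111111-2222-3333-4444-555555555555"  # placeholder uuid

CLIENT_CONFIG = json.dumps({
    "outbounds": [
        {
            "type": "vless", "tag": "proxy",
            "server": "server.example", "server_port": 443,  # placeholder host
            "uuid": CLIENT_UUID,
            "flow": "xtls-rprx-vision",
            "tls": {"enabled": True, "server_name": "server.example"},
        },
        {"type": "direct", "tag": "direct"},
    ]
})

SERVER_CONFIG = json.dumps({
    "inbounds": [
        {
            "type": "vless", "tag": "vless-in",
            "listen": "::", "listen_port": 443,
            # flow deliberately absent on the user: the misconfiguration from the thread
            "users": [{"name": "user", "uuid": CLIENT_UUID}],
            "tls": {
                "enabled": True, "server_name": "server.example",
                "certificate_path": "/placeholder/cert.crt",  # placeholder paths
                "key_path": "/placeholder/key.key",
            },
        }
    ]
})

# sing-box knows exactly one vision flow value; an empty string means "no flow".
VALID_FLOWS = {"", "xtls-rprx-vision"}


def server_user_flows(server: dict) -> Dict[str, str]:
    """Map each uuid declared on a vless inbound to the flow set for that user."""
    flows: Dict[str, str] = {}
    for inbound in server.get("inbounds", []):
        if inbound.get("type") != "vless":
            continue
        for user in inbound.get("users", []):
            flows[user.get("uuid", "")] = user.get("flow", "")
    return flows


def check_vless_flow(client_json: str, server_json: str) -> List[str]:
    """Return one finding per vless outbound whose flow does not line up with the
    server-side user it authenticates as. An empty list means the pair is consistent."""
    client = json.loads(client_json)
    flows = server_user_flows(json.loads(server_json))
    findings: List[str] = []
    for outbound in client.get("outbounds", []):
        if outbound.get("type") != "vless":
            continue
        tag = outbound.get("tag", "<untagged>")
        flow = outbound.get("flow", "")
        if "," in flow:
            # The "xtls-rprx-vision,none" list form discussed in the thread is
            # an xray spelling that sing-box does not accept.
            findings.append(f"{tag}: comma-separated flow {flow!r} is not a sing-box value")
            continue
        if flow not in VALID_FLOWS:
            findings.append(f"{tag}: unknown flow {flow!r}")
            continue
        uuid = outbound.get("uuid", "")
        if uuid not in flows:
            findings.append(f"{tag}: uuid not declared on any server vless inbound")
            continue
        if flows[uuid] != flow:
            findings.append(
                f"{tag}: client flow {flow!r} but server user flow {flows[uuid]!r}; "
                "the server side must set the same flow explicitly"
            )
    return findings


def with_server_flow(server_json: str, uuid: str, flow: str) -> str:
    """Return a copy of the server config with `flow` set on the user with `uuid`,
    i.e. the manual server-side edit the thread ends with."""
    server = json.loads(server_json)
    for inbound in server.get("inbounds", []):
        if inbound.get("type") != "vless":
            continue
        for user in inbound.get("users", []):
            if user.get("uuid") == uuid:
                user["flow"] = flow
    return json.dumps(server, indent=2)


if __name__ == "__main__":
    for finding in check_vless_flow(CLIENT_CONFIG, SERVER_CONFIG):
        print("mismatch:", finding)
    fixed = with_server_flow(SERVER_CONFIG, CLIENT_UUID, "xtls-rprx-vision")
    print("after fix:", check_vless_flow(CLIENT_CONFIG, fixed) or "consistent")
```

Run against real files by replacing the two constructed strings with the contents of the client and server configs; a non-empty result before any TLS debugging is the first thing to rule out, since a flow mismatch produces exactly the kind of intermittent handshake failure reported above rather than a clean connection error.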