SagerNet / sing-box

The universal proxy platform
https://sing-box.sagernet.org/

SSL connection failure #726

Closed sbilly closed 1 year ago

sbilly commented 1 year ago

Welcome

Description of the problem

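When using clash + sing-box to access some SSL sites, an SSL protocol error occurs and the original website cannot be reached. Accessing the sites directly without a proxy, or using clash + xray, works normally. tcp/8118 is the service provided by clash.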

Version of sing-box

```console
$ sing-box version
sing-box version 1.3.1-rc.1

Environment: go1.20.6 linux/amd64
Tags: with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_reality_server,with_clash_api
Revision: 1c3ce1b3ae66a05468919cc9040094a06da33bda
CGO: disabled
```

Server and client configuration file

server

```console
{
  "log": {
    "disabled": false,
    "level": "info",
    "output": "/var/log/sing-box/sing-box.log",
    "timestamp": true
  },
  "dns": {
    "servers": [
      {
        "tag": "local",
        "address": "local",
        "detour": "direct"
      }
    ],
    "rules": [],
    "final": "local",
    "strategy": "prefer_ipv4",
    "disable_cache": false,
    "disable_expire": false,
    "independent_cache": false,
    "reverse_mapping": false,
    "fakeip": {
      "enabled": false,
      "inet4_range": "198.18.0.0/15",
      "inet6_range": "fc00::/18"
    }
  },
  "inbounds": [
    {
      "type": "socks",
      "tag": "socks-inbound-1080",
      "listen": "127.0.0.1",
      "listen_port": 1080,
      "tcp_fast_open": false,
      "udp_fragment": false,
      "sniff": false,
      "sniff_override_destination": false,
      "sniff_timeout": "300ms",
      "domain_strategy": "prefer_ipv4",
      "udp_timeout": 300,
      "proxy_protocol": false,
      "proxy_protocol_accept_no_header": false,
      "users": []
    },
    {
      "type": "vmess",
      "tag": "vmess-inbound-19873",
      "listen": "0.0.0.0",
      "listen_port": 19873,
      "tcp_fast_open": true,
      "udp_fragment": true,
      "sniff": true,
      "sniff_override_destination": false,
      "sniff_timeout": "300ms",
      "domain_strategy": "prefer_ipv4",
      "udp_timeout": 300,
      "proxy_protocol": false,
      "proxy_protocol_accept_no_header": false,
      "users": [
        {
          "name": "...",
          "uuid": "...",
          "alterId": 0
        }
      ]
    },
    {
      "type": "vmess",
      "tag": "vmess-inbound-19874",
      "listen": "0.0.0.0",
      "listen_port": 19874,
      "tcp_fast_open": true,
      "udp_fragment": true,
      "sniff": true,
      "sniff_override_destination": false,
      "sniff_timeout": "300ms",
      "domain_strategy": "prefer_ipv4",
      "udp_timeout": 300,
      "proxy_protocol": false,
      "proxy_protocol_accept_no_header": false,
      "users": [
        {
          "name": "...",
          "uuid": "...",
          "alterId": 0
        }
      ],
      "tls": {
        "enabled": true,
        "server_name": "who.com",
        "alpn": ["http/1.1"],
        "min_version": "1.2",
        "max_version": "1.3",
        "cipher_suites": [],
        "certificate": "...",
        "key": "...",
        "acme": {}
      },
      "transport": {
        "type": "ws",
        "path": "/yyy/xxx",
        "max_early_data": 0,
        "early_data_header_name": "Sec-WebSocket-Protocol"
      }
    },
    {
      "type": "trojan",
      "tag": "trojan-inbound-19875",
      "listen": "0.0.0.0",
      "listen_port": 19875,
      "tcp_fast_open": true,
      "udp_fragment": true,
      "sniff": true,
      "sniff_override_destination": false,
      "sniff_timeout": "300ms",
      "domain_strategy": "prefer_ipv4",
      "udp_timeout": 300,
      "proxy_protocol": false,
      "proxy_protocol_accept_no_header": false,
      "users": [
        {
          "name": "...",
          "password": "..."
        }
      ],
      "tls": {
        "enabled": true,
        "server_name": "who.com",
        "alpn": ["http/1.1"],
        "min_version": "1.2",
        "max_version": "1.3",
        "cipher_suites": [],
        "certificate": "...",
        "key": "...",
        "acme": {}
      },
      "transport": {
        "type": "ws",
        "path": "/yyy/xxx",
        "max_early_data": 0,
        "early_data_header_name": "Sec-WebSocket-Protocol"
      }
    }
  ],
  "outbounds": [
    {
      "type": "direct",
      "tag": "direct"
    },
    {
      "type": "block",
      "tag": "block"
    }
  ],
  "route": {
    "geoip": {
      "path": "/xxx/conf/geoip.db",
      "download_url": "https://github.com/SagerNet/sing-geoip/releases/latest/download/geoip.db",
      "download_detour": "direct"
    },
    "geosite": {
      "path": "/xxx/conf/geosite.db",
      "download_url": "https://github.com/SagerNet/sing-geosite/releases/latest/download/geosite.db",
      "download_detour": "direct"
    },
    "rules": [
      {
        "ip_cidr": [
          "0.0.0.0/8",
          "10.0.0.0/8",
          "100.64.0.0/10",
          "127.0.0.0/8",
          "169.254.0.0/16",
          "172.16.0.0/12",
          "192.0.0.0/24",
          "192.0.2.0/24",
          "192.168.0.0/16",
          "198.18.0.0/15",
          "198.51.100.0/24",
          "203.0.113.0/24",
          "::1/128",
          "fc00::/7",
          "fe80::/10"
        ],
        "geosite": ["category-ads"],
        "outbound": "block"
      }
    ],
    "final": "direct"
  },
  "experimental": {}
}
```

client

```console
- name: "trojan.public"
  type: trojan
  server: "..."
  port: 19875
  password: "..."
  udp: false
  skip-cert-verify: true
  alpn:
    - h2
    - http/1.1
  sni: microsoft.com
  # udp: true
  # tls: true
  # skip-cert-verify: true
  # servername: example.com # priority over wss host
  # network: ws
  # ws-path: /path
  # ws-headers:
  #   Host: v2ray.com
- name: "vmess.cloudflare"
  type: vmess
  server: "who.com"
  port: 443
  uuid: "..."
  alterId: 0
  cipher: zero
  udp: true
  tls: true
  skip-cert-verify: true
  # servername: example.com # priority over wss host
  network: ws
  ws-opts:
    path: /xxx/yyy
    headers:
      Host: who.com
```

Server and client log file

```console
$ HTTP_PROXY=http://127.0.0.1:8118/ HTTPS_PROXY=http://127.0.0.1:8118 curl https://www.edureka.co/community/82700/response-daemon-https-registry-docker-connection-refused -Iv
* Uses proxy env variable HTTPS_PROXY == 'http://127.0.0.1:8118'
* Trying 127.0.0.1:8118...
* Connected to 127.0.0.1 (127.0.0.1) port 8118 (#0)
* allocate connect buffer
* Establish HTTP proxy tunnel to www.edureka.co:443
> CONNECT www.edureka.co:443 HTTP/1.1
> Host: www.edureka.co:443
> User-Agent: curl/7.88.1
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
HTTP/1.1 200 Connection established
<
* CONNECT phase completed
* CONNECT tunnel established, response 200
* ALPN: offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/cert.pem
* CApath: none
* LibreSSL/3.3.6: error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version
* Closing connection 0
curl: (35) LibreSSL/3.3.6: error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version
```

sbilly commented 1 year ago

Can anyone suggest an approach to solving this?

sbilly commented 1 year ago

It was marked as invalid. Is this not a sing-box issue?