XTLS / Xray-core

Xray, Penetrates Everything. Also the best v2ray-core, with XTLS support. Fully compatible configuration.
https://t.me/projectXray
Mozilla Public License 2.0
25.48k stars 3.94k forks

TLS Version set to 1.3 but the xray client sends 1.0 #1781

Closed arashammm closed 1 year ago

arashammm commented 1 year ago

Hello there,

So I tried to analyze the client hello message on XTLS-RPRX-VISION to further analyze flaws in my configuration.

I noticed that despite setting the TLS version to 1.3 on both client and server, my client side still sends the client hello in TLSv1.1.

[Screenshot: Screen Shot 2023-03-12 at 11 40 56 PM]

Is that something normal? Is the client hello TLS protocol always set to 1.1 and then later in the handshake it changes to 1.3? Or can I configure that in the xray config file?

Here is my server side:

... "streamSettings": { "network": "tcp", "security": "tls", "tlsSettings": { "rejectUnknownSni": true, "minVersion": "1.3", "alpn": [ "http/1.1" ], ....

Here is my client side:

... "streamSettings": { "network": "tcp", "security": "tls", "tlsSettings": { "serverName": "my sni", "minVersion": "1.3", "allowInsecure": false, "fingerprint": "random" ....

lxhao61 commented 1 year ago
          "alpn": [
            "http/1.1"
          ]

Delete it, or try changing it to the default as below:

          "alpn": [
            "h2", 
            "http/1.1"
          ]
arashammm commented 1 year ago
          "alpn": [
            "http/1.1"
          ]

Delete the "alpn" configuration block (the default is as follows) or try as follows

          "alpn": [
            "h2", 
            "http/1.1"
          ]

Thanks for the help. But since I'm just investigating the client hello, I don't think this part has anything to do with that. I'm assuming the issue is about using rather old TLS fingerprints?

SakuraSakuraSakuraChan commented 1 year ago

@arashammm Not sure if this helps https://groups.google.com/g/golang-nuts/c/lBLqbPuh8Rk

cross-hello commented 1 year ago

Yes, it is intended.

For TLS 1.3, the record layer version could be set to TLS 1.0 or TLS 1.2.

See here: https://www.analysisman.com/2021/06/wireshark-tls1.2.html?m=1

RPRX commented 1 year ago

First, the title was wrong: it sends 1.0, and I fixed it for you. Second, this is the behavior recommended by RFC 8446: https://www.rfc-editor.org/rfc/rfc8446#section-5.1
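What the capture in this issue is showing, as an added example that is not code from the Xray project: a small parser for the three version fields a TLS 1.3 ClientHello carries. The record-layer version that Wireshark labels the frame with may be 0x0301 for the initial ClientHello (RFC 8446 §5.1), the handshake's legacy_version is fixed at 0x0303, and the real offer lives in the supported_versions extension. The ClientHello bytes are constructed inline for the demonstration, not captured from an Xray client.

```python
import struct

VERSION_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}


def build_sample_client_hello() -> bytes:
    """Constructed sample (not a real capture): a minimal TLS 1.3 ClientHello."""
    # supported_versions (type 43): list length 2, one entry 0x0304 (TLS 1.3)
    supported_versions = b"\x00\x2b" + struct.pack("!H", 3) + b"\x02" + b"\x03\x04"
    extensions = struct.pack("!H", len(supported_versions)) + supported_versions
    body = (b"\x03\x03"             # legacy_version: always 0x0303 in TLS 1.3
            + b"\x00" * 32          # random (constructed, all zero)
            + b"\x00"               # legacy_session_id: empty
            + b"\x00\x02\x13\x01"   # cipher_suites: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"           # legacy_compression_methods: null only
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # client_hello(1)
    # Record header: content type handshake(22), legacy_record_version 0x0301
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello_versions(record: bytes) -> dict:
    """Return record-layer version, legacy_version and supported_versions names."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    record_version = struct.unpack("!H", record[1:3])[0]
    hs = record[5:]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    legacy_version = struct.unpack("!H", hs[4:6])[0]
    pos = 6 + 32                                   # skip random
    pos += 1 + hs[pos]                             # skip legacy_session_id
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2 + cs_len                              # skip cipher_suites
    pos += 1 + hs[pos]                             # skip compression methods
    ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    supported = []
    while pos < end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        if etype == 43:                            # supported_versions
            n = hs[pos]
            supported = [struct.unpack("!H", hs[pos + 1 + i:pos + 3 + i])[0]
                         for i in range(0, n, 2)]
        pos += elen
    return {"record_layer": VERSION_NAMES.get(record_version, hex(record_version)),
            "legacy_version": VERSION_NAMES.get(legacy_version, hex(legacy_version)),
            "supported_versions": [VERSION_NAMES.get(v, hex(v)) for v in supported]}
```

Running the parser over the sample gives record_layer "TLS 1.0" and legacy_version "TLS 1.2" while supported_versions is ["TLS 1.3"], which is why a "TLSv1.0" label on the first record says nothing about the version that is actually negotiated.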

RPRX commented 1 year ago

To the group:

Actually, the very first line of the REALITY example text already says that dest points to the local machine's Nginx:

If REALITY is used instead of TLS, the server-side TLS fingerprint can be eliminated, forward secrecy and so on are retained, and certificate-chain attacks are ineffective; the security surpasses regular TLS.

Also, the client must enable fingerprint emulation and must not use Go's fingerprint; see https://github.com/XTLS/Xray-core/discussions/1773#discussioncomment-5276077

"Beats heaven, beats earth, beats thin air" really is no exaggeration.

csryt commented 1 year ago

@RPRX Come and chat in the group!