Closed arashammm closed 1 year ago
"alpn": [ "http/1.1" ]
Delete the "alpn" configuration block (the default is as follows), or try changing it to the following:
"alpn": [ "h2", "http/1.1" ]
Thanks for the help, but since I'm just investigating the client hello, I don't think this part has anything to do with that. I'm assuming the issue is about using rather old TLS fingerprints?
@arashammm Not sure if this helps https://groups.google.com/g/golang-nuts/c/lBLqbPuh8Rk
Hello there,
I tried to analyze the client hello message on XTLS-RPRX-VISION to further analyze flaws in my configuration.
I noticed that despite setting the TLS version to 1.3 on both client and server, my client side still sends the client hello in TLSv1.1.
Is that normal? Is the client hello TLS protocol always set to 1.1, and then later in the handshake it changes to 1.3? Or can I configure that in the xray config file?
Here is my server side:
...
"streamSettings": {
  "network": "tcp",
  "security": "tls",
  "tlsSettings": {
    "rejectUnknownSni": true,
    "minVersion": "1.3",
    "alpn": [ "http/1.1" ],
    ....
Here is my client side:
...
"streamSettings": {
  "network": "tcp",
  "security": "tls",
  "tlsSettings": {
    "serverName": "my sni",
    "minVersion": "1.3",
    "allowInsecure": false,
    "fingerprint": "random"
    ....
Yes, it is intended.
For TLS 1.3, the record layer could be set to TLS 1.0 or TLS 1.2.
See here: https://www.analysisman.com/2021/06/wireshark-tls1.2.html?m=1
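An added example (not part of the thread and not Xray's code) that reads the three version fields a capture tool shows for a ClientHello: the record-layer version, the `legacy_version` field, and the `supported_versions` extension that carries the actual TLS 1.3 offer. The function names and the sample bytes are constructed for this illustration; GREASE values (RFC 8701), which browser-like hellos include, are skipped when picking the highest offered version.

```python
import struct

SUPPORTED_VERSIONS = 0x002B  # extension type, RFC 8446 section 4.2.1
NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}


def is_grease(v: int) -> bool:
    """RFC 8701 placeholder values (0x0A0A, 0x1A1A, ...) sent by browser-like hellos."""
    return (v & 0x0F0F) == 0x0A0A and (v >> 8) == (v & 0xFF)


def client_hello_versions(record: bytes) -> dict:
    """Extract the three version fields from a ClientHello held in one TLS record."""
    try:
        ctype, rec_ver, rec_len = struct.unpack_from("!BHH", record, 0)
        hs = record[5:5 + rec_len]
        if ctype != 0x16 or len(hs) != rec_len or hs[0] != 0x01:
            raise ValueError("not a complete ClientHello handshake record")
        hello = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        legacy = struct.unpack_from("!H", hello, 0)[0]
        pos = 2 + 32                                        # legacy_version + random
        pos += 1 + hello[pos]                               # legacy_session_id
        pos += 2 + struct.unpack_from("!H", hello, pos)[0]  # cipher_suites
        pos += 1 + hello[pos]                               # legacy_compression_methods
        offered = []
        if pos < len(hello):                                # extensions block present
            end = pos + 2 + struct.unpack_from("!H", hello, pos)[0]
            pos += 2
            while pos + 4 <= end:
                etype, elen = struct.unpack_from("!HH", hello, pos)
                if etype == SUPPORTED_VERSIONS:
                    data = hello[pos + 4:pos + 4 + elen]
                    offered = [struct.unpack_from("!H", data, i)[0]
                               for i in range(1, 1 + data[0], 2)]
                pos += 4 + elen
    except (struct.error, IndexError) as exc:
        raise ValueError("truncated ClientHello") from exc
    real = [v for v in offered if not is_grease(v)]
    return {"record": rec_ver, "legacy": legacy, "offered": offered,
            "highest": NAMES.get(max(real) if real else legacy, "unknown")}


def sample_client_hello() -> bytes:
    """Constructed TLS 1.3-style hello: record 0x0301, legacy 0x0303, one GREASE value."""
    ext = (struct.pack("!HHB", SUPPORTED_VERSIONS, 7, 6)
           + struct.pack("!HHH", 0x2A2A, 0x0304, 0x0303))
    hello = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00" + struct.pack("!HH", 2, 0x1301)
             + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 0x16, 0x0301, len(hs)) + hs
```

For the constructed sample, the record layer reads 0x0301 (TLS 1.0) and `legacy_version` reads 0x0303 (TLS 1.2), while the highest version actually offered is TLS 1.3.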
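First, the title was wrong: it sends 1.0, and I have corrected it for you. Second, this is the behavior recommended by RFC 8446: https://www.rfc-editor.org/rfc/rfc8446#section-5.1
To the group:
Actually, the first line of the REALITY example text is about exactly this, dest pointing to Nginx on the local machine:
If REALITY is used in place of TLS, the server-side TLS fingerprint characteristics can be eliminated, forward secrecy and so on are retained, and certificate chain attacks are ineffective; the security exceeds that of regular TLS
Also, the client must enable fingerprint emulation and must not use Go's fingerprint; see https://github.com/XTLS/Xray-core/discussions/1773#discussioncomment-5276077
It really does beat everything in sight, and that is no exaggeration
@RPRX come and chat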