XTLS / Xray-core

Xray, Penetrates Everything. Also the best v2ray-core, with XTLS support. Fully compatible configuration.
https://t.me/projectXray
Mozilla Public License 2.0

freedom TLS connection to the server fails #3486

Closed liushengqi000 closed 2 months ago

liushengqi000 commented 3 months ago

Integrity requirements

Version

1.8.16

Description

Implementing a local TLS re-encryption function. The same configuration file works normally under Xray 1.8.4; 1.8.13 reports remote error: tls: unexpected message.

1.8.4


curl -vvl -k -x socks5://127.0.0.1:1080 https://www.baidu.com --resolve www.baidu.com:443:103.235.46.96
* Added www.baidu.com:443:103.235.46.96 to DNS cache
*   Trying 127.0.0.1:1080...
* Hostname www.baidu.com was found in DNS cache
* SOCKS5 connect to IPv4 103.235.46.96:443 (locally resolved)
* SOCKS5 request granted.
* Connected to (nil) (127.0.0.1) port 1080 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=www.baidu.com
*  start date: Jun 30 04:34:43 2024 GMT
*  expire date: Jun 30 06:34:43 2024 GMT
*  issuer: C=CN; ST=a; L=a; O=a; CN=a
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET / HTTP/1.1
> Host: www.baidu.com
> User-Agent: curl/7.81.0
> Accept: */*
> 
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Bdpagetype: 1
< Bdqid: 0xb0a53799001adf34
< Connection: keep-alive
< Content-Length: 403162
< Content-Type: text/html; charset=utf-8
< Date: Sun, 30 Jun 2024 05:34:43 GMT
< Server: BWS/1.1
< Set-Cookie: BIDUPSID=6642B0F0037D6EE43B0F92603FAAEF3D; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
< Set-Cookie: PSTM=1719725683; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
< Set-Cookie: H_PS_PSSID=60272_60338_60346_60359_60376; path=/; expires=Mon, 30-Jun-25 05:34:43 GMT; domain=.baidu.com
< Set-Cookie: BDSVRTM=2; path=/
< Set-Cookie: BD_HOME=1; path=/
< Set-Cookie: BAIDUID=6642B0F0037D6EE43B0F92603FAAEF3D:FG=1; Path=/; Domain=baidu.com; Max-Age=31536000
< Set-Cookie: BAIDUID_BFESS=6642B0F0037D6EE43B0F92603FAAEF3D:FG=1; Path=/; Domain=baidu.com; Max-Age=31536000; Secure; SameSite=None
< Traceid: 1719725683061326541812728641052103860020
< Vary: Accept-Encoding
< X-Ua-Compatible: IE=Edge,chrome=1
< X-Xss-Protection: 1;mode=block
< 
* TLSv1.2 (IN), TLS header, Supplemental data (23):

1.8.13


curl -vvl -k -x socks5://127.0.0.1:1080 https://www.baidu.com --resolve www.baidu.com:443:103.235.46.96
* Added www.baidu.com:443:103.235.46.96 to DNS cache
*   Trying 127.0.0.1:1080...
* Hostname www.baidu.com was found in DNS cache
* SOCKS5 connect to IPv4 103.235.46.96:443 (locally resolved)
* SOCKS5 request granted.
* Connected to (nil) (127.0.0.1) port 1080 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=www.baidu.com
*  start date: Jun 30 05:25:23 2024 GMT
*  expire date: Jun 30 07:25:23 2024 GMT
*  issuer: C=CN; ST=a; L=a; O=a; CN=a
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET / HTTP/1.1
> Host: www.baidu.com
> User-Agent: curl/7.81.0
> Accept: */*
> 
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS alert, unexpected_message (522):
* OpenSSL SSL_read: error:0A0001BB:SSL routines::bad record type, errno 0
* Closing connection 0
curl: (56) OpenSSL SSL_read: error:0A0001BB:SSL routines::bad record type, errno 0

Steps to reproduce

1.8.4 works normally; 1.8.13 errors consistently.

Client configuration

Contains no private information; can be used directly.


{
  "log":{
    "access": "./log/access.log",
    "error": "./log/error.log",
    "loglevel": "debug"
  },
  "dns": {
    "hosts": {
      "domain:www.baidu.com":"103.235.46.96"
    }
  },
  "inbounds": [{
    "port": 1080,
    "listen": "127.0.0.1",
    "tag": "socks-proxy",
    "protocol": "socks",
    "settings": {
      "auth": "noauth",
      "udp": true,
      "ip" : "127.0.0.1"
    },
    "sniffing": {
      "enabled": true,
      "destOverride": ["http", "tls"]
    }
  },{
    "port": 1090,
    "listen": "127.0.0.1",
    "tag": "modifySNI-in",
    "protocol": "dokodemo-door",
    "settings": {
      "network": "tcp",
      "address": "127.0.0.1",
      "port": 80,
      "followRedirect": true
    },
    "sniffing": {
      "enabled": true,
      "destOverride": ["http", "tls"]
    },
    "streamSettings": {
      "security": "tls",
      "tlsSettings": {
        "alpn": ["http/1.1"],
        "certificates": [
          {
            "usage": "issue",
            "certificate": [
              "-----BEGIN CERTIFICATE-----",
              "MIICDDCCAXWgAwIBAgIUYtSxDhyshKRU0Xc/vevplUso6iYwDQYJKoZIhvcNAQEE",
              "BQAwJjELMAkGA1UEAwwCYXExCjAIBgNVBAoMAWExCzAJBgNVBAYTAkNOMB4XDTI0",
              "MDYwMzAwNDUwMFoXDTI0MDcwMTIxMjUwMFowPTELMAkGA1UEBhMCQ04xCjAIBgNV",
              "BAgMAWExCjAIBgNVBAcMAWExCjAIBgNVBAoMAWExCjAIBgNVBAMMAWEwgZ8wDQYJ",
              "KoZIhvcNAQEBBQADgY0AMIGJAoGBALcxIsrprF/zpYyD7xVB6nIjFOu7rNANGe4o",
              "nM6rUOJGupaGdBc064NB9kU81lJnseXoRMa0C36/lZAFxWCvqrppWLCSVDvefJ44",
              "HJV9EvI0clWssLrGeGTKn0LDN969sCHuqQ8qT3ysiFPvqyEFZfKMULO5wKpPfo+2",
              "lNOUwqCLAgMBAAGjIDAeMAsGA1UdEQQEMAKCADAPBgNVHRMBAf8EBTADAQH/MA0G",
              "CSqGSIb3DQEBBAUAA4GBAEsk97oG5P4kNn0hUj1/gvQbjOfYn3iX5LEOfQOCZ9tM",
              "K7q61yCSYEafLFmrMU/lHHtdaaZExWNsIeor/6K0LUcWD66pgnhNQeXeIAV9EvLa",
              "dItomoN54O+YRtahsEQ7PnBftu+XjZiLh7pvI1f3Ln2WNifIQf5M2hY3/VutnuQZ",
              "-----END CERTIFICATE-----"
            ],
            "key": [
              "-----BEGIN PRIVATE KEY-----",
              "MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBALcxIsrprF/zpYyD",
              "7xVB6nIjFOu7rNANGe4onM6rUOJGupaGdBc064NB9kU81lJnseXoRMa0C36/lZAF",
              "xWCvqrppWLCSVDvefJ44HJV9EvI0clWssLrGeGTKn0LDN969sCHuqQ8qT3ysiFPv",
              "qyEFZfKMULO5wKpPfo+2lNOUwqCLAgMBAAECgYByGKZk3xk/Qc8QL3QPN1i/8d2r",
              "3N4LTr2huaXAiq7737WC3wcbFRjCTakHApcyB+ejHAEKCUVHkiei5hVC3OZl2fv4",
              "cKpd9B76Kkx61OhBzrzlsQj3ov6uy7E9CLzICKZHKOZcqJzJIno6upxZEGtNNLI/",
              "2FDIHS26U13WXksGoQJBAOMHwO19uSsWWUQEM7NHecL+NOVH9aclU1PtimVcmVRo",
              "4pSzK1Hlf5YY/b9WC1hER7MSYz5nMDAXRQsOYYJLqRMCQQDOkVggjJztF/vRJSGx",
              "5IPtQN9nGKNUmDv71J/IE2+fpwFxIZ6PxACUUBIcKxDnq29RNnVxpkP8OFHGeuhB",
              "i1GpAkEAn+bjJKKLW+SmxLgs7dWm1gcTnHW9eJdahF9nPZMlz4T8KX20Qj9hSIeb",
              "mTryTJ3y3hZSXi5xiz2ofGwJk6rUjwJAFRIUWDWfqDujDyFnf3rczi2o3B5SQsXI",
              "kJaOudzprPJfHkgcoXOPz5EfV8o4zjjZgQI6Fp6sHqUsCj/tQwpQCQJBAInIooEo",
              "OCWrhToy8LKByEO/LkR8+plVa0H3qa7GR1wWLnFTB3TLxK4DoxNInqI8okiEH/nV",
              "4ar1qr/HrbxHoB4=",
              "-----END PRIVATE KEY-----"
            ]
          }
        ]
      }
    }
  }],
  "outbounds": [{
    "protocol": "freedom",
    "tag": "direct"
  },
  {
    "protocol": "freedom",
    "settings": {
      "redirect": "127.0.0.1:1090"
    },
    "tag": "redirect"
  },{
    "tag": "modifySNI-www-out",
    "protocol": "freedom",
    "settings": {
      "domainStrategy": "UseIPv4",
      "redirect": ":443"
    },
    "streamSettings": {
      "security": "tls",
      "tlsSettings": {
        "alpn": ["http/1.1"],
        "serverName": "www.baidu.com",
        "allowInsecure": false
      }
    }
  }],
  "routing": {
    "domainStrategy": "AsIs",
    "rules":[{
      "type": "field",
      "inboundTag": ["modifySNI-in"],
      "domain": [
        "domain:www.baidu.com"
      ],
      "outboundTag": "modifySNI-www-out"
    },{
      "type": "field",
      "inboundTag": ["socks-proxy"],
      "domain": [
        "domain:www.baidu.com"
      ],
      "network": "tcp",
      "outboundTag": "redirect"
    }]
  }
}

Server configuration


No server needed

Client logs

1.8.13-error.log


2024/06/30 14:25:20 [Debug] app/log: Logger started
2024/06/30 14:25:20 [Info] app/dns: DNS: created localhost client
2024/06/30 14:25:20 [Debug] app/router: MphDomainMatcher is enabled for 1 domain rule(s)
2024/06/30 14:25:20 [Debug] app/router: MphDomainMatcher is enabled for 1 domain rule(s)
2024/06/30 14:25:20 [Debug] app/proxyman/inbound: creating stream worker on 127.0.0.1:1080
2024/06/30 14:25:20 [Debug] app/proxyman/inbound: creating stream worker on 127.0.0.1:1090
2024/06/30 14:25:20 [Info] transport/internet/tcp: listening TCP on 127.0.0.1:1080
2024/06/30 14:25:20 [Info] transport/internet/udp: listening UDP on 127.0.0.1:1080
2024/06/30 14:25:20 [Info] transport/internet: failed to apply socket options to incoming connection > transport/internet: failed to set IP_TRANSPARENT > operation not permitted
2024/06/30 14:25:20 [Info] transport/internet/tcp: listening TCP on 127.0.0.1:1090
2024/06/30 14:25:20 [Warning] core: Xray 1.8.13 started
2024/06/30 14:25:23 [Info] [2490434064] proxy/socks: TCP Connect request to tcp:103.235.46.96:443
2024/06/30 14:25:23 [Info] [2490434064] app/dispatcher: sniffed domain: www.baidu.com
2024/06/30 14:25:23 [Info] [2490434064] app/dispatcher: taking detour [redirect] for [tcp:www.baidu.com:443]
2024/06/30 14:25:23 [Info] [2490434064] transport/internet/tcp: dialing TCP to tcp:127.0.0.1:1090
2024/06/30 14:25:23 [Debug] transport/internet: dialing to tcp:127.0.0.1:1090
2024/06/30 14:25:23 [Info] [2490434064] proxy/freedom: connection opened to tcp:127.0.0.1:1090, local endpoint 127.0.0.1:41186, remote endpoint 127.0.0.1:1090
2024/06/30 14:25:23 [Info] [937587311] app/proxyman/inbound: failed to get original destination > transport/internet/tcp: unable to get syscall.Conn
2024/06/30 14:25:23 [Debug] [937587311] proxy/dokodemo: processing connection from: 127.0.0.1:41186
2024/06/30 14:25:23 [Info] transport/internet/tls: new certificate for www.baidu.com (expire on 2024-06-30T07:25:23Z) issued
2024/06/30 14:25:23 [Info] [937587311] proxy/dokodemo: received request for 127.0.0.1:41186
2024/06/30 14:25:23 [Info] [937587311] app/dispatcher: sniffed domain: www.baidu.com
2024/06/30 14:25:23 [Info] [937587311] app/dispatcher: taking detour [modifySNI-www-out] for [tcp:www.baidu.com:80]
2024/06/30 14:25:23 [Info] app/dns: returning 1 IP(s) for domain www.baidu.com -> [103.235.46.96]
2024/06/30 14:25:23 [Info] [937587311] proxy/freedom: dialing to tcp:103.235.46.96:443
2024/06/30 14:25:23 [Info] [937587311] transport/internet/tcp: dialing TCP to tcp:103.235.46.96:443
2024/06/30 14:25:23 [Debug] transport/internet: dialing to tcp:103.235.46.96:443
2024/06/30 14:25:23 [Info] [937587311] proxy/freedom: connection opened to tcp:www.baidu.com:443, local endpoint 192.168.71.25:55660, remote endpoint 103.235.46.96:443
2024/06/30 14:25:23 [Info] [937587311] proxy: CopyRawConn splice
2024/06/30 14:25:24 [Info] [2490434064] app/proxyman/inbound: connection ends > proxy/socks: connection ends > proxy/socks: failed to transport all TCP request > read tcp 127.0.0.1:1080->127.0.0.1:41260: read: connection reset by peer
2024/06/30 14:25:24 [Info] [937587311] app/proxyman/inbound: connection ends > proxy/dokodemo: connection ends > proxy/dokodemo: failed to transport request > remote error: tls: unexpected message
2024/06/30 14:25:25 [Debug] app/log: Logger closing

1.8.13-access.log


2024/06/30 14:25:23 tcp:127.0.0.1:41260 accepted tcp:103.235.46.96:443 [socks-proxy -> redirect]
2024/06/30 14:25:23 127.0.0.1:41186 accepted tcp:www.baidu.com:80 [modifySNI-in -> modifySNI-www-out]

Server logs


No server needed
liushengqi000 commented 3 months ago

{
    "tag": "modifySNI-www-out",
    "protocol": "freedom",
    "settings": {
      "domainStrategy": "UseIPv4",
      "redirect": ":443"
    },
    "streamSettings": {
      "security": "tls",
      "tlsSettings": {
        "alpn": ["http/1.1"],
        "serverName": "www.baidu.com",
        "allowInsecure": false
      }
    }
  }

It seems the problem occurs when freedom connects to the server's port 443 over TLS and sends/receives HTTP/1.1 plaintext data?

Fangliding commented 3 months ago

I noticed this myself a while ago, but I didn't know 1.8.4 was actually fine. Can you test which version in between introduced the problem?

liushengqi000 commented 3 months ago

> I noticed this myself a while ago, but I didn't know 1.8.4 was actually fine. Can you test which version in between introduced the problem?

1.8.4 works; it breaks starting from 1.8.6.

Fangliding commented 3 months ago

freedom only had these three changes during that period [image]; it looks like some splice-related things were changed. Could you try setting the environment variable XRAY_BUF_SPLICE=disable

@yuhan6665

liushengqi000 commented 3 months ago

> freedom only had these three changes during that period [image]; it looks like some splice-related things were changed. Could you try setting the environment variable XRAY_BUF_SPLICE=disable
>
> @yuhan6665


XRAY_BUF_SPLICE="disable"

After 1.8.6, "protocol": "freedom" cannot obtain plaintext data through "security": "tls"; it shows Received HTTP/0.9 when not allowed.

1.8.6


curl -vvl -k -x socks5://127.0.0.1:1080 http://www.baidu.com --resolve www.baidu.com:80:103.235.46.96
* Added www.baidu.com:80:103.235.46.96 to DNS cache
*   Trying 127.0.0.1:1080...
* Hostname www.baidu.com was found in DNS cache
* SOCKS5 connect to IPv4 103.235.46.96:80 (locally resolved)
* SOCKS5 request granted.
* Connected to (nil) (127.0.0.1) port 1080 (#0)
> GET / HTTP/1.1
> Host: www.baidu.com
> User-Agent: curl/7.81.0
> Accept: */*
> 
* Received HTTP/0.9 when not allowed
* Closing connection 0
curl: (1) Received HTTP/0.9 when not allowed

Client configuration

Contains no private information; can be used directly.


{
  "log":{
    "access": "./log/access.log",
    "error": "./log/error.log",
    "loglevel": "debug"
  },
  "dns": {
    "hosts": {
      "domain:www.baidu.com":"103.235.46.96"
    }
  },
  "inbounds": [{
    "port": 1080,
    "listen": "127.0.0.1",
    "tag": "socks-proxy",
    "protocol": "socks",
    "settings": {
      "auth": "noauth",
      "udp": true,
      "ip" : "127.0.0.1"
    },
    "sniffing": {
      "enabled": true,
      "destOverride": ["http", "tls"]
    }
  }],
  "outbounds": [{
    "tag": "modifySNI-www-out",
    "protocol": "freedom",
    "settings": {
      "domainStrategy": "UseIPv4",
      "redirect": ":443"
    },
    "streamSettings": {
      "security": "tls",
      "tlsSettings": {
        "alpn": ["http/1.1"],
        "serverName": "www.baidu.com",
        "allowInsecure": true
      }
    }
  }],
  "routing": {
    "domainStrategy": "AsIs",
    "rules":[{
      "type": "field",
      "inboundTag": ["socks-proxy"],
      "outboundTag": "modifySNI-www-out"
    }]
  }
}

Client logs

1.8.6-error.log


2024/06/30 17:46:48 [Debug] app/log: Logger started
2024/06/30 17:46:48 [Info] app/dns: DNS: created localhost client
2024/06/30 17:46:48 [Debug] app/proxyman/inbound: creating stream worker on 127.0.0.1:1080
2024/06/30 17:46:48 [Info] transport/internet/tcp: listening TCP on 127.0.0.1:1080
2024/06/30 17:46:48 [Info] transport/internet/udp: listening UDP on 127.0.0.1:1080
2024/06/30 17:46:48 [Warning] core: Xray 1.8.16 started
2024/06/30 17:46:50 [Info] [2680402360] proxy/socks: TCP Connect request to tcp:103.235.46.96:80
2024/06/30 17:46:50 [Info] [2680402360] app/dispatcher: sniffed domain: www.baidu.com
2024/06/30 17:46:50 [Info] [2680402360] app/dispatcher: taking detour [modifySNI-www-out] for [tcp:www.baidu.com:80]
2024/06/30 17:46:50 [Info] app/dns: returning 1 IP(s) for domain www.baidu.com -> [103.235.46.96]
2024/06/30 17:46:50 [Info] [2680402360] proxy/freedom: dialing to tcp:103.235.46.96:443
2024/06/30 17:46:50 [Info] [2680402360] transport/internet/tcp: dialing TCP to tcp:103.235.46.96:443
2024/06/30 17:46:50 [Debug] transport/internet: dialing to tcp:103.235.46.96:443
2024/06/30 17:46:52 [Info] [2680402360] proxy/freedom: connection opened to tcp:www.baidu.com:443, local endpoint 192.168.71.25:35308, remote endpoint 103.235.46.96:443
2024/06/30 17:46:53 [Info] [2680402360] app/proxyman/inbound: connection ends > proxy/socks: connection ends > context canceled
2024/06/30 17:46:54 [Debug] app/log: Logger closing

1.8.6-access.log


2024/06/30 17:46:50 tcp:127.0.0.1:52992 accepted tcp:103.235.46.96:80 [socks-proxy -> modifySNI-www-out]
liushengqi000 commented 3 months ago

> freedom only had these three changes during that period [image]; it looks like some splice-related things were changed. Could you try setting the environment variable XRAY_BUF_SPLICE=disable
>
> @yuhan6665

After 1.8.6: with splice disabled, local traffic encryption works normally; with splice enabled, local traffic encryption returns wrong version number.

1.8.6


curl -vvl -k https://www.baidu.com:1090 --resolve www.baidu.com:1090:127.0.0.1
* Added www.baidu.com:1090:127.0.0.1 to DNS cache
* Hostname www.baidu.com was found in DNS cache
*   Trying 127.0.0.1:1090...
* Connected to www.baidu.com (127.0.0.1) port 1090 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=www.baidu.com
*  start date: Jun 30 09:23:17 2024 GMT
*  expire date: Jun 30 11:23:17 2024 GMT
*  issuer: C=CN; ST=a; L=a; O=a; CN=a
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET / HTTP/1.1
> Host: www.baidu.com:1090
> User-Agent: curl/7.81.0
> Accept: */*
> 
* (5454) (IN), , Unknown (72):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS alert, protocol version (582):
* OpenSSL SSL_read: error:0A00010B:SSL routines::wrong version number, errno 0
* Closing connection 0
curl: (56) OpenSSL SSL_read: error:0A00010B:SSL routines::wrong version number, errno 0

Steps to reproduce

Only occurs on versions after 1.8.6 with XRAY_BUF_SPLICE enabled.

Client configuration

Contains no private information; can be used directly.


{
  "log":{
    "access": "./log/access.log",
    "error": "./log/error.log",
    "loglevel": "debug"
  },
  "dns": {
    "hosts": {
      "domain:www.baidu.com":"103.235.46.96"
    }
  },
  "inbounds": [{
    "port": 1090,
    "listen": "127.0.0.1",
    "tag": "modifySNI-in",
    "protocol": "dokodemo-door",
    "settings": {
      "network": "tcp",
      "address": "127.0.0.1",
      "port": 80,
      "followRedirect": true
    },
    "sniffing": {
      "enabled": true,
      "destOverride": ["http", "tls"]
    },
    "streamSettings": {
      "security": "tls",
      "tlsSettings": {
        "alpn": ["http/1.1"],
        "certificates": [
          {
            "usage": "issue",
            "certificate": [
              "-----BEGIN CERTIFICATE-----",
              "MIICDDCCAXWgAwIBAgIUYtSxDhyshKRU0Xc/vevplUso6iYwDQYJKoZIhvcNAQEE",
              "BQAwJjELMAkGA1UEAwwCYXExCjAIBgNVBAoMAWExCzAJBgNVBAYTAkNOMB4XDTI0",
              "MDYwMzAwNDUwMFoXDTI0MDcwMTIxMjUwMFowPTELMAkGA1UEBhMCQ04xCjAIBgNV",
              "BAgMAWExCjAIBgNVBAcMAWExCjAIBgNVBAoMAWExCjAIBgNVBAMMAWEwgZ8wDQYJ",
              "KoZIhvcNAQEBBQADgY0AMIGJAoGBALcxIsrprF/zpYyD7xVB6nIjFOu7rNANGe4o",
              "nM6rUOJGupaGdBc064NB9kU81lJnseXoRMa0C36/lZAFxWCvqrppWLCSVDvefJ44",
              "HJV9EvI0clWssLrGeGTKn0LDN969sCHuqQ8qT3ysiFPvqyEFZfKMULO5wKpPfo+2",
              "lNOUwqCLAgMBAAGjIDAeMAsGA1UdEQQEMAKCADAPBgNVHRMBAf8EBTADAQH/MA0G",
              "CSqGSIb3DQEBBAUAA4GBAEsk97oG5P4kNn0hUj1/gvQbjOfYn3iX5LEOfQOCZ9tM",
              "K7q61yCSYEafLFmrMU/lHHtdaaZExWNsIeor/6K0LUcWD66pgnhNQeXeIAV9EvLa",
              "dItomoN54O+YRtahsEQ7PnBftu+XjZiLh7pvI1f3Ln2WNifIQf5M2hY3/VutnuQZ",
              "-----END CERTIFICATE-----"
            ],
            "key": [
              "-----BEGIN PRIVATE KEY-----",
              "MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBALcxIsrprF/zpYyD",
              "7xVB6nIjFOu7rNANGe4onM6rUOJGupaGdBc064NB9kU81lJnseXoRMa0C36/lZAF",
              "xWCvqrppWLCSVDvefJ44HJV9EvI0clWssLrGeGTKn0LDN969sCHuqQ8qT3ysiFPv",
              "qyEFZfKMULO5wKpPfo+2lNOUwqCLAgMBAAECgYByGKZk3xk/Qc8QL3QPN1i/8d2r",
              "3N4LTr2huaXAiq7737WC3wcbFRjCTakHApcyB+ejHAEKCUVHkiei5hVC3OZl2fv4",
              "cKpd9B76Kkx61OhBzrzlsQj3ov6uy7E9CLzICKZHKOZcqJzJIno6upxZEGtNNLI/",
              "2FDIHS26U13WXksGoQJBAOMHwO19uSsWWUQEM7NHecL+NOVH9aclU1PtimVcmVRo",
              "4pSzK1Hlf5YY/b9WC1hER7MSYz5nMDAXRQsOYYJLqRMCQQDOkVggjJztF/vRJSGx",
              "5IPtQN9nGKNUmDv71J/IE2+fpwFxIZ6PxACUUBIcKxDnq29RNnVxpkP8OFHGeuhB",
              "i1GpAkEAn+bjJKKLW+SmxLgs7dWm1gcTnHW9eJdahF9nPZMlz4T8KX20Qj9hSIeb",
              "mTryTJ3y3hZSXi5xiz2ofGwJk6rUjwJAFRIUWDWfqDujDyFnf3rczi2o3B5SQsXI",
              "kJaOudzprPJfHkgcoXOPz5EfV8o4zjjZgQI6Fp6sHqUsCj/tQwpQCQJBAInIooEo",
              "OCWrhToy8LKByEO/LkR8+plVa0H3qa7GR1wWLnFTB3TLxK4DoxNInqI8okiEH/nV",
              "4ar1qr/HrbxHoB4=",
              "-----END PRIVATE KEY-----"
            ]
          }
        ]
      }
    }
  }],
  "outbounds": [{
    "tag": "modifySNI-www-out",
    "protocol": "freedom",
    "settings": {
      "domainStrategy": "UseIPv4",
      "redirect": ":80"
    },
    "streamSettings": {
      "security": "none"
    }
  }],
  "routing": {
    "domainStrategy": "AsIs",
    "rules":[{
      "type": "field",
      "inboundTag": ["modifySNI-in"],
      "domain": [
        "domain:www.baidu.com"
      ],
      "outboundTag": "modifySNI-www-out"
    }]
  }
}

Server configuration


No server needed

Client logs

1.8.6-error.log


//declare -x XRAY_BUF_READV="disable"
//declare -x XRAY_BUF_SPLICE="disable"

//1.8.16
2024/06/30 18:22:49 [Debug] app/log: Logger started
2024/06/30 18:22:49 [Info] app/dns: DNS: created localhost client
2024/06/30 18:22:49 [Debug] app/router: MphDomainMatcher is enabled for 1 domain rule(s)
2024/06/30 18:22:49 [Debug] app/proxyman/inbound: creating stream worker on 127.0.0.1:1090
2024/06/30 18:22:49 [Info] transport/internet: failed to apply socket options to incoming connection > transport/internet: failed to set IP_TRANSPARENT > operation not permitted
2024/06/30 18:22:49 [Info] transport/internet/tcp: listening TCP on 127.0.0.1:1090
2024/06/30 18:22:49 [Warning] core: Xray 1.8.16 started
2024/06/30 18:22:52 [Info] [1215645068] app/proxyman/inbound: failed to get original destination > transport/internet/tcp: unable to get syscall.Conn
2024/06/30 18:22:52 [Debug] [1215645068] proxy/dokodemo: processing connection from: 127.0.0.1:55568
2024/06/30 18:22:52 [Info] transport/internet/tls: new certificate for www.baidu.com (expire on 2024-06-30T11:22:52Z) issued
2024/06/30 18:22:52 [Info] [1215645068] proxy/dokodemo: received request for 127.0.0.1:55568
2024/06/30 18:22:52 [Info] [1215645068] app/dispatcher: sniffed domain: www.baidu.com
2024/06/30 18:22:52 [Info] [1215645068] app/dispatcher: taking detour [modifySNI-www-out] for [tcp:www.baidu.com:80]
2024/06/30 18:22:52 [Info] app/dns: returning 1 IP(s) for domain www.baidu.com -> [103.235.46.96]
2024/06/30 18:22:52 [Info] [1215645068] proxy/freedom: dialing to tcp:103.235.46.96:80
2024/06/30 18:22:52 [Info] [1215645068] transport/internet/tcp: dialing TCP to tcp:103.235.46.96:80
2024/06/30 18:22:52 [Debug] transport/internet: dialing to tcp:103.235.46.96:80
2024/06/30 18:22:52 [Info] [1215645068] proxy/freedom: connection opened to tcp:www.baidu.com:80, local endpoint 192.168.71.25:42520, remote endpoint 103.235.46.96:80
2024/06/30 18:22:52 [Info] [1215645068] proxy: CopyRawConn readv
2024/06/30 18:22:53 [Info] [1215645068] app/proxyman/inbound: connection ends > proxy/dokodemo: connection ends > context canceled
2024/06/30 18:22:55 [Debug] app/log: Logger closing

//1.8.4
2024/06/30 18:23:02 [Debug] app/log: Logger started
2024/06/30 18:23:02 [Info] app/dns: DNS: created localhost client
2024/06/30 18:23:02 [Debug] app/router: MphDomainMatcher is enabled for 1 domain rule(s)
2024/06/30 18:23:02 [Debug] app/proxyman/inbound: creating stream worker on 127.0.0.1:1090
2024/06/30 18:23:02 [Info] transport/internet: failed to apply socket options to incoming connection > transport/internet: failed to set IP_TRANSPARENT > operation not permitted
2024/06/30 18:23:02 [Info] transport/internet/tcp: listening TCP on 127.0.0.1:1090
2024/06/30 18:23:02 [Warning] core: Xray 1.8.4 started
2024/06/30 18:23:05 [Info] [1084142729] app/proxyman/inbound: failed to get original destination > transport/internet/tcp: unable to get syscall.Conn
2024/06/30 18:23:05 [Debug] [1084142729] proxy/dokodemo: processing connection from: 127.0.0.1:59206
2024/06/30 18:23:05 [Info] transport/internet/tls: new certificate for www.baidu.com (expire on 2024-06-30T11:23:05Z) issued
2024/06/30 18:23:05 [Info] [1084142729] proxy/dokodemo: received request for 127.0.0.1:59206
2024/06/30 18:23:05 [Info] [1084142729] app/dispatcher: sniffed domain: www.baidu.com
2024/06/30 18:23:05 [Info] [1084142729] app/dispatcher: taking detour [modifySNI-www-out] for [tcp:www.baidu.com:80]
2024/06/30 18:23:05 [Info] app/dns: returning 1 IP(s) for domain www.baidu.com -> [103.235.46.96]
2024/06/30 18:23:05 [Info] [1084142729] proxy/freedom: dialing to tcp:103.235.46.96:80
2024/06/30 18:23:05 [Info] [1084142729] transport/internet/tcp: dialing TCP to tcp:103.235.46.96:80
2024/06/30 18:23:05 [Debug] transport/internet: dialing to tcp:103.235.46.96:80
2024/06/30 18:23:05 [Info] [1084142729] proxy/freedom: connection opened to tcp:www.baidu.com:80, local endpoint 192.168.71.25:43410, remote endpoint 103.235.46.96:80
2024/06/30 18:23:06 [Info] [1084142729] app/proxyman/inbound: connection ends > proxy/dokodemo: connection ends > context canceled
2024/06/30 18:23:07 [Debug] app/log: Logger closing

//declare -x XRAY_BUF_READV="auto"
//declare -x XRAY_BUF_SPLICE="auto"

//1.8.16
2024/06/30 18:23:15 [Debug] app/log: Logger started
2024/06/30 18:23:15 [Info] app/dns: DNS: created localhost client
2024/06/30 18:23:15 [Debug] app/router: MphDomainMatcher is enabled for 1 domain rule(s)
2024/06/30 18:23:15 [Debug] app/proxyman/inbound: creating stream worker on 127.0.0.1:1090
2024/06/30 18:23:15 [Info] transport/internet: failed to apply socket options to incoming connection > transport/internet: failed to set IP_TRANSPARENT > operation not permitted
2024/06/30 18:23:15 [Info] transport/internet/tcp: listening TCP on 127.0.0.1:1090
2024/06/30 18:23:15 [Warning] core: Xray 1.8.16 started
2024/06/30 18:23:17 [Info] [2698919846] app/proxyman/inbound: failed to get original destination > transport/internet/tcp: unable to get syscall.Conn
2024/06/30 18:23:17 [Debug] [2698919846] proxy/dokodemo: processing connection from: 127.0.0.1:55860
2024/06/30 18:23:17 [Info] transport/internet/tls: new certificate for www.baidu.com (expire on 2024-06-30T11:23:17Z) issued
2024/06/30 18:23:17 [Info] [2698919846] proxy/dokodemo: received request for 127.0.0.1:55860
2024/06/30 18:23:17 [Info] [2698919846] app/dispatcher: sniffed domain: www.baidu.com
2024/06/30 18:23:17 [Info] [2698919846] app/dispatcher: taking detour [modifySNI-www-out] for [tcp:www.baidu.com:80]
2024/06/30 18:23:17 [Info] app/dns: returning 1 IP(s) for domain www.baidu.com -> [103.235.46.96]
2024/06/30 18:23:17 [Info] [2698919846] proxy/freedom: dialing to tcp:103.235.46.96:80
2024/06/30 18:23:17 [Info] [2698919846] transport/internet/tcp: dialing TCP to tcp:103.235.46.96:80
2024/06/30 18:23:17 [Debug] transport/internet: dialing to tcp:103.235.46.96:80
2024/06/30 18:23:25 [Info] [2698919846] proxy/freedom: connection opened to tcp:www.baidu.com:80, local endpoint 192.168.71.25:42486, remote endpoint 103.235.46.96:80
2024/06/30 18:23:25 [Info] [2698919846] proxy: CopyRawConn splice
2024/06/30 18:23:25 [Info] [2698919846] app/proxyman/inbound: connection ends > proxy/dokodemo: connection ends > proxy/dokodemo: failed to transport request > remote error: tls: protocol version not supported
2024/06/30 18:23:27 [Debug] app/log: Logger closing

//1.8.4
2024/06/30 18:23:33 [Debug] app/log: Logger started
2024/06/30 18:23:33 [Info] app/dns: DNS: created localhost client
2024/06/30 18:23:33 [Debug] app/router: MphDomainMatcher is enabled for 1 domain rule(s)
2024/06/30 18:23:33 [Debug] app/proxyman/inbound: creating stream worker on 127.0.0.1:1090
2024/06/30 18:23:33 [Info] transport/internet: failed to apply socket options to incoming connection > transport/internet: failed to set IP_TRANSPARENT > operation not permitted
2024/06/30 18:23:33 [Info] transport/internet/tcp: listening TCP on 127.0.0.1:1090
2024/06/30 18:23:33 [Warning] core: Xray 1.8.4 started
2024/06/30 18:23:36 [Info] [2146429308] app/proxyman/inbound: failed to get original destination > transport/internet/tcp: unable to get syscall.Conn
2024/06/30 18:23:36 [Debug] [2146429308] proxy/dokodemo: processing connection from: 127.0.0.1:59830
2024/06/30 18:23:36 [Info] transport/internet/tls: new certificate for www.baidu.com (expire on 2024-06-30T11:23:36Z) issued
2024/06/30 18:23:36 [Info] [2146429308] proxy/dokodemo: received request for 127.0.0.1:59830
2024/06/30 18:23:36 [Info] [2146429308] app/dispatcher: sniffed domain: www.baidu.com
2024/06/30 18:23:36 [Info] [2146429308] app/dispatcher: taking detour [modifySNI-www-out] for [tcp:www.baidu.com:80]
2024/06/30 18:23:36 [Info] app/dns: returning 1 IP(s) for domain www.baidu.com -> [103.235.46.96]
2024/06/30 18:23:36 [Info] [2146429308] proxy/freedom: dialing to tcp:103.235.46.96:80
2024/06/30 18:23:36 [Info] [2146429308] transport/internet/tcp: dialing TCP to tcp:103.235.46.96:80
2024/06/30 18:23:36 [Debug] transport/internet: dialing to tcp:103.235.46.96:80
2024/06/30 18:23:36 [Info] [2146429308] proxy/freedom: connection opened to tcp:www.baidu.com:80, local endpoint 192.168.71.25:38012, remote endpoint 103.235.46.96:80
2024/06/30 18:23:37 [Info] [2146429308] app/proxyman/inbound: connection ends > proxy/dokodemo: connection ends > context canceled
2024/06/30 18:23:38 [Debug] app/log: Logger closing

1.8.6-access.log


2024/06/30 18:22:52 127.0.0.1:55568 accepted tcp:www.baidu.com:80 [modifySNI-in -> modifySNI-www-out]
2024/06/30 18:23:05 127.0.0.1:59206 accepted tcp:www.baidu.com:80 [modifySNI-in -> modifySNI-www-out]
2024/06/30 18:23:17 127.0.0.1:55860 accepted tcp:www.baidu.com:80 [modifySNI-in -> modifySNI-www-out]
2024/06/30 18:23:36 127.0.0.1:59830 accepted tcp:www.baidu.com:80 [modifySNI-in -> modifySNI-www-out]

Server logs


No server needed
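Reading the curl diagnostics above: `(5454) (IN), , Unknown (72)` is curl printing the record version and content type it pulled off the socket, and 0x48 0x54 0x54 is ASCII `HTT`, so the upstream's cleartext `HTTP/1.1 200 OK` was delivered inside the client's TLS session, which is what OpenSSL then reports as wrong version number. The Go program below is an added example, not code from Xray-core or from the issue; it decodes the five-byte TLS record header the way a TLS stack does and labels what arrived. The byte strings in main are constructed here, not captures.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// recordHeader is the 5-byte header that starts every TLS record
// (RFC 8446 section 5.1): content type, legacy record version, payload length.
type recordHeader struct {
	ContentType uint8
	Version     uint16
	Length      uint16
}

var errShort = errors.New("need at least 5 bytes to parse a TLS record header")

// parseRecordHeader decodes the first five bytes of a stream as if they were a
// TLS record header. It does not fail on non-TLS input on purpose: the point is
// to see what a TLS stack makes of the bytes it actually received.
func parseRecordHeader(b []byte) (recordHeader, error) {
	if len(b) < 5 {
		return recordHeader{}, errShort
	}
	return recordHeader{
		ContentType: b[0],
		Version:     binary.BigEndian.Uint16(b[1:3]),
		Length:      binary.BigEndian.Uint16(b[3:5]),
	}, nil
}

// contentTypeName covers the registered TLS ContentType values a peer may send.
func contentTypeName(ct uint8) string {
	switch ct {
	case 20:
		return "change_cipher_spec"
	case 21:
		return "alert"
	case 22:
		return "handshake"
	case 23:
		return "application_data"
	}
	return "unknown"
}

// looksLikeTLS reports whether the header is plausible for TLS 1.0-1.3 on the
// wire: a registered content type and a 0x03xx legacy version. Cleartext that
// lands on a TLS socket fails the version test, matching the curl trace above.
func (h recordHeader) looksLikeTLS() bool {
	return contentTypeName(h.ContentType) != "unknown" && h.Version>>8 == 0x03
}

// classify returns "tls-record", "not-tls" or "short" for the start of a
// stream, plus an explanation in the terms a TLS stack would use.
func classify(b []byte) (verdict string, detail string) {
	h, err := parseRecordHeader(b)
	if err != nil {
		return "short", err.Error()
	}
	if h.looksLikeTLS() {
		return "tls-record", fmt.Sprintf("content type %d (%s), version 0x%04x, length %d",
			h.ContentType, contentTypeName(h.ContentType), h.Version, h.Length)
	}
	return "not-tls", fmt.Sprintf("content type %d (%q), version 0x%04x: not a TLS record, "+
		"a TLS client aborts with wrong version number", h.ContentType, rune(h.ContentType), h.Version)
}

func main() {
	// Constructed samples (not captures from the issue):
	samples := [][]byte{
		[]byte("HTTP/1.1 200 OK\r\nServer: BWS/1.1\r\n"), // cleartext reply spliced into a TLS stream
		{0x14, 0x03, 0x03, 0x00, 0x01, 0x01},             // ChangeCipherSpec record from an upstream handshake
		{0x17, 0x03, 0x03, 0x00, 0x20},                   // application_data record header, 32-byte payload
	}
	for _, s := range samples {
		v, d := classify(s)
		fmt.Printf("%-10s %s\n", v, d)
	}
}
```

The same decoder applied to the 1.8.13 trace explains the other error: the record curl logged as `TLS header, Finished (20)` after the handshake is a content type 20 record with a valid 0x0303 version, which a TLS 1.3 client cannot accept at that point, hence bad record type rather than wrong version number.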
liushengqi000 commented 3 months ago

> freedom only had these three changes during that period [image]; it looks like some splice-related things were changed. Could you try setting the environment variable XRAY_BUF_SPLICE=disable
>
> @yuhan6665

1.8.16: with splice disabled, local traffic encryption works normally; with splice enabled, local traffic encryption returns wrong version number. Regardless of whether splice is on or off, "protocol": "freedom" cannot obtain plaintext data through "security": "tls"; it shows Received HTTP/0.9 when not allowed.

The problem has multiplied.

yuhan6665 commented 3 months ago

You are using Xray to do client-side TLS encryption, so it cannot run raw. I think for this special usage you should continue using the environment variable. If there are no objections I will close the issue later.
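The point behind "cannot run raw", as an added Go example that is not Xray-core's code: a relay may only zero-copy (splice) between two bare TCP sockets. When either end is a *tls.Conn, bytes must go through that conn's Read and Write so the TLS layer decrypts inbound records and encrypts outbound cleartext; reaching past it to the socket underneath forwards the peer's records verbatim or drops cleartext onto an encrypted socket, which is what the traces in this issue show. unwrapNaively is the unsafe shortcut kept beside the gate for contrast; the loopback addresses and TLS config are illustrative assumptions.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"io"
	"net"
)

// rawTCP returns the socket behind c only when c itself is a plain TCP
// connection. A *tls.Conn is deliberately not unwrapped: what sits on its
// NetConn() is ciphertext for the far side, not the cleartext this relay owns.
func rawTCP(c net.Conn) (*net.TCPConn, bool) {
	switch v := c.(type) {
	case *tls.Conn:
		return nil, false
	case *net.TCPConn:
		return v, true
	}
	return nil, false
}

// unwrapNaively is the unsafe variant: it reaches through a *tls.Conn to the
// TCP socket beneath it, bypassing the TLS layer in this process.
func unwrapNaively(c net.Conn) (*net.TCPConn, bool) {
	if t, ok := c.(*tls.Conn); ok {
		c = t.NetConn()
	}
	tcp, ok := c.(*net.TCPConn)
	return tcp, ok
}

// copyStrategy picks "splice" only when both ends are bare TCP sockets;
// any in-process layer (TLS, or a non-socket conn) forces "buffered".
func copyStrategy(src, dst net.Conn) string {
	if _, ok := rawTCP(src); !ok {
		return "buffered"
	}
	if _, ok := rawTCP(dst); !ok {
		return "buffered"
	}
	return "splice"
}

// relay moves bytes src -> dst until EOF and reports which path was used.
// The buffered path uses the conns as given, so a *tls.Conn encrypts and
// decrypts; the splice path hands two *net.TCPConn to ReadFrom, which Go
// implements with splice(2) on Linux.
func relay(src, dst net.Conn) (int64, string, error) {
	strategy := copyStrategy(src, dst)
	if strategy == "splice" {
		s, _ := rawTCP(src)
		d, _ := rawTCP(dst)
		n, err := d.ReadFrom(s)
		return n, strategy, err
	}
	n, err := io.Copy(dst, src)
	return n, strategy, err
}

func main() {
	// Real loopback sockets so the type switch has a *net.TCPConn to find;
	// the address and TLS config are illustrative assumptions.
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		fmt.Println("listen:", err)
		return
	}
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			defer c.Close()
			io.Copy(io.Discard, c)
		}
	}()
	tcp, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		fmt.Println("dial:", err)
		return
	}
	defer tcp.Close()
	tlsConn := tls.Client(tcp, &tls.Config{ServerName: "www.baidu.com", InsecureSkipVerify: true})
	_, naive := unwrapNaively(tlsConn)
	_, safe := rawTCP(tlsConn)
	fmt.Printf("naive unwrap finds TCP: %v, rawTCP finds TCP: %v, strategy: %s\n",
		naive, safe, copyStrategy(tlsConn, tcp))
}
```

Setting XRAY_BUF_SPLICE=disable forces the buffered path for every connection; the gate above is the per-connection version of the same decision.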

Fangliding commented 3 months ago

I remember that earlier, just using dokodemo-door to terminate TLS would also blow up.

liushengqi000 commented 3 months ago

You are using xray as the client side of TLS encryption, so the traffic cannot run bare. I think for this special usage you should keep using the environment variable. If there are no objections I will close the issue later.


{
  "tag": "modifySNI-www-out",
  "protocol": "freedom",
  "settings": {
    "domainStrategy": "UseIPv4",
    "redirect": ":443"
  },
  "streamSettings": {
    "security": "tls",
    "tlsSettings": {
      "alpn": ["http/1.1"],
      "serverName": "www.baidu.com",
      "allowInsecure": false
    }
  }
}

When using freedom+security.tls to connect directly to the website's server, why can 1.8.6 and later versions not obtain plaintext data?

liushengqi000 commented 3 months ago

You are using xray as the client side of TLS encryption, so the traffic cannot run bare. I think for this special usage you should keep using the environment variable. If there are no objections I will close the issue later.

XRAY_BUF_SPLICE=disable only fixes the local encryption problem with dokodemo-door+security.tls; it does not fix the problem that freedom+security.tls connecting directly to the website's server cannot obtain plaintext data.

liushengqi000 commented 3 months ago

First bug: a TLS ServerHello packet is sent inside a plaintext HTTP connection.

Client configuration

No private information; it can be used as-is.


{
  "log":{
    "access": "./log/access.log",
    "error": "./log/error.log",
    "loglevel": "debug"
  },
  "dns": {
    "hosts": {
      "domain:www.baidu.com":"103.235.46.96"
    }
  },
  "inbounds": [{
    "port": 1080,
    "listen": "127.0.0.1",
    "tag": "socks-proxy",
    "protocol": "socks",
    "settings": {
      "auth": "noauth",
      "udp": true,
      "ip" : "127.0.0.1"
    },
    "sniffing": {
      "enabled": true,
      "destOverride": ["http", "tls"]
    }
  }],
  "outbounds": [{
    "tag": "modifySNI-www-out",
    "protocol": "freedom",
    "settings": {
      "domainStrategy": "UseIPv4",
      "redirect": ":443"
    },
    "streamSettings": {
      "security": "tls",
      "tlsSettings": {
        "alpn": ["http/1.1"],
        "serverName": "www.baidu.com",
        "allowInsecure": true
      }
    }
  }],
  "routing": {
    "domainStrategy": "AsIs",
    "rules":[{
      "type": "field",
      "inboundTag": ["socks-proxy"],
      "outboundTag": "modifySNI-www-out"
    }]
  }
}

@yuhan6665 I do object. In Wireshark you can see that freedom+security.tls, during its handshake with the server, also forwards the ServerHello returned by the server to the client. Please add the bug label back.

Second bug: plaintext packets are sent inside a TLS connection.

Client configuration

No private information; it can be used as-is.


{
  "log":{
    "access": "./log/access.log",
    "error": "./log/error.log",
    "loglevel": "none"
  },
  "dns": {
    "hosts": {
      "domain:www.baidu.com":"103.235.46.96"
    }
  },
  "inbounds": [{
    "port": 2080,
    "listen": "127.0.0.1",
    "tag": "modifySNI-in",
    "protocol": "dokodemo-door",
    "settings": {
      "network": "tcp",
      "address": "127.0.0.1",
      "port": 80,
      "followRedirect": true
    },
    "sniffing": {
      "enabled": true,
      "destOverride": ["http", "tls"]
    },
    "streamSettings": {
      "security": "tls",
      "tlsSettings": {
        "alpn": ["http/1.1"],
        "certificates": [
          {
            "usage": "issue",
            "certificate": [
              "-----BEGIN CERTIFICATE-----",
              "MIICDDCCAXWgAwIBAgIUYtSxDhyshKRU0Xc/vevplUso6iYwDQYJKoZIhvcNAQEE",
              "BQAwJjELMAkGA1UEAwwCYXExCjAIBgNVBAoMAWExCzAJBgNVBAYTAkNOMB4XDTI0",
              "MDYwMzAwNDUwMFoXDTI0MDcwMTIxMjUwMFowPTELMAkGA1UEBhMCQ04xCjAIBgNV",
              "BAgMAWExCjAIBgNVBAcMAWExCjAIBgNVBAoMAWExCjAIBgNVBAMMAWEwgZ8wDQYJ",
              "KoZIhvcNAQEBBQADgY0AMIGJAoGBALcxIsrprF/zpYyD7xVB6nIjFOu7rNANGe4o",
              "nM6rUOJGupaGdBc064NB9kU81lJnseXoRMa0C36/lZAFxWCvqrppWLCSVDvefJ44",
              "HJV9EvI0clWssLrGeGTKn0LDN969sCHuqQ8qT3ysiFPvqyEFZfKMULO5wKpPfo+2",
              "lNOUwqCLAgMBAAGjIDAeMAsGA1UdEQQEMAKCADAPBgNVHRMBAf8EBTADAQH/MA0G",
              "CSqGSIb3DQEBBAUAA4GBAEsk97oG5P4kNn0hUj1/gvQbjOfYn3iX5LEOfQOCZ9tM",
              "K7q61yCSYEafLFmrMU/lHHtdaaZExWNsIeor/6K0LUcWD66pgnhNQeXeIAV9EvLa",
              "dItomoN54O+YRtahsEQ7PnBftu+XjZiLh7pvI1f3Ln2WNifIQf5M2hY3/VutnuQZ",
              "-----END CERTIFICATE-----"
            ],
            "key": [
              "-----BEGIN PRIVATE KEY-----",
              "MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBALcxIsrprF/zpYyD",
              "7xVB6nIjFOu7rNANGe4onM6rUOJGupaGdBc064NB9kU81lJnseXoRMa0C36/lZAF",
              "xWCvqrppWLCSVDvefJ44HJV9EvI0clWssLrGeGTKn0LDN969sCHuqQ8qT3ysiFPv",
              "qyEFZfKMULO5wKpPfo+2lNOUwqCLAgMBAAECgYByGKZk3xk/Qc8QL3QPN1i/8d2r",
              "3N4LTr2huaXAiq7737WC3wcbFRjCTakHApcyB+ejHAEKCUVHkiei5hVC3OZl2fv4",
              "cKpd9B76Kkx61OhBzrzlsQj3ov6uy7E9CLzICKZHKOZcqJzJIno6upxZEGtNNLI/",
              "2FDIHS26U13WXksGoQJBAOMHwO19uSsWWUQEM7NHecL+NOVH9aclU1PtimVcmVRo",
              "4pSzK1Hlf5YY/b9WC1hER7MSYz5nMDAXRQsOYYJLqRMCQQDOkVggjJztF/vRJSGx",
              "5IPtQN9nGKNUmDv71J/IE2+fpwFxIZ6PxACUUBIcKxDnq29RNnVxpkP8OFHGeuhB",
              "i1GpAkEAn+bjJKKLW+SmxLgs7dWm1gcTnHW9eJdahF9nPZMlz4T8KX20Qj9hSIeb",
              "mTryTJ3y3hZSXi5xiz2ofGwJk6rUjwJAFRIUWDWfqDujDyFnf3rczi2o3B5SQsXI",
              "kJaOudzprPJfHkgcoXOPz5EfV8o4zjjZgQI6Fp6sHqUsCj/tQwpQCQJBAInIooEo",
              "OCWrhToy8LKByEO/LkR8+plVa0H3qa7GR1wWLnFTB3TLxK4DoxNInqI8okiEH/nV",
              "4ar1qr/HrbxHoB4=",
              "-----END PRIVATE KEY-----"
            ]
          }
        ]
      }
    }
  }],
  "outbounds": [{
    "tag": "modifySNI-www-out",
    "protocol": "freedom",
    "settings": {
      "domainStrategy": "UseIPv4",
      "redirect": ":80"
    },
    "streamSettings": {
      "security": "none"
    }
  }],
  "routing": {
    "domainStrategy": "AsIs",
    "rules":[{
      "type": "field",
      "inboundTag": ["modifySNI-in"],
      "domain": [
        "domain:www.baidu.com"
      ],
      "outboundTag": "modifySNI-www-out"
    }]
  }
}

When XRAY_BUF_SPLICE is not set, Wireshark shows that dokodemo-door+security.tls, while talking to the client, ignores the security.tls setting and sends plaintext packets back to the client inside the TLS connection.
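As an added illustration (not code from this issue or from Xray-core), here is a small Go check that reads the first bytes seen on one hop of the chain the way the two Wireshark captures above were read: a TLS record where the plaintext port-80 hop should carry HTTP (the first bug), or plaintext HTTP inside the hop configured with security "tls" (the second bug). The function names and the sample bytes are constructed for this example; they are not taken from the captures.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
)

// ClassifyHead inspects the first bytes seen on one hop and reports whether they look
// like a TLS record ("tls") or plaintext HTTP ("http"). Only the 5-byte record header is needed.
func ClassifyHead(b []byte) (kind, detail string) {
	// TLS record header: content type (0x14..0x17), legacy version 0x03xx, 2-byte length.
	if len(b) >= 5 && b[0] >= 0x14 && b[0] <= 0x17 && b[1] == 0x03 && b[2] <= 0x04 {
		names := map[byte]string{0x14: "change_cipher_spec", 0x15: "alert", 0x16: "handshake", 0x17: "application_data"}
		detail = names[b[0]]
		// Inside a handshake record, byte 5 is the message type: 1 = ClientHello, 2 = ServerHello.
		if b[0] == 0x16 && len(b) >= 6 {
			detail += map[byte]string{1: "/ClientHello", 2: "/ServerHello"}[b[5]]
		}
		return "tls", detail
	}
	for _, m := range []string{"GET ", "POST ", "HEAD ", "HTTP/1."} {
		if bytes.HasPrefix(b, []byte(m)) {
			return "http", strings.TrimSpace(m)
		}
	}
	return "unknown", ""
}

// CheckHop compares what a hop is configured to carry with what it actually carries.
// expectTLS is true for the hop whose streamSettings.security is "tls".
func CheckHop(expectTLS bool, head []byte) error {
	kind, detail := ClassifyHead(head)
	switch {
	case expectTLS && kind == "http":
		return fmt.Errorf("plaintext %s inside the TLS hop (a TLS client reports 'wrong version number')", detail)
	case !expectTLS && kind == "tls":
		return fmt.Errorf("TLS %s on the plaintext hop (curl reports 'Received HTTP/0.9 when not allowed')", detail)
	}
	return nil
}

func main() {
	// Constructed samples, not bytes taken from the issue's captures.
	leakedServerHello := []byte{0x16, 0x03, 0x03, 0x00, 0x7a, 0x02, 0x00, 0x00, 0x76}
	plainReply := []byte("HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")
	fmt.Println(CheckHop(false, leakedServerHello)) // first bug: ServerHello forwarded on the port-80 side
	fmt.Println(CheckHop(true, plainReply))         // second bug: plaintext reply sent inside the TLS hop
}
```

The same check can be run over the first payload bytes of each direction exported from a capture to confirm which hop is carrying the wrong kind of data.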

Fangliding commented 3 months ago

Oh right, now I remember: earlier I also found from packet captures that the reply packets were not encrypted.

liushengqi000 commented 2 months ago

??? Is anyone there? Is this a bug or not?