chika0801 / sing-box-examples

sing-box configuration examples
https://github.com/SagerNet/sing-box

ShadowTLS hmac mismatch #101

Closed hawshemi closed 5 months ago

hawshemi commented 5 months ago

Hello. I have this sing-box / ShadowTLSv3 server/client.

Previously the server was a Reality server with SNI: www.ctrip.com and it was working fine (no blockage).

Recently I rebuilt the server, installed sing-box and set up ShadowTLSv3, but when I connect to the server, the server log says:

WARN[1837] [1544878752 1ms] inbound/shadowtls[0]: client hello verify failed: hmac mismatch

Client:

{
  "dns": {
    "independent_cache": true,
    "rules": [
      {
        "domain": [
          "dns.google"
        ],
        "server": "dns-direct"
      }
    ],
    "servers": [
      {
        "address": "https://dns.google/dns-query",
        "address_resolver": "dns-direct",
        "strategy": "prefer_ipv4",
        "tag": "dns-remote"
      },
      {
        "address": "local",
        "address_resolver": "dns-local",
        "detour": "direct",
        "strategy": "prefer_ipv4",
        "tag": "dns-direct"
      },
      {
        "address": "local",
        "detour": "direct",
        "tag": "dns-local"
      },
      {
        "address": "rcode://success",
        "tag": "dns-block"
      }
    ]
  },
  "inbounds": [
    {
      "listen": "127.0.0.1",
      "listen_port": 6450,
      "override_address": "8.8.8.8",
      "override_port": 53,
      "tag": "dns-in",
      "type": "direct"
    },
    {
      "domain_strategy": "",
      "endpoint_independent_nat": true,
      "inet4_address": [
        "172.19.0.1/28"
      ],
      "inet6_address": [
        "fdfe:dcba:9876::1/126"
      ],
      "mtu": 9000,
      "sniff": true,
      "sniff_override_destination": false,
      "stack": "mixed",
      "tag": "tun-in",
      "type": "tun"
    },
    {
      "domain_strategy": "",
      "listen": "127.0.0.1",
      "listen_port": 2080,
      "sniff": true,
      "sniff_override_destination": false,
      "tag": "mixed-in",
      "type": "mixed"
    }
  ],
  "log": {
    "level": "debug"
  },
  "outbounds": [
    {
      "password": "XXXX",
      "server": "X.X.X.X",
      "server_port": 443,
      "tls": {
        "enabled": true,
        "insecure": false,
        "server_name": "www.ctrip.com",
        "utls": {
          "enabled": true,
          "fingerprint": "chrome"
        }
      },
      "version": 3,
      "type": "shadowtls",
      "domain_strategy": "",
      "tag": "proxy"
    },
    {
      "tag": "direct",
      "type": "direct"
    },
    {
      "tag": "bypass",
      "type": "direct"
    },
    {
      "tag": "block",
      "type": "block"
    },
    {
      "tag": "dns-out",
      "type": "dns"
    }
  ],
  "route": {
    "auto_detect_interface": true,
    "rules": [
      {
        "outbound": "dns-out",
        "port": [
          53
        ]
      },
      {
        "inbound": [
          "dns-in"
        ],
        "outbound": "dns-out"
      },
      {
        "ip_cidr": [
          "224.0.0.0/3",
          "ff00::/8"
        ],
        "outbound": "block",
        "source_ip_cidr": [
          "224.0.0.0/3",
          "ff00::/8"
        ]
      }
    ]
  }
}

Server:

{
    "inbounds": [
        {
            "type": "shadowtls",
            "listen": "::",
            "listen_port": 443,
            "detour": "shadowsocks-in",
            "version": 3,
            "users": [
                {
                    "password": ""
                }
            ],
            "handshake": {
                "server": "www.ctrip.com",
                "server_port": 443
            },
            "strict_mode": true
        },
        {
            "type": "shadowsocks",
            "tag": "shadowsocks-in",
            "listen": "127.0.0.1",
            "method": "2022-blake3-aes-128-gcm",
            "password": "XXXX",
            "multiplex": {
                "enabled": true
            }
        }
    ],
    "outbounds": [
        {
            "type": "direct"
        }
    ]
}

NekoBox: (screenshot attached)

chika0801 commented 5 months ago

www.ctrip.com

ShadowTLSv3 requires the target website's TLS certificate to be version 1.3. I looked at the www.ctrip.com you are using, and its SSL certificate is version 1.2.

You can check the ShadowTLS section of the sing-box documentation for the detailed requirements of each parameter when it is used as an inbound (server side), or read the ShadowTLS blog post for more background.

I guess this may be the reason; you can try a different site.

chika0801 commented 5 months ago

Also, if you are in mainland China, when choosing the target site I suggest you avoid any site that resolves to a CN IP when you ping it from mainland China. That is one principle.

hawshemi commented 5 months ago

Are you sure? www.ctrip.com supports TLS 1.3 . Also, I tested with www.speedtest.net and it didn't work either.

(I'm not in China)

chika0801 commented 5 months ago

(screenshots attached: www.ctrip.com, 1, 1 - copy)

chika0801 commented 5 months ago

    {
      "password": "XXXX",
      "server": "X.X.X.X",
      "server_port": 443,
      "tls": {
        "enabled": true,
        "insecure": false,
        "server_name": "www.ctrip.com",
        "utls": {
          "enabled": true,
          "fingerprint": "chrome"
        }
      },
      "version": 3,
      "type": "shadowtls",
      "domain_strategy": "",
      "tag": "proxy"
    },

https://github.com/chika0801/sing-box-examples/blob/main/ShadowTLS/config_client.json#L10-L34

In your client's outbound configuration there is no SS section; can you check?
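For reference, here is a client outbounds block in which a Shadowsocks outbound detours through the ShadowTLS outbound, which is the SS section the comment above says is missing. This is an added example, not the repository's own config_client.json: the server address and both passwords are placeholders, and the Shadowsocks method and multiplex setting are assumed to match the server inbound posted in the issue (2022-blake3-aes-128-gcm with multiplex enabled). The ShadowTLS password on the client has to equal one of the server inbound's users[].password values, because the v3 client hello HMAC is keyed by it.

```json
{
  "outbounds": [
    {
      "type": "shadowsocks",
      "tag": "ss-out",
      "server": "X.X.X.X",
      "server_port": 443,
      "method": "2022-blake3-aes-128-gcm",
      "password": "SS_PASSWORD_PLACEHOLDER",
      "detour": "shadowtls-out",
      "multiplex": {
        "enabled": true
      }
    },
    {
      "type": "shadowtls",
      "tag": "shadowtls-out",
      "server": "X.X.X.X",
      "server_port": 443,
      "version": 3,
      "password": "SHADOWTLS_PASSWORD_PLACEHOLDER",
      "tls": {
        "enabled": true,
        "server_name": "www.ctrip.com",
        "utls": {
          "enabled": true,
          "fingerprint": "chrome"
        }
      }
    },
    {
      "type": "direct",
      "tag": "direct"
    }
  ],
  "route": {
    "final": "ss-out"
  }
}
```

Proxied traffic is routed to ss-out; shadowtls-out is only reached as its detour, so the ShadowTLS tunnel carries Shadowsocks 2022 ciphertext that the server's shadowsocks-in inbound can decrypt. Routing traffic to the shadowtls outbound directly, as in the original client config, sends the plain application stream into that inbound instead.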

hawshemi commented 5 months ago

The problem was my VPS IP was completely blocked by ISPs.