Xray-core: Bug: Clients using tls 1.2 by default!!???

I found a weird bug: the clients sometimes start the connection with TLS 1.2. I am using Xray v1.8.0.


I have even added minVersion in the TLS settings, but it won't change this behavior.

Full client configuration
{
  "log": {
    "access": "",
    "error": "",
    "loglevel": "warning"
  },
  "inbounds": [
    {
      "tag": "socks",
      "port": 10808,
      "listen": "127.0.0.1",
      "protocol": "socks",
      "sniffing": {
        "enabled": true,
        "destOverride": [
          "http",
          "tls"
        ],
        "routeOnly": false
      },
      "settings": {
        "auth": "noauth",
        "udp": true,
        "allowTransparent": false
      }
    },
    {
      "tag": "http",
      "port": 10809,
      "listen": "127.0.0.1",
      "protocol": "http",
      "sniffing": {
        "enabled": true,
        "destOverride": [
          "http",
          "tls"
        ],
        "routeOnly": false
      },
      "settings": {
        "auth": "noauth",
        "udp": true,
        "allowTransparent": false
      }
    }
  ],
  "outbounds": [
    {
      "tag": "proxy",
      "protocol": "vless",
      "settings": {
        "vnext": [
          {
            "address": "hiddify.com",
            "port": 443,
            "users": [
              {
                "id": "e28c1a7e-98a5-4b91-a0e0-96cacf4e1fae",
                "alterId": 0,
                "email": "t@t.tt",
                "security": "auto",
                "encryption": "none",
                "flow": "xtls-rprx-vision"
              }
            ]
          }
        ]
      },
      "streamSettings": {
        "network": "tcp",
        "security": "tls",
        "tlsSettings": {
          "allowInsecure": false,
          "serverName": "hiddify.com",
          "alpn": [
            "http/1.1"
          ],
          "fingerprint": "chrome",
          "show": false,
          "minVersion": "1.3"
        }
      },
      "mux": {
        "enabled": false,
        "concurrency": -1
      }
    },
    {
      "tag": "direct",
      "protocol": "freedom",
      "settings": {}
    },
    {
      "tag": "block",
      "protocol": "blackhole",
      "settings": {
        "response": {
          "type": "http"
        }
      }
    }
  ],
  "routing": {
    "domainStrategy": "AsIs",
    "rules": [
      {
        "type": "field",
        "inboundTag": [
          "api"
        ],
        "outboundTag": "api",
        "enabled": true
      },
      {
        "id": "4721901652305849247",
        "type": "field",
        "outboundTag": "direct",
        "domain": [
          "domain:example.com",
          "domain:example2.com"
        ],
        "enabled": true
      },
      {
        "id": "4964923193273991424",
        "type": "field",
        "outboundTag": "block",
        "domain": [
          "geosite:category-ads-all"
        ],
        "enabled": true
      },
      {
        "id": "5462843772156832822",
        "type": "field",
        "outboundTag": "direct",
        "domain": [
          "geosite:private",
          "geosite:apple@cn",
          "geosite:google@cn",
          "geosite:tld-cn",
          "tld-ir"
        ],
        "enabled": true
      },
      {
        "id": "5632988166244046273",
        "type": "field",
        "outboundTag": "proxy",
        "domain": [
          "geoip:!ir"
        ],
        "enabled": true
      },
      {
        "id": "4874739823930549310",
        "type": "field",
        "outboundTag": "direct",
        "ip": [
          "geoip:private",
          "geoip:cn",
          "geoip:ir"
        ],
        "enabled": true
      },
      {
        "id": "5464678198089768952",
        "type": "field",
        "port": "0-65535",
        "outboundTag": "proxy",
        "enabled": true
      }
    ],
    "balancers": []
  }
}
As you have suggested that setting a hard limit on the server side to accept only TLS 1.3 is not good, I have tried to use HAProxy, but it cannot proxy TLS 1.3 and 1.2 to different servers.

I think that this behavior may be used to identify proxy servers.

frontend https-in
    bind :443,:::443 v4v6
    mode tcp
    option tcplog
    option dontlognull
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # req.ssl_ver reads the ClientHello's version fields, not the supported_versions
    # extension; a TLS 1.3 ClientHello still carries 3.3 there, so these two ACLs
    # cannot separate TLS 1.3 clients from TLS 1.2 clients
    acl tls1_2 req.ssl_ver 3.3
    acl tls1_3 req.ssl_ver 3.4

    use_backend xray if tls1_3
    use_backend xraydecoy if tls1_2
    # tcp-request content reject if tls1_2
    default_backend xraydecoy

About this issue

  • State: open
  • Created a year ago
  • Reactions: 2
  • Comments: 15 (15 by maintainers)

Most upvoted comments

However, currently we are facing a problem in Iran. As you mentioned, the problem is with uTLS, and when we remove uTLS it works, but it is not a good way.

I do not know what is happening with uTLS, but I believe we have to be robust against this.

I think you misunderstand my sentence. All Xray servers are supporting TLS 1.3 and it is okay, but if the GTW alters the version, the client should check whether it is altered or not. It is a hope that all implementations of the TLS 1.3 protocol won't forget to implement the measures against downgrade attacks (checking DOWNGRD).
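Added example (Python, written for this page; it is not code from Xray, uTLS or anyone in the thread). It constructs a sample TLS 1.3-style ClientHello to show that the legacy version field still reads 3.3 while the real offer sits in the supported_versions extension (which is why the req.ssl_ver ACLs in the HAProxy config above cannot tell 1.3 from 1.2 clients), and implements the RFC 8446 section 4.1.3 DOWNGRD sentinel check a client uses to detect the downgrade mentioned in this comment. The hello builder and the byte offsets are simplified for this constructed sample only.

```python
import struct

# RFC 8446 section 4.1.3: sentinels a TLS 1.3-capable server puts in the last 8 bytes
# of ServerHello.random when it negotiates a lower version
DOWNGRD_TLS12 = b"DOWNGRD\x01"   # negotiated TLS 1.2
DOWNGRD_TLS11 = b"DOWNGRD\x00"   # negotiated TLS 1.1 or lower

def build_client_hello(supported):
    """Construct a minimal ClientHello record (constructed sample, not captured traffic).
    legacy_version is always 3.3; the real offer goes in supported_versions (ext 43)."""
    sv = b"".join(bytes(v) for v in supported)
    ext = struct.pack(">HHB", 43, len(sv) + 1, len(sv)) + sv
    body = (b"\x03\x03" + b"\x11" * 32             # legacy_version + 32-byte random
            + b"\x00"                               # empty session id
            + struct.pack(">H", 2) + b"\x13\x01"    # one cipher suite (TLS_AES_128_GCM_SHA256)
            + b"\x01\x00"                           # compression methods: null only
            + struct.pack(">H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake

def client_hello_versions(record):
    """Return (legacy_version, supported_versions) for a ClientHello record.
    An inspector that reads only the version fields sees legacy_version, i.e. 3.3."""
    body = record[9:]                                     # skip record (5) + handshake (4) headers
    legacy = (body[0], body[1])
    pos = 2 + 32                                          # past legacy_version and random
    pos += 1 + body[pos]                                  # session id
    pos += 2 + struct.unpack(">H", body[pos:pos + 2])[0]  # cipher suites
    pos += 1 + body[pos]                                  # compression methods
    ext_end = pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    supported = []
    while pos < ext_end:
        etype, elen = struct.unpack(">HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        if etype == 43:                                   # supported_versions extension
            supported = [(data[i], data[i + 1]) for i in range(1, 1 + data[0], 2)]
        pos += 4 + elen
    return legacy, supported

def downgrade_detected(server_random, negotiated):
    """Client-side check: having offered TLS 1.3, abort if a lower version was chosen
    and the server's random ends with the matching DOWNGRD sentinel."""
    tail = server_random[-8:]
    if negotiated == (3, 3):
        return tail == DOWNGRD_TLS12
    if negotiated < (3, 3):
        return tail == DOWNGRD_TLS11
    return False

if __name__ == "__main__":
    hello = build_client_hello([(3, 4), (3, 3)])          # offer TLS 1.3 first, 1.2 as fallback
    print(client_hello_versions(hello))                    # ((3, 3), [(3, 4), (3, 3)])
    print(downgrade_detected(b"\x00" * 24 + DOWNGRD_TLS12, (3, 3)))   # True
```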

Thanks for your response. So this is the reason that several users in Iran have issues with uTLS but do not have issues without it, and the only solution was to force TLS 1.3 in Cloudflare.

How can we fix it to be able to show our traffic similar to Chrome but only have connections with TLS 1.3 (in the client)? And when the GTW sends a request with TLS 1.2 our server acts as a decoy server, and if the GTW alters the connection to force the client to connect with TLS 1.2 it refuses the connection. Is it possible?

No, using Chrome works perfectly for browsing all the websites.

We do not count local websites at all 😁

Great, thanks for your response.

But I cannot understand why. uTLS exists to hide the proxy traffic as the Chrome browser, so how come Chrome works fine but uTLS Chrome doesn't work?

I will continue the conversation with the uTLS team; however, please take into consideration the reality which needs fingerprinting 😉