Xray-core: Bug: Clients using tls 1.2 by default!!???
I found a weird bug: the clients sometimes start the connection with TLS 1.2. I am using Xray v1.8.0.
I have even added minVersion in the TLS settings, but it won’t change this behavior.
Full client configuration:
{
  "log": {
    "access": "",
    "error": "",
    "loglevel": "warning"
  },
  "inbounds": [
    {
      "tag": "socks",
      "port": 10808,
      "listen": "127.0.0.1",
      "protocol": "socks",
      "sniffing": {
        "enabled": true,
        "destOverride": [
          "http",
          "tls"
        ],
        "routeOnly": false
      },
      "settings": {
        "auth": "noauth",
        "udp": true,
        "allowTransparent": false
      }
    },
    {
      "tag": "http",
      "port": 10809,
      "listen": "127.0.0.1",
      "protocol": "http",
      "sniffing": {
        "enabled": true,
        "destOverride": [
          "http",
          "tls"
        ],
        "routeOnly": false
      },
      "settings": {
        "auth": "noauth",
        "udp": true,
        "allowTransparent": false
      }
    }
  ],
  "outbounds": [
    {
      "tag": "proxy",
      "protocol": "vless",
      "settings": {
        "vnext": [
          {
            "address": "hiddify.com",
            "port": 443,
            "users": [
              {
                "id": "e28c1a7e-98a5-4b91-a0e0-96cacf4e1fae",
                "alterId": 0,
                "email": "t@t.tt",
                "security": "auto",
                "encryption": "none",
                "flow": "xtls-rprx-vision"
              }
            ]
          }
        ]
      },
      "streamSettings": {
        "network": "tcp",
        "security": "tls",
        "tlsSettings": {
          "allowInsecure": false,
          "serverName": "hiddify.com",
          "alpn": [
            "http/1.1"
          ],
          "fingerprint": "chrome",
          "show": false,
          "minVersion": "1.3"
        }
      },
      "mux": {
        "enabled": false,
        "concurrency": -1
      }
    },
    {
      "tag": "direct",
      "protocol": "freedom",
      "settings": {}
    },
    {
      "tag": "block",
      "protocol": "blackhole",
      "settings": {
        "response": {
          "type": "http"
        }
      }
    }
  ],
  "routing": {
    "domainStrategy": "AsIs",
    "rules": [
      {
        "type": "field",
        "inboundTag": [
          "api"
        ],
        "outboundTag": "api",
        "enabled": true
      },
      {
        "id": "4721901652305849247",
        "type": "field",
        "outboundTag": "direct",
        "domain": [
          "domain:example.com",
          "domain:example2.com"
        ],
        "enabled": true
      },
      {
        "id": "4964923193273991424",
        "type": "field",
        "outboundTag": "block",
        "domain": [
          "geosite:category-ads-all"
        ],
        "enabled": true
      },
      {
        "id": "5462843772156832822",
        "type": "field",
        "outboundTag": "direct",
        "domain": [
          "geosite:private",
          "geosite:apple@cn",
          "geosite:google@cn",
          "geosite:tld-cn",
          "tld-ir"
        ],
        "enabled": true
      },
      {
        "id": "5632988166244046273",
        "type": "field",
        "outboundTag": "proxy",
        "domain": [
          "geoip:!ir"
        ],
        "enabled": true
      },
      {
        "id": "4874739823930549310",
        "type": "field",
        "outboundTag": "direct",
        "ip": [
          "geoip:private",
          "geoip:cn",
          "geoip:ir"
        ],
        "enabled": true
      },
      {
        "id": "5464678198089768952",
        "type": "field",
        "port": "0-65535",
        "outboundTag": "proxy",
        "enabled": true
      }
    ],
    "balancers": []
  }
}
I think that this behavior may be used to identify proxy servers.
frontend https-in
  bind :443,:::443 v4v6
  mode tcp
  option tcplog
  option dontlognull
  tcp-request inspect-delay 5s
  tcp-request content accept if { req.ssl_hello_type 1 }
  acl tls1_2 req.ssl_ver 3.3
  acl tls1_3 req.ssl_ver 3.4
  use_backend xray if tls1_3
  use_backend xraydecoy if tls1_2
  # tcp-request content reject if tls1_2
  default_backend xraydecoy
About this issue
- State: open
- Created a year ago
- Reactions: 2
- Comments: 15 (15 by maintainers)
However, currently we are facing a problem in Iran. As you mentioned, the problem is with utls, and when we remove utls it works, but that is not a good way.
I do not know what is happening with utls, but I believe we have to be robust against this.
I think you misunderstand my sentence. All Xray servers support TLS 1.3 and that is okay, but if the GTW alters the version, the client should check whether it is altered or not. It is a hope that all implementations of the TLS 1.3 protocol won’t forget to implement the measures against downgrade attacks (checking DOWNGRD).
Thanks for your response. So this is the reason that several users in Iran have issues with utls but do not have issues without it, and the only solution was to force TLS 1.3 in Cloudflare.
How can we fix it so that our traffic looks like Chrome but the client only connects with TLS 1.3? And when the GTW sends a request with TLS 1.2, our server acts as a decoy server, and if the GTW alters the connection to force the client to connect with TLS 1.2, it refuses the connection. Is it possible?
No, using Chrome works perfectly for browsing all the websites.
We do not count local websites at all 😁
Great, thanks for your response.
But I cannot understand why. utls is meant to hide the proxy traffic as the Chrome browser, so how is it that Chrome works fine but utls chrome doesn’t work?
I will continue the conversation with the utls team; however, please take into consideration the reality that needs fingerprinting 😉
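The TLS 1.2/1.3 routing the HAProxy snippet attempts and the decoy behaviour asked about in the comments, as an added example that is not Xray's, HAProxy's or any commenter's code: it parses the version fields of a raw ClientHello and routes on the supported_versions extension, because a TLS 1.3 ClientHello still carries legacy_version 0x0303 (the value a raw-byte check such as req.ssl_ver reports) and announces 1.3 only in supported_versions (RFC 8446 §4.1.2). The sample hellos are constructed inline; the backend names follow the snippet.

```python
import struct

SUPPORTED_VERSIONS_EXT = 43  # extension type of supported_versions (RFC 8446)


def build_client_hello(legacy_version, supported_versions=()):
    """Construct a minimal ClientHello record (sample input, not a real capture)."""
    exts = b""
    if supported_versions:
        body = struct.pack("!B", 2 * len(supported_versions)) + b"".join(
            struct.pack("!H", v) for v in supported_versions)
        exts = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(body)) + body
    hello = (struct.pack("!H", legacy_version) + bytes(32)    # version + random
             + b"\x00"                                         # empty session_id
             + struct.pack("!H", 2) + b"\x13\x01"              # one cipher suite
             + b"\x01\x00"                                     # null compression
             + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def offered_versions(record):
    """Return (legacy_version, highest offered version) of a ClientHello record.
    legacy_version is what a raw check like HAProxy's req.ssl_ver sees; a TLS 1.3
    client leaves it at 0x0303 and announces 1.3 only in supported_versions."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    p = 9                                                 # record + handshake headers
    legacy = struct.unpack_from("!H", record, p)[0]
    p += 2 + 32                                           # legacy_version + random
    p += 1 + record[p]                                    # session_id
    p += 2 + struct.unpack_from("!H", record, p)[0]       # cipher_suites
    p += 1 + record[p]                                    # compression_methods
    highest = legacy
    if p < len(record):                                   # extensions block present
        ext_end = p + 2 + struct.unpack_from("!H", record, p)[0]
        p += 2
        while p < ext_end:
            etype, elen = struct.unpack_from("!HH", record, p)
            p += 4
            if etype == SUPPORTED_VERSIONS_EXT:
                vals = record[p + 1:p + 1 + record[p]]
                highest = max(struct.unpack_from("!H", vals, i)[0]
                              for i in range(0, len(vals), 2))
            p += elen
    return legacy, highest


def backend_for(record):
    """Mirror the HAProxy snippet's routing: TLS 1.3 offered -> xray, else decoy."""
    _, highest = offered_versions(record)
    return "xray" if highest >= 0x0304 else "xraydecoy"
```

A TLS 1.3 hello and a TLS 1.2-only hello both show legacy_version 0x0303 here, so only the supported_versions check separates them.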