Does xtls-rprx-vision still fail to handle the browser TLS-in-TLS fingerprint properly? #1503

Closed · Yiffyi opened this issue Jan 8, 2023 · 13 comments

Yiffyi commented Jan 8, 2023

I recently bought a PVM.HKG.Lite.TINY host from DMIT.io. TCP traceroute tests show the actual route goes out via NTT Tokyo and comes back via China Mobile CMI.
After repeated testing, on this route TLS-in-TLS proxy tools such as Xray (including xtls-rprx-vision) and trojan-go are reliably identified and blocked.
It is quite likely that xtls-rprx-vision still does not properly handle the browser TLS-in-TLS fingerprint.

If in doubt, please read the analysis and conjecture section at the end first.

Configuration on both ends

Server: Xray (v1.7.2, xtls-rprx-vision) + Caddy (fallback)

Client: Xray (v1.7.2, xtls-rprx-vision) + Vivaldi (Chrome 108) / Firefox (the experiments below use Vivaldi, but Firefox, Edge and other browsers reproduce it reliably as well)

Tests

Test procedure:

  1. Start the local and the server Xray
  2. Start tcpdump and wireshark
  3. Use the browser to connect to scholar.google.com (other https sites also reproduce it after a number of visits, but for unknown reasons Google sites are identified and blocked close to 100% of the time)
  4. Shut down, in order, the browser, Xray, tcpdump and wireshark

No active probing was observed during any of the tests.

Explanation of the redacted IP addresses:

192.168.1.2 = local machine
124.91.0.1 = local egress
103.135.0.1 = PVM.HKG.Lite.TINY host
45.77.0.1 = SGP relay

Round 1: local Xray connects directly to PVM.HKG.Lite.TINY

Result: unable to connect (ERR_CONNECTION_TIMED_OUT)

Note: the browser automatically retried three times after the connection timed out

Client configuration

{
    "log": {
        "access": "a.log",
        "error": "e.log",
        "loglevel": "debug"
    },
    "inbounds": [
        {
            "port": 18080,
            "listen": "127.0.0.1",
            "protocol": "http"
        }
    ],
    "outbounds": [
        {
            "protocol": "vless",
            "settings": {
                "vnext": [
                    {
                        "address": "103.135.0.1",
                        "port": 443,
                        "users": [
                            {
                                "id": "c123321   ",
                                "flow": "xtls-rprx-vision",
                                "encryption": "none"
                            }
                        ]
                    }
                ]
            },
            "streamSettings": {
                "network": "tcp",
                "security": "tls",
                "tlsSettings": {
                    "serverName": "cross.yif.fyi",
                    "fingerprint": "firefox",
                    "alpn": ["h2", "http/1.1"]
                }
            },
            "mux": {
                "enabled": false,
                "concurrency": 16
            }
        }
    ],
    "routing": {}
}

Server configuration

{
    "log": {
        "access": "/etc/xray/a.log",
        "error": "/etc/xray/e.log",
        "loglevel": "debug"
    },
    "inbounds": [
        {
            "listen": "0.0.0.0",
            "port": 443,
            "protocol": "vless",
            "settings": {
                "clients": [
                    {
                        "id": "c123321   ",
                        "flow": "xtls-rprx-vision"
                    }
                ],
                "decryption": "none"
            },
            "streamSettings": {
                "network": "tcp",
                "security": "tls",
                "tlsSettings": {
                    "serverName": "cross.yif.fyi",
                    "alpn": [
                        "h2",
                        "http/1.1"
                    ],
                    "certificates": [
                        {
                            "certificateFile": "/caddy/certificates/acme-v02.api.letsencrypt.org-directory/cross.yif.fyi/cross.yif.fyi.crt",
                            "keyFile": "/caddy/certificates/acme-v02.api.letsencrypt.org-directory/cross.yif.fyi/cross.yif.fyi.key"
                        }
                    ]
                }
            }
        }
    ],
    "outbounds": [
        {
            "protocol": "freedom"
        }
    ],
    "routing": {}
}

Client access.log

2023/01/08 21:05:05 127.0.0.1:54279 accepted //scholar.google.com:443
2023/01/08 21:05:26 127.0.0.1:54288 accepted //scholar.google.com:443
2023/01/08 21:05:51 127.0.0.1:54292 accepted //scholar.google.com:443

Client error.log

2023/01/08 21:05:00 [Debug] app/log: Logger started
2023/01/08 21:05:00 [Debug] app/proxyman/inbound: creating stream worker on 127.0.0.1:18080
2023/01/08 21:05:00 [Info] transport/internet/tcp: listening TCP on 127.0.0.1:18080
2023/01/08 21:05:00 [Warning] core: Xray 1.7.2 started
2023/01/08 21:05:05 [Info] [2822591811] proxy/http: request to Method [CONNECT] Host [scholar.google.com:443] with URL [//scholar.google.com:443]
2023/01/08 21:05:05 [Info] [2822591811] app/dispatcher: default route for tcp:scholar.google.com:443
2023/01/08 21:05:05 [Info] [2822591811] transport/internet/tcp: dialing TCP to tcp:103.135.0.1:443
2023/01/08 21:05:05 [Debug] transport/internet: dialing to tcp:103.135.0.1:443
2023/01/08 21:05:05 [Info] [2822591811] proxy/vless/outbound: tunneling request to tcp:scholar.google.com:443 via 103.135.0.1:443
2023/01/08 21:05:05 [Info] [2822591811] proxy/vless/encoding: XtlsFilterTls found tls client hello! 773
2023/01/08 21:05:05 [Info] [2822591811] proxy/vless/encoding: XtlsPadding 773 366 0
2023/01/08 21:05:05 [Info] [2822591811] proxy/vless/encoding: Xtls Unpadding new block0 16 content 379 padding 808 0
2023/01/08 21:05:05 [Info] [2822591811] proxy/vless/encoding: XtlsFilterTls found tls 1.3! 379 TLS_AES_128_GCM_SHA256
2023/01/08 21:05:05 [Info] [2822591811] proxy/vless/encoding: XtlsPadding 74 1036 0
2023/01/08 21:05:05 [Info] [2822591811] proxy/vless/encoding: XtlsPadding 98 1250 2
2023/01/08 21:05:05 [Info] [2822591811] proxy/vless/encoding: XtlsWrite writeV 0 1353 0
2023/01/08 21:05:05 [Info] [2822591811] proxy/vless/encoding: Xtls Unpadding new block0 0 content 964 padding 0 2
2023/01/08 21:05:05 [Info] [2822591811] proxy/vless/encoding: XtlsRead readV
2023/01/08 21:05:25 [Info] [2822591811] app/proxyman/outbound: failed to process outbound traffic > proxy/vless/outbound: connection ends > proxy/vless/outbound: failed to transfer response payload > read tcp 192.168.1.2:54280->103.135.0.1:443: wsarecv: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
2023/01/08 21:05:25 [Info] [2822591811] app/proxyman/inbound: connection ends > proxy/http: connection ends > io: read/write on closed pipe
2023/01/08 21:05:26 [Info] [4098146324] proxy/http: request to Method [CONNECT] Host [scholar.google.com:443] with URL [//scholar.google.com:443]
2023/01/08 21:05:26 [Info] [4098146324] app/dispatcher: default route for tcp:scholar.google.com:443
2023/01/08 21:05:26 [Info] [4098146324] transport/internet/tcp: dialing TCP to tcp:103.135.0.1:443
2023/01/08 21:05:26 [Debug] transport/internet: dialing to tcp:103.135.0.1:443
2023/01/08 21:05:26 [Info] [4098146324] proxy/vless/outbound: tunneling request to tcp:scholar.google.com:443 via 103.135.0.1:443
2023/01/08 21:05:26 [Info] [4098146324] proxy/vless/encoding: XtlsFilterTls found tls client hello! 773
2023/01/08 21:05:26 [Info] [4098146324] proxy/vless/encoding: XtlsPadding 773 521 0
2023/01/08 21:05:26 [Info] [4098146324] proxy/vless/encoding: Xtls Unpadding new block0 16 content 379 padding 988 0
2023/01/08 21:05:26 [Info] [4098146324] proxy/vless/encoding: XtlsFilterTls found tls 1.3! 379 TLS_AES_128_GCM_SHA256
2023/01/08 21:05:26 [Info] [4098146324] proxy/vless/encoding: XtlsPadding 74 1178 0
2023/01/08 21:05:26 [Info] [4098146324] proxy/vless/encoding: XtlsPadding 98 1279 2
2023/01/08 21:05:26 [Info] [4098146324] proxy/vless/encoding: XtlsWrite writeV 0 1382 0
2023/01/08 21:05:26 [Info] [4098146324] proxy/vless/encoding: Xtls Unpadding new block0 0 content 995 padding 0 2
2023/01/08 21:05:26 [Info] [4098146324] proxy/vless/encoding: XtlsRead readV
2023/01/08 21:05:45 [Info] [4098146324] app/proxyman/outbound: failed to process outbound traffic > proxy/vless/outbound: connection ends > proxy/vless/outbound: failed to transfer response payload > read tcp 192.168.1.2:54289->103.135.0.1:443: wsarecv: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
2023/01/08 21:05:45 [Info] [4098146324] app/proxyman/inbound: connection ends > proxy/http: connection ends > io: read/write on closed pipe
2023/01/08 21:05:51 [Info] [233712089] proxy/http: request to Method [CONNECT] Host [scholar.google.com:443] with URL [//scholar.google.com:443]
2023/01/08 21:05:51 [Info] [233712089] app/dispatcher: default route for tcp:scholar.google.com:443
2023/01/08 21:05:51 [Info] [233712089] transport/internet/tcp: dialing TCP to tcp:103.135.0.1:443
2023/01/08 21:05:51 [Debug] transport/internet: dialing to tcp:103.135.0.1:443
2023/01/08 21:05:51 [Info] [233712089] proxy/vless/outbound: tunneling request to tcp:scholar.google.com:443 via 103.135.0.1:443
2023/01/08 21:05:51 [Info] [233712089] proxy/vless/encoding: XtlsFilterTls found tls client hello! 773
2023/01/08 21:05:51 [Info] [233712089] proxy/vless/encoding: XtlsPadding 773 534 0
2023/01/08 21:05:51 [Info] [233712089] proxy/vless/encoding: Xtls Unpadding new block0 16 content 379 padding 810 0
2023/01/08 21:05:51 [Info] [233712089] proxy/vless/encoding: XtlsFilterTls found tls 1.3! 379 TLS_AES_128_GCM_SHA256
2023/01/08 21:05:51 [Info] [233712089] proxy/vless/encoding: XtlsPadding 74 1109 0
2023/01/08 21:05:51 [Info] [233712089] proxy/vless/encoding: XtlsPadding 98 1153 2
2023/01/08 21:05:51 [Info] [233712089] proxy/vless/encoding: XtlsWrite writeV 0 1256 0
2023/01/08 21:05:51 [Info] [233712089] proxy/vless/encoding: Xtls Unpadding new block0 0 content 964 padding 0 2
2023/01/08 21:05:51 [Info] [233712089] proxy/vless/encoding: XtlsRead readV
2023/01/08 21:06:10 [Info] [233712089] app/proxyman/outbound: failed to process outbound traffic > proxy/vless/outbound: connection ends > proxy/vless/outbound: failed to transfer response payload > read tcp 192.168.1.2:54293->103.135.0.1:443: wsarecv: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
2023/01/08 21:06:10 [Info] [233712089] app/proxyman/inbound: connection ends > proxy/http: connection ends > io: read/write on closed pipe
2023/01/08 21:06:42 [Debug] app/log: Logger closing

Server access.log

2023/01/08 21:05:05 124.91.0.1:54280 accepted tcp:scholar.google.com:443
2023/01/08 21:05:26 124.91.0.1:54289 accepted tcp:scholar.google.com:443
2023/01/08 21:05:51 124.91.0.1:54293 accepted tcp:scholar.google.com:443

Server error.log

2023/01/08 21:04:47 [Debug] app/log: Logger started
2023/01/08 21:04:47 [Debug] app/proxyman/inbound: creating stream worker on 0.0.0.0:443
2023/01/08 21:04:47 [Info] transport/internet/tcp: listening TCP on 0.0.0.0:443
2023/01/08 21:04:47 [Warning] core: Xray 1.7.2 started
2023/01/08 21:05:05 [Info] [513723113] proxy/vless/inbound: firstLen = 1186
2023/01/08 21:05:05 [Info] [513723113] proxy/vless/inbound: received request for tcp:scholar.google.com:443
2023/01/08 21:05:05 [Info] [513723113] app/dispatcher: default route for tcp:scholar.google.com:443
2023/01/08 21:05:05 [Info] [513723113] proxy/freedom: opening connection to tcp:scholar.google.com:443
2023/01/08 21:05:05 [Info] [513723113] transport/internet/tcp: dialing TCP to tcp:scholar.google.com:443
2023/01/08 21:05:05 [Debug] transport/internet: dialing to tcp:scholar.google.com:443
2023/01/08 21:05:05 [Info] [513723113] proxy/vless/encoding: Xtls Unpadding new block0 16 content 773 padding 366 0
2023/01/08 21:05:05 [Info] [513723113] proxy/vless/encoding: XtlsFilterTls found tls client hello! 773
2023/01/08 21:05:05 [Info] [513723113] proxy/vless/encoding: XtlsFilterTls found tls 1.3! 379 TLS_AES_128_GCM_SHA256
2023/01/08 21:05:05 [Info] [513723113] proxy/vless/encoding: XtlsPadding 379 808 0
2023/01/08 21:05:05 [Info] [513723113] proxy/vless/encoding: Xtls Unpadding new block0 0 content 74 padding 1036 0
2023/01/08 21:05:05 [Info] [513723113] proxy/vless/encoding: XtlsPadding 964 0 2
2023/01/08 21:05:05 [Info] [513723113] proxy/vless/encoding: XtlsWrite writeV 0 969 0
2023/01/08 21:05:05 [Info] [513723113] proxy/vless/encoding: Xtls Unpadding new block0 0 content 98 padding 1250 2
2023/01/08 21:05:05 [Info] [513723113] proxy/vless/encoding: XtlsRead readV
2023/01/08 21:05:25 [Info] [513723113] app/proxyman/inbound: connection ends > proxy/vless/inbound: connection ends > proxy/vless/inbound: failed to transfer request payload > read tcp 103.135.0.1:443->124.91.0.1:54280: read: connection reset by peer
2023/01/08 21:05:26 [Info] [1898714411] proxy/vless/inbound: firstLen = 1186
2023/01/08 21:05:26 [Info] [1898714411] proxy/vless/inbound: received request for tcp:scholar.google.com:443
2023/01/08 21:05:26 [Info] [1898714411] app/dispatcher: default route for tcp:scholar.google.com:443
2023/01/08 21:05:26 [Info] [1898714411] proxy/freedom: opening connection to tcp:scholar.google.com:443
2023/01/08 21:05:26 [Info] [1898714411] transport/internet/tcp: dialing TCP to tcp:scholar.google.com:443
2023/01/08 21:05:26 [Debug] transport/internet: dialing to tcp:scholar.google.com:443
2023/01/08 21:05:26 [Info] [1898714411] proxy/vless/encoding: Xtls Unpadding new block0 16 content 773 padding 521 0
2023/01/08 21:05:26 [Info] [1898714411] proxy/vless/encoding: XtlsFilterTls found tls client hello! 773
2023/01/08 21:05:26 [Info] [1898714411] proxy/vless/encoding: XtlsFilterTls found tls 1.3! 379 TLS_AES_128_GCM_SHA256
2023/01/08 21:05:26 [Info] [1898714411] proxy/vless/encoding: XtlsPadding 379 988 0
2023/01/08 21:05:26 [Info] [1898714411] proxy/vless/encoding: Xtls Unpadding new block0 0 content 74 padding 1178 0
2023/01/08 21:05:26 [Info] [1898714411] proxy/vless/encoding: Xtls Unpadding new block0 0 content 98 padding 1279 2
2023/01/08 21:05:26 [Info] [1898714411] proxy/vless/encoding: XtlsRead readV
2023/01/08 21:05:26 [Info] [1898714411] proxy/vless/encoding: XtlsPadding 995 0 2
2023/01/08 21:05:26 [Info] [1898714411] proxy/vless/encoding: XtlsWrite writeV 0 1000 0
2023/01/08 21:05:45 [Info] [1898714411] app/proxyman/inbound: connection ends > proxy/vless/inbound: connection ends > proxy/vless/inbound: failed to transfer request payload > read tcp 103.135.0.1:443->124.91.0.1:54289: read: connection reset by peer
2023/01/08 21:05:51 [Info] [1397549088] proxy/vless/inbound: firstLen = 1186
2023/01/08 21:05:51 [Info] [1397549088] proxy/vless/inbound: received request for tcp:scholar.google.com:443
2023/01/08 21:05:51 [Info] [1397549088] app/dispatcher: default route for tcp:scholar.google.com:443
2023/01/08 21:05:51 [Info] [1397549088] proxy/freedom: opening connection to tcp:scholar.google.com:443
2023/01/08 21:05:51 [Info] [1397549088] transport/internet/tcp: dialing TCP to tcp:scholar.google.com:443
2023/01/08 21:05:51 [Debug] transport/internet: dialing to tcp:scholar.google.com:443
2023/01/08 21:05:51 [Info] [1397549088] proxy/vless/encoding: Xtls Unpadding new block0 16 content 773 padding 534 0
2023/01/08 21:05:51 [Info] [1397549088] proxy/vless/encoding: XtlsFilterTls found tls client hello! 773
2023/01/08 21:05:51 [Info] [1397549088] proxy/vless/encoding: XtlsFilterTls found tls 1.3! 379 TLS_AES_128_GCM_SHA256
2023/01/08 21:05:51 [Info] [1397549088] proxy/vless/encoding: XtlsPadding 379 810 0
2023/01/08 21:05:51 [Info] [1397549088] proxy/vless/encoding: Xtls Unpadding new block0 0 content 74 padding 1109 0
2023/01/08 21:05:51 [Info] [1397549088] proxy/vless/encoding: Xtls Unpadding new block0 0 content 98 padding 1153 2
2023/01/08 21:05:51 [Info] [1397549088] proxy/vless/encoding: XtlsRead readV
2023/01/08 21:05:51 [Info] [1397549088] proxy/vless/encoding: XtlsPadding 964 0 2
2023/01/08 21:05:51 [Info] [1397549088] proxy/vless/encoding: XtlsWrite writeV 0 969 0
2023/01/08 21:06:10 [Info] [1397549088] app/proxyman/inbound: connection ends > proxy/vless/inbound: connection ends > proxy/vless/inbound: failed to transfer request payload > read tcp 103.135.0.1:443->124.91.0.1:54293: read: connection reset by peer

Client and server pcaps are attached here.
r1-client-443.zip
r1-server-443.zip

Round 2: connecting to PVM.HKG.Lite.TINY through a relay

Port 443 of PVM.HKG.Lite.TINY was mapped to local localhost:443 through an SSH tunnel (via the SGP relay), and Xray was configured to connect to that

Result: connects normally

I won't paste the JSON config; only the address was changed

Client access.log

2023/01/08 21:12:15 127.0.0.1:54366 accepted //scholar.google.com:443

Client error.log

2023/01/08 21:11:59 [Debug] app/log: Logger started
2023/01/08 21:11:59 [Debug] app/proxyman/inbound: creating stream worker on 127.0.0.1:18080
2023/01/08 21:11:59 [Info] transport/internet/tcp: listening TCP on 127.0.0.1:18080
2023/01/08 21:11:59 [Warning] core: Xray 1.7.2 started
2023/01/08 21:12:15 [Info] [2412398155] proxy/http: request to Method [CONNECT] Host [scholar.google.com:443] with URL [//scholar.google.com:443]
2023/01/08 21:12:15 [Info] [2412398155] app/dispatcher: default route for tcp:scholar.google.com:443
2023/01/08 21:12:15 [Info] [2412398155] transport/internet/tcp: dialing TCP to tcp:localhost:443
2023/01/08 21:12:15 [Debug] transport/internet: dialing to tcp:localhost:443
2023/01/08 21:12:16 [Info] [2412398155] proxy/vless/outbound: tunneling request to tcp:scholar.google.com:443 via localhost:443
2023/01/08 21:12:16 [Info] [2412398155] proxy/vless/encoding: XtlsFilterTls found tls client hello! 773
2023/01/08 21:12:16 [Info] [2412398155] proxy/vless/encoding: XtlsPadding 773 408 0
2023/01/08 21:12:16 [Info] [2412398155] proxy/vless/encoding: Xtls Unpadding new block0 16 content 379 padding 961 0
2023/01/08 21:12:16 [Info] [2412398155] proxy/vless/encoding: XtlsFilterTls found tls 1.3! 379 TLS_AES_128_GCM_SHA256
2023/01/08 21:12:16 [Info] [2412398155] proxy/vless/encoding: XtlsPadding 74 846 0
2023/01/08 21:12:16 [Info] [2412398155] proxy/vless/encoding: XtlsPadding 98 983 2
2023/01/08 21:12:16 [Info] [2412398155] proxy/vless/encoding: XtlsWrite writeV 0 1086 0
2023/01/08 21:12:16 [Info] [2412398155] proxy/vless/encoding: Xtls Unpadding new block0 0 content 995 padding 0 2
2023/01/08 21:12:16 [Info] [2412398155] proxy/vless/encoding: XtlsRead readV
2023/01/08 21:12:53 [Debug] app/log: Logger closing

Server access.log

2023/01/08 21:12:16 45.77.0.1:54278 accepted tcp:scholar.google.com:443

Server error.log

2023/01/08 21:11:51 [Debug] app/log: Logger started
2023/01/08 21:11:51 [Debug] app/proxyman/inbound: creating stream worker on 0.0.0.0:443
2023/01/08 21:11:51 [Info] transport/internet/tcp: listening TCP on 0.0.0.0:443
2023/01/08 21:11:52 [Warning] core: Xray 1.7.2 started
2023/01/08 21:12:16 [Info] [2622049850] proxy/vless/inbound: firstLen = 1186
2023/01/08 21:12:16 [Info] [2622049850] proxy/vless/inbound: received request for tcp:scholar.google.com:443
2023/01/08 21:12:16 [Info] [2622049850] app/dispatcher: default route for tcp:scholar.google.com:443
2023/01/08 21:12:16 [Info] [2622049850] proxy/freedom: opening connection to tcp:scholar.google.com:443
2023/01/08 21:12:16 [Info] [2622049850] transport/internet/tcp: dialing TCP to tcp:scholar.google.com:443
2023/01/08 21:12:16 [Debug] transport/internet: dialing to tcp:scholar.google.com:443
2023/01/08 21:12:16 [Info] [2622049850] proxy/vless/encoding: Xtls Unpadding new block0 16 content 773 padding 408 0
2023/01/08 21:12:16 [Info] [2622049850] proxy/vless/encoding: XtlsFilterTls found tls client hello! 773
2023/01/08 21:12:16 [Info] [2622049850] proxy/vless/encoding: XtlsFilterTls found tls 1.3! 379 TLS_AES_128_GCM_SHA256
2023/01/08 21:12:16 [Info] [2622049850] proxy/vless/encoding: XtlsPadding 379 961 0
2023/01/08 21:12:16 [Info] [2622049850] proxy/vless/encoding: Xtls Unpadding new block0 0 content 74 padding 846 0
2023/01/08 21:12:16 [Info] [2622049850] proxy/vless/encoding: Xtls Unpadding new block0 0 content 98 padding 983 2
2023/01/08 21:12:16 [Info] [2622049850] proxy/vless/encoding: XtlsRead readV
2023/01/08 21:12:16 [Info] [2622049850] proxy/vless/encoding: XtlsPadding 995 0 2
2023/01/08 21:12:16 [Info] [2622049850] proxy/vless/encoding: XtlsWrite writeV 0 1000 0

pcap attached here
r2-server-443.zip

Analysis and conjecture

Is this an unknown bug in the Xray implementation?

With the SSH relay, the problem disappears.
With flow disabled, it is still blocked, with similar symptoms.
Switching to trojan-go, it is still blocked, with similar symptoms.
Rebuilding the same configuration directly on the SGP relay, the connection is not blocked.

This is essentially enough to show that it is not an Xray implementation problem.

Why do I say TLS-in-TLS is being identified?

First, visiting http sites is not blocked.
Also, setting tlsSettings -> fingerprint in Xray or changing cipherSuites has no effect.
Second, using curl instead of the browser is not blocked (presumably because the fingerprint differs).
The curl version tested was curl 7.84.0 (i686-pc-cygwin) libcurl/7.84.0 OpenSSL/1.1.1q zlib/1.2.12 libssh2/1.10.0; the command was HTTPS_PROXY=http://localhost:18080 curl -o /dev/null -vv https://scholar.google.com
Furthermore, even on the same server and port, when one particular Xray connection is blocked, other Xray connections are unaffected, and new Xray proxy connections can still be established locally.

Also, since rebuilding the same configuration directly on the SGP relay was not blocked, it is quite possible that this detection mechanism is in a gradual rollout and is very likely to be deployed more widely later.
Given its frightening accuracy, this is very dangerous.

That said, this conjecture is for reference only. If it turns out to be something else, all the better.
If the dev team needs it, I can provide access to this server.
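
The Vision debug lines quoted above are the easiest place to confirm that the proxy layer itself behaved the same in the failing and the succeeding round. The script below is an added example, not code from the Xray project or from the issue: it parses the `XtlsPadding a b c` and `Xtls Unpadding new block0 n content a padding b c` lines that Xray 1.7.2 prints at loglevel debug and checks that every block padded on one end is unpadded with the same content/padding lengths on the other. The sample lines are the first round-1 connection from the logs above; the third number on each line is carried through but not interpreted (assumption: it is a per-block flag this check does not depend on).

```python
"""Cross-check Xray Vision padding between client and server debug logs.

Added example; not part of Xray. Reads the `XtlsPadding`/`Xtls Unpadding`
lines from both ends of one connection and verifies they mirror each other.
"""
import re
from dataclasses import dataclass

PAD_RE = re.compile(r"XtlsPadding (\d+) (\d+) (\d+)")
UNPAD_RE = re.compile(r"Xtls Unpadding new block0 \d+ content (\d+) padding (\d+) (\d+)")
HELLO_RE = re.compile(r"found tls client hello! (\d+)")
TLS13_RE = re.compile(r"found tls 1\.3! (\d+) (\S+)")


@dataclass(frozen=True)
class Block:
    content: int   # bytes of real payload in the Vision block
    padding: int   # bytes of padding appended to it
    tail: int      # third field on the log line; carried through, not interpreted (assumption)


def parse(log):
    """Return (padded, unpadded, hello_len, tls13_suite) for one connection's log."""
    padded, unpadded, hello, suite = [], [], None, None
    for line in log.splitlines():
        m = PAD_RE.search(line)
        if m:
            padded.append(Block(int(m[1]), int(m[2]), int(m[3])))
            continue
        m = UNPAD_RE.search(line)
        if m:
            unpadded.append(Block(int(m[1]), int(m[2]), int(m[3])))
            continue
        m = HELLO_RE.search(line)
        if m:
            hello = int(m[1])
            continue
        m = TLS13_RE.search(line)
        if m:
            suite = m[2]
    return padded, unpadded, hello, suite


def check_tunnel(client_log, server_log):
    """Blocks the client padded must equal blocks the server unpadded, and vice versa."""
    c_pad, c_unpad, c_hello, c_suite = parse(client_log)
    s_pad, s_unpad, s_hello, s_suite = parse(server_log)
    return {
        "c2s_ok": c_pad == s_unpad,
        "s2c_ok": s_pad == c_unpad,
        "client_hello_len": c_hello if c_hello == s_hello else None,
        "suite": c_suite if c_suite == s_suite else None,
        "c2s_blocks": len(c_pad),
        "s2c_blocks": len(s_pad),
    }


# Encoding lines of round 1, connection 2822591811 (client) / 513723113 (server), from the issue.
CLIENT_LOG = """\
2023/01/08 21:05:05 [Info] [2822591811] proxy/vless/encoding: XtlsFilterTls found tls client hello! 773
2023/01/08 21:05:05 [Info] [2822591811] proxy/vless/encoding: XtlsPadding 773 366 0
2023/01/08 21:05:05 [Info] [2822591811] proxy/vless/encoding: Xtls Unpadding new block0 16 content 379 padding 808 0
2023/01/08 21:05:05 [Info] [2822591811] proxy/vless/encoding: XtlsFilterTls found tls 1.3! 379 TLS_AES_128_GCM_SHA256
2023/01/08 21:05:05 [Info] [2822591811] proxy/vless/encoding: XtlsPadding 74 1036 0
2023/01/08 21:05:05 [Info] [2822591811] proxy/vless/encoding: XtlsPadding 98 1250 2
2023/01/08 21:05:05 [Info] [2822591811] proxy/vless/encoding: XtlsWrite writeV 0 1353 0
2023/01/08 21:05:05 [Info] [2822591811] proxy/vless/encoding: Xtls Unpadding new block0 0 content 964 padding 0 2
"""
SERVER_LOG = """\
2023/01/08 21:05:05 [Info] [513723113] proxy/vless/encoding: Xtls Unpadding new block0 16 content 773 padding 366 0
2023/01/08 21:05:05 [Info] [513723113] proxy/vless/encoding: XtlsFilterTls found tls client hello! 773
2023/01/08 21:05:05 [Info] [513723113] proxy/vless/encoding: XtlsFilterTls found tls 1.3! 379 TLS_AES_128_GCM_SHA256
2023/01/08 21:05:05 [Info] [513723113] proxy/vless/encoding: XtlsPadding 379 808 0
2023/01/08 21:05:05 [Info] [513723113] proxy/vless/encoding: Xtls Unpadding new block0 0 content 74 padding 1036 0
2023/01/08 21:05:05 [Info] [513723113] proxy/vless/encoding: XtlsPadding 964 0 2
2023/01/08 21:05:05 [Info] [513723113] proxy/vless/encoding: XtlsWrite writeV 0 969 0
2023/01/08 21:05:05 [Info] [513723113] proxy/vless/encoding: Xtls Unpadding new block0 0 content 98 padding 1250 2
"""

if __name__ == "__main__":
    print(check_tunnel(CLIENT_LOG, SERVER_LOG))
```

Running it on the round-1 and round-2 logs gives the same result: three client-to-server blocks and two server-to-client blocks, all mirrored exactly, a 773-byte ClientHello and TLS_AES_128_GCM_SHA256 detected on both ends. The tunnel encoding is identical in the round that times out and the round that works, which is what points the investigation at the path rather than at Xray.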

cross-hello (Contributor) commented Jan 8, 2023 via email

cross-hello (Contributor) commented Jan 8, 2023 via email

SQLimit commented Jan 8, 2023

My setup is basically the same as yours, also dmit hk lite, and the IP ranges look close. About a month ago, though, I was on VLESS TCP TLS, visited Google and Google Scholar often, and got blocked within two or three days. Before and after that I used caddy reverse-proxying ws, http/2, grpc and so on, which stayed stable for several months without trouble, so you could try a reverse proxy. Seeing your symptoms together with my own situation, I feel that at least on the dmit hk lite IP range, or on this route, server fingerprinting is the major factor rather than TLS feature detection. Also, I've now started using vision too; it's fine so far, we'll see later.

missyea commented Jan 8, 2023

Most likely a route problem; don't be so eager to make big news...

cross-hello (Contributor):
This is a special characteristic of Google's websites.
[image]

You can fix it by changing the server's outbound IP (we use Cloudflare WARP as the Google outbound, so each time we need to restart WARP).
Then you can connect.
[image]

Yiffyi (Author) commented Jan 9, 2023

Thanks for joining the discussion.
@cross-hello This is not about the outbound ip. Please take a look at the test round 2. In this case, the outbound ip is the same.
Round 1: Xray -> HKG -> Google (Failed)
Round 2: Xray -> SGP(SSH Tunnel) -> HKG -> Google (OK)

@cross-hello About MUX:

  1. xtls cannot work with mux
  2. Actually, each time we open a website, the first connection goes alone.

With flow disabled and mux enabled:

  1. I tried other sites (github.com); it could work for a period of time.
  2. After accessing scholar.google.com with the browser (curl won't trigger it, as before), this mux link was completely blocked.
  3. After the mux link was blocked, other sites (like github.com) didn't work either.
  4. Restart Xray (establish a new mux link), and other sites worked again.

@missyea @SQLimit A route problem or server fingerprinting cannot explain why the browser and curl produce different results.

RPRX (Member) commented Jan 9, 2023

This problem is quite interesting. According to your latest report, it looks like, with any proxy protocol, visiting Google Scholar at any time causes the connection to be cut (even with mux enabled)

> Second, using curl instead of the browser is not blocked (presumably because the fingerprint differs).

If curl can access it reliably, please use wireshark to capture the proxy's TCP stream during a curl visit and analyse how it differs from a browser visit

RPRX (Member) commented Jan 9, 2023

Also, please test whether, with mux enabled, visiting Google Scholar with curl eventually causes the mux TCP connection to be cut; observe for a while

yuhan6665 (Member):

Quite interesting. Could it be related to dmit's egress? That is, the GFW is using something like the method it uses to detect proxied traffic heading back into China.
The next step in narrowing it down would be to add warp at dmit's egress, or to forward to another landing server

Yiffyi (Author) commented Jan 12, 2023

Update:
After analysing the pcaps, I found that only large outbound packets from the client are dropped.
After decrypting the TLS with sslkeylog, the cause became clear:
Because the Google Scholar site stores a large number of cookies, the first outbound HTTP request packet is fairly large (~1500).
For unknown reasons there is a PMTU < 1500 somewhere on the outbound route, and packets are dropped without an ICMP reply (PMTU blackhole), so the large outbound packets end up being discarded.
When accessing with curl, no cookies are sent, so the outbound packets stay small.

Sorry for the trouble, everyone (I was baffled for a week too)
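
The signature the update describes is mechanical enough to check for before suspecting DPI: outbound segments above some size are retransmitted and never ACKed, everything smaller is fine, and no ICMP "fragmentation needed" ever arrives. The script below is an added example, not code from the issue or from Xray. It takes a per-segment summary of a capture (the kind of thing you would export from Wireshark's tcp.analysis fields, or compute from a pcap) and returns a verdict plus the bracket the path MTU must fall in. The segment list is constructed to mimic round 1 (a ~1.5 KB first HTTPS request behind a hop with a smaller MTU); the exact sizes are made up, and the 52-byte IPv4+TCP header figure is an assumption.

```python
"""Triage an outbound TCP stream for the PMTU-blackhole signature.

Added example; not from the issue or from Xray. Sizes in the sample data are
constructed, not taken from the attached pcaps.
"""
from dataclasses import dataclass

IPV4_TCP_HDR = 52   # assumption: 20 B IPv4 + 32 B TCP with timestamp option
BASE_HDR = 40       # IPv4 + TCP without options; what an MSS value is computed against


@dataclass
class Seg:
    seq: int       # relative sequence number of the first payload byte
    payload: int   # TCP payload bytes
    df: bool       # IP Don't-Fragment bit set
    sends: int     # original transmission + retransmissions observed

    @property
    def frame(self):
        """IP packet size on the wire."""
        return self.payload + IPV4_TCP_HDR


@dataclass
class Capture:
    outbound: list            # client -> proxy segments, in send order
    acked_upto: int           # highest cumulative ACK received from the proxy
    icmp_frag_needed: bool    # any ICMP type 3 / code 4 seen for this flow


def triage(cap):
    """Classify the stream; returns a dict whose 'verdict' key is one of
    no_loss, pmtud_working, loss_not_size_correlated, pmtu_blackhole."""
    delivered = [s for s in cap.outbound if s.seq + s.payload <= cap.acked_upto]
    # Segments that were retransmitted and still never covered by an ACK.
    stuck = [s for s in cap.outbound
             if s.seq + s.payload > cap.acked_upto and s.sends > 1]
    if not stuck:
        return {"verdict": "no_loss"}
    if cap.icmp_frag_needed:
        # The sender was told to shrink; a blackhole by definition gives no ICMP.
        return {"verdict": "pmtud_working"}
    biggest_ok = max((s.frame for s in delivered), default=0)
    smallest_stuck = min(s.frame for s in stuck)
    # Blackhole means the loss is purely a function of size: every lost frame
    # is larger than every delivered frame, and DF was set so nothing fragmented.
    if smallest_stuck <= biggest_ok or not all(s.df for s in stuck):
        return {"verdict": "loss_not_size_correlated"}
    return {
        "verdict": "pmtu_blackhole",
        "mtu_at_least": biggest_ok,          # this frame size got through
        "mtu_below": smallest_stuck,         # this one never did
        "safe_mss": biggest_ok - BASE_HDR,   # clamp value known to fit the path
    }


# Constructed: browser session from round 1. Handshake-sized segments are
# ACKed, the cookie-laden first request (1460 B payload) is retransmitted and
# never ACKed, and a later small segment is merely blocked behind it.
ROUND1 = Capture(
    outbound=[
        Seg(0, 1239, True, 1),
        Seg(1239, 200, True, 1),
        Seg(1439, 1460, True, 5),
        Seg(2899, 120, True, 1),
    ],
    acked_upto=1439,
    icmp_frag_needed=False,
)

# Constructed: curl session, no cookies, every segment small, everything ACKed.
CURL_LIKE = Capture(
    outbound=[Seg(0, 1239, True, 1), Seg(1239, 200, True, 1), Seg(1439, 420, True, 1)],
    acked_upto=1859,
    icmp_frag_needed=False,
)

# Same loss pattern as ROUND1 but the router did send ICMP: not a blackhole.
WITH_ICMP = Capture(ROUND1.outbound, ROUND1.acked_upto, True)

if __name__ == "__main__":
    for name, cap in [("round1", ROUND1), ("curl", CURL_LIKE), ("with_icmp", WITH_ICMP)]:
        print(name, triage(cap))
```

For the round-1 sample the verdict is pmtu_blackhole with the path MTU somewhere in [1291, 1512), and the curl-style stream reports no_loss, which is exactly the browser-versus-curl split seen in the thread. On Linux the bracket can be confirmed directly with `ping -M do -s 1484 <proxy-ip>` (1512 minus 28 bytes of IP and ICMP header; should fail silently) against `ping -M do -s 1263 <proxy-ip>` (should succeed), or with `tracepath`. The usual fixes are `sysctl net.ipv4.tcp_mtu_probing=1` on the client so TCP recovers from the blackhole on its own, or an MSS clamp on the egress router (`iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss <safe_mss>`).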

Yiffyi closed this as completed Jan 12, 2023

cross-hello (Contributor) commented Jan 12, 2023 via email

Yiffyi (Author) commented Jan 12, 2023 via email

cross-hello (Contributor) commented Jan 12, 2023 via email
