Xray-core
Is the TLS part of xray still work in progress?
haproxy: 2.2, v2fly: 4.36.2, xray: 1.4.2
My old setup was v2fly -(internet)-> haproxy -> v2fly. I am preparing to move to xray -(internet)-> haproxy -> xray, i.e. both client and server move to xray.
During the migration I kept the original settings first; vless-ws-tls works normally on v2fly,
but after moving to xray, haproxy shows:
[11/Apr/2021:13:26:40.856] in-02/1: SSL handshake failure
xray client error.log
2021/04/11 13:26:40 [Info] [2884941005] transport/internet/websocket: creating connection to tcp:{fqdn}:443
2021/04/11 13:26:40 [Debug] transport/internet: dialing to tcp:{fqdn}:443
haproxy
global
    # modern configuration
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets
    ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets

frontend in-02
    mode http
    bind :443 ssl crt crt.pem alpn h2,http/1.1
client.json
{
  "tag": "out.vl_ws",
  "protocol": "vless",
  "settings": {
    "vnext": [{
      "address": "{fqdn}",
      "port": 443,
      "users": [{
        "id": "{UUID}",
        "encryption": "none"
      }]
    }]
  },
  "streamSettings": {
    "sockopt": {
      "mark": 255
    },
    "network": "ws",
    "wsSettings": {
      "path": "/ws/"
    },
    "security": "tls",
    "tlsSettings": {
      "allowInsecure": true
    }
  }
}
I have also tested with the haproxy settings lowered (still fails):
global
    # intermediate configuration
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
My certificate is ECDSA; I also switched back to RSA 2048 for testing (still fails).
===== 2021.04.13 07:20 update ===== Narrowed down to the xray TLS client cert
===== 2021.04.13 20:35 update ===== Everything that can be tested has been tested
===== 2021.04.14 20:24 update ===== I believe I have found the problem; it is definitely in the xray TLS part.
Server-side logs?
None, because it does not get past haproxy.
@kingwilliam please use TCP port forwarding instead, and here is my configuration file:
global
    daemon

defaults
    mode tcp
    retries 3
    timeout connect 5s
    timeout client 24h
    timeout server 24h

frontend v2ray-in
    mode tcp
    bind 0.0.0.0:80
    default_backend v2ray

backend v2ray
    mode tcp
    option tcp-check
    balance source # roundrobin for load balance, but it failed
    server 0 check inter 1000 rise 3 fall 2 weight 2
    server 1 check inter 1000 rise 3 fall 2 weight 1
Thank you for your advice, but this configuration is not my first choice, because I want to do the TLS decryption at haproxy and use different paths to reach different backends.
@kingwilliam I guess you should use nginx or caddy instead; I use haproxy as its name suggests.
Narrowed down to the xray TLS client cert
- It was my insufficient understanding of haproxy: systemctl restart haproxy is not the same as stop followed by start.
- The problem is still in the TLS part.
- If haproxy does not have "verify required ca-file CA.pem", all connections work perfectly, but as soon as verify is added, SSL handshake failure appears.
- On v2fly it works normally.
haproxy.cfg
frontend in-02
    mode http
    bind :443 ssl crt crt.pem verify required ca-file CA.pem
config.json outbound
"streamSettings": {
  "sockopt": {
    "mark": 255
  },
  "network": "ws",
  "wsSettings": {
    "path": "/ws/"
  },
  "security": "tls",
  "tlsSettings": {
    "certificates": [{
      "usage": "encipherment", // <- makes no difference with or without this
      "certificateFile": "client_crt.pem",
      "keyFile": "client_key.pem"
    }]
  }
}
Everything that can be tested has been tested
As soon as "verify required ca-file CA.pem" is added to bind, SSL handshake failure occurs. I can only wait for the development team to find where the problem is.
openssl verify -CAfile CA.pem client_crt.pem
client_crt.pem: OK
I believe I have found the problem; it is definitely in the xray TLS part.
The server side uses gost for listening
# gost -L="socks5+tls://:3080?cert=crt.pem&key=key.pem&secure=true&ca=ca.pem"
v2fly and xray use the same config.json
outbounds
{
  "tag": "out.s5",
  "protocol": "socks",
  "settings": {
    "servers": [
      {
        "address": "127.0.0.1",
        "port": 3080
      }
    ]
  },
  "streamSettings": {
    "sockopt": {
      "mark": 255
    },
    "network": "tcp",
    "security": "tls",
    "tlsSettings": {
      "allowInsecure": true,
      "certificates": [
        {
          "certificateFile": "client.crt",
          "keyFile": "client.key"
        }
      ]
    }
  }
}
Tested by browsing to www.myip.com
With v2fly it works normally, and gost gives the following log
2021/04/14 20:04:15 route.go:650: socks5+tls://:3080 on [::]:3080
2021/04/14 20:04:17 socks.go:888: [socks5] 127.0.0.1:44922 -> socks5+tls://:3080 -> ajax.googleapis.com:443
2021/04/14 20:04:17 socks.go:940: [route] 127.0.0.1:44922 -> socks5+tls://:3080 -> ajax.googleapis.com:443
2021/04/14 20:04:17 socks.go:888: [socks5] 127.0.0.1:44918 -> socks5+tls://:3080 -> www.myip.com:443
2021/04/14 20:04:17 socks.go:940: [route] 127.0.0.1:44918 -> socks5+tls://:3080 -> www.myip.com:443
2021/04/14 20:04:17 socks.go:975: [socks5] 127.0.0.1:44922 <-> ajax.googleapis.com:443
2021/04/14 20:04:17 socks.go:888: [socks5] 127.0.0.1:44920 -> socks5+tls://:3080 -> maxcdn.bootstrapcdn.com:443
2021/04/14 20:04:17 socks.go:940: [route] 127.0.0.1:44920 -> socks5+tls://:3080 -> maxcdn.bootstrapcdn.com:443
2021/04/14 20:04:17 socks.go:975: [socks5] 127.0.0.1:44920 <-> maxcdn.bootstrapcdn.com:443
2021/04/14 20:04:17 socks.go:888: [socks5] 127.0.0.1:44916 -> socks5+tls://:3080 -> www.gstatic.com:443
2021/04/14 20:04:17 socks.go:940: [route] 127.0.0.1:44916 -> socks5+tls://:3080 -> www.gstatic.com:443
2021/04/14 20:04:17 socks.go:975: [socks5] 127.0.0.1:44918 <-> www.myip.com:443
2021/04/14 20:04:17 socks.go:975: [socks5] 127.0.0.1:44916 <-> www.gstatic.com:443
But with xray, gost gives the following log
2021/04/14 20:03:53 route.go:650: socks5+tls://:3080 on [::]:3080
2021/04/14 20:03:58 socks.go:854: [socks5] 127.0.0.1:44908 -> 127.0.0.1:3080 : tls: client didn't provide a certificate
2021/04/14 20:03:58 socks.go:854: [socks5] 127.0.0.1:44910 -> 127.0.0.1:3080 : tls: client didn't provide a certificate
2021/04/14 20:03:58 socks.go:854: [socks5] 127.0.0.1:44912 -> 127.0.0.1:3080 : tls: client didn't provide a certificate
2021/04/14 20:03:58 socks.go:854: [socks5] 127.0.0.1:44914 -> 127.0.0.1:3080 : tls: client didn't provide a certificate
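The gost message "tls: client didn't provide a certificate" is the error Go's crypto/tls server returns when it requires a client certificate and the client's Certificate message is empty. The following is an added example, not code from this thread or from the Xray or gost projects: it builds a throwaway CA, server and client identity in memory, runs a server with tls.RequireAndVerifyClientCert on loopback (the equivalent of haproxy's "verify required ca-file" and gost's secure=true), and dials it once with and once without a client certificate, so the two outcomes seen above can be reproduced without either proxy. Names such as mkCert and Demo are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// mkCert issues a throwaway ECDSA P-256 certificate for 127.0.0.1; self-signed when parent is nil.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // distinct enough for a demo PKI
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}, // ClientAuth is what the server checks
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// handshake runs one TLS handshake over loopback and returns the server-side error (nil = client accepted).
func handshake(serverCfg, clientCfg *tls.Config) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	check(err)
	defer ln.Close()
	result := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		check(err)
		defer raw.Close()
		result <- tls.Server(raw, serverCfg).Handshake()
	}()
	// Under TLS 1.3 the client finishes before the server has read its Certificate message,
	// so Dial can succeed even when the server is about to reject the connection.
	if conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg); err == nil {
		conn.Close()
	}
	return <-result
}

// MissingClientCert matches crypto/tls's error for an empty client Certificate
// message, the exact string in the gost log above.
func MissingClientCert(err error) bool {
	return err != nil && strings.Contains(err.Error(), "client didn't provide a certificate")
}

// Demo builds a CA plus server and client identities, then dials a server that
// requires a verified client certificate, once with the client cert and once without.
func Demo() (withCert, withoutCert error) {
	caCert, caKey := mkCert("demo CA", true, nil, nil)
	srvCert, srvKey := mkCert("server", false, caCert, caKey)
	cliCert, cliKey := mkCert("client", false, caCert, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	serverCfg := &tls.Config{
		Certificates:           []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}},
		ClientAuth:             tls.RequireAndVerifyClientCert, // haproxy "verify required ca-file", gost secure=true
		ClientCAs:              pool,
		SessionTicketsDisabled: true, // same idea as haproxy's no-tls-tickets
	}
	client := &tls.Config{RootCAs: pool, ServerName: "127.0.0.1"}
	withCfg := client.Clone()
	withCfg.Certificates = []tls.Certificate{{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey}}
	withCert = handshake(serverCfg, withCfg)
	withoutCert = handshake(serverCfg, client.Clone())
	return withCert, withoutCert
}

func main() {
	with, without := Demo()
	fmt.Println("with client cert:", with, "| without client cert:", without)
}
```

Running it prints nil for the first handshake and the "client didn't provide a certificate" error for the second; that is the server-side view, because under TLS 1.3 the client's own Dial returns success before the server has evaluated the (empty) Certificate message, which is also why the thread's client error.log shows only "creating connection" and no TLS error.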
@kingwilliam Would you mind discussing it in the group? https://t.me/projectXray
Sure
On my side, using haproxy in front to handle TLS decryption works without problems.
Tested 2021.04.11 with xray 1.4.2; at that time the reply in https://t.me/projectXray was "this feature does not exist".
Today I tested again with xray v1.6.1: when haproxy requests a client cert, xray still does not present one.
May I ask whether TLS client certs are still not available in xray? (Because from then until now https://xtls.github.io/config/transport.html#tlsobject shows that they are.)
@kingwilliam
"tlsSettings": {
  "certificates": [
    {
      "certificate": [
        "-----BEGIN CERTIFICATE-----",
        ...
        "XBrzr1xVqKdHqKjKB2oaFXfOrtybKGyEzDzYMYa/crCbh/yb2SRnicrVbgZxwb",
        "JKEgWDPrizES/NzYN688=",
        "-----END CERTIFICATE-----"
      ],
      "usage": "verify"
    }
  ]
}
Configured like this, it works.
I am providing the client cert on the client side; can the following cert and key files not be used?
"tlsSettings": {
  "certificates": [
    {
      "usage": "encipherment",
      "certificateFile": "/path/to/certificate.crt",
      "keyFile": "/path/to/key.key"
    }
  ]
}
Don't know why you provide a key file in the client... We just add CA.crt and xray can run with the setting allowInsecure: false.
Because I need to split traffic at haproxy:
only if there is a client cert go to the xray server; if there is none, go to the fallback web server.
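The split described above (client certificate present: forward to xray; absent: forward to a fallback web site) can be expressed in haproxy by requesting the certificate with verify optional on the bind line and routing on the client-certificate sample fetches. This is an added example, not configuration from the thread or from the Xray project; the backend addresses, backend names and the /ws/ path (taken from the outbound posted earlier) are assumptions.

```haproxy
frontend in-02
    mode http
    # verify optional: request a client certificate and validate it against CA.pem
    # if one is offered, but do not abort the handshake when the client sends none
    bind :443 ssl crt crt.pem verify optional ca-file CA.pem alpn h2,http/1.1

    # ssl_c_used: the client presented a certificate; ssl_c_verify 0: it chained to CA.pem
    acl has_client_cert ssl_c_used
    acl client_cert_ok  ssl_c_verify 0
    acl ws_path         path_beg /ws/

    # all three ACLs on one line are ANDed
    use_backend xray if has_client_cert client_cert_ok ws_path
    default_backend web

backend xray
    mode http
    # assumed address of the xray WebSocket inbound (not from the thread)
    server xray1 127.0.0.1:10000

backend web
    mode http
    # assumed fallback web server
    server web1 127.0.0.1:8080
```

With verify optional, haproxy still aborts the handshake when a presented certificate fails validation unless ca-ignore-err or crt-ignore-err is configured, so the ssl_c_verify check only matters once those options are in play; without them, ssl_c_used alone already implies a certificate that chained to CA.pem. The condition this config depends on is that the xray client actually sends its certificate, which is exactly what the thread reports it does not do.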
🙄 Don't know whether the process had finished.