
tls: bad record MAC (xray-core issue, open, 14 comments)

kingwilliam commented on June 5, 2024
tls: bad record MAC

from xray-core.

Comments (14)

RPRX commented on June 5, 2024

> I did a rough test, and the XTLS protocol actually works very well for a chained proxy on the client side. A normal chain adds an extra double layer of encryption and decryption, whereas XTLS only double-encrypts the connection head and then runs bare across both hops, with both servers just doing port forwarding. Very efficient.

That is true for performance, but it does not fit the requirement "do not let an observer correlate two or more connections", so it is still not suitable for Tor, although Tor only adds a few more layers of encryption and can still be correlated.

For the extreme requirement "do not let an observer correlate two or more connections", I thought about it and the only option is to send dummy traffic to flatten the timing characteristics, like v2ray/v2ray-core#2526 (comment), which is more aggressive than hysteria's brutal. But such a strong signature is no longer suitable for getting through the GFW, so it is a difficult trade-off. Luckily I have no need to route traffic back into China for ghs.


kingwilliam commented on June 5, 2024

> @kingwilliam please test again: https://github.com/XTLS/Xray-core/actions/runs/9088697505

  1. Tested: dialerProxy works normally.
  2. The inbound problem seen in earlier testing no longer appears.


RPRX commented on June 5, 2024

Vision?


kingwilliam commented on June 5, 2024

> Vision?

All 3 outbounds have
"flow": "xtls-rprx-vision"


RPRX commented on June 5, 2024

Vision's automatic splice most likely does not support stacking this many dialerProxy layers @yuhan6665


yuhan6665 commented on June 5, 2024

I can take a look at this issue this week.


SQLimit commented on June 5, 2024

I have also run into a problem that occurs when using dialerProxy with REALITY; I am not sure whether it has the same root cause as this issue.
When the reverse-proxy bridge (VLESS TCP) is proxied through REALITY via dialerProxy, external access to the internal network drops (the REALITY outbound on the bridge device disconnects; the trigger is unknown and random, presumably a high connection count, and it usually appears after a period of continuous use). After the disconnection, the connection recovers automatically after about 20 minutes.
Earlier versions (XTLS VISION) did not have this problem; it should have appeared after 1.8.0.
Confirmed that versions 1.8.6 through 1.8.11 all have this problem.

client bridge (outbound VLESS TCP) --dialerProxy (through outbound REALITY)--> server (inbound REALITY) ----> server portal (inbound VLESS TCP)

The environment is a transparent proxy on a bypass router (the bridge device).
The bridge configuration is as follows:


    "outbounds": [
        {
            "tag": "proxy",
            "protocol": "vless",
            "settings": {
                "vnext": [
                    {
                       ...
                    }
                ]
            },
            "streamSettings": {
                "network": "tcp",
                "security": "reality",
                "realitySettings": {
                    "allowInsecure": false,
                    "fingerprint": "chrome",
                    "publicKey": "...",
                    "serverName": "...",
                    "shortId": "",
                    "show": false,
                    "spiderX": "/a"
                },
                "sockopt": {
                    "mark": 255
                }
            }
        },
        {
            "tag": "direct",
            "protocol": "freedom",
            "settings": {
                "domainStrategy": "UseIPv4v6"
            },
            "streamSettings": {
                "sockopt": {
                    "mark": 255
                }
            }
        },
        {
            "tag": "bridge-home1-in",
            "protocol": "vless",
            "settings": {
                "vnext": [
                    {
                       ...
                    }
                ]
            },
            "streamSettings": {
                "sockopt": {
                    "dialerProxy": "proxy"
                }
            }
        }
    ],
    "reverse": {
        "bridges": [
            {
                "tag": "bridge-home1",
                "domain": "home1.reverse.com"
            }
        ]
    },
    "routing": {
        "domainMatcher": "mph",
        "domainStrategy": "AsIs",
        "rules": [
            {
                "type": "field",
                "inboundTag": [
                    "bridge-home1"
                ],
                "domain": [
                    "full:home1.reverse.com"
                ],
                "outboundTag": "bridge-home1-in"
            },
            {
                "type": "field",
                "inboundTag": [
                    "bridge-home1"
                ],
                "outboundTag": "direct"
            }
        ]
    }

The portal configuration is as follows:


    "inbounds": [
        {
            "tag": "realityin",
            "port": 443,
            "protocol": "vless",
            "settings": {
                "clients": [
                    {
                       ...
                    }
                ],
                "decryption": "none"
            },
            "streamSettings": {
                "network": "tcp",
                "security": "reality",
                "realitySettings": {
                    "show": false,
                    "dest": "...:443",
                    "xver": 0,
                    "serverNames": [
                        "..."
                    ],
                    "privateKey": "...",
                    "shortIds": [
                        ""
                    ]
                }
            },
            "sniffing": {
                "enabled": true,
                "destOverride": [
                    "http",
                    "tls",
                    "quic"
                ],
                "domainsExcluded": [
                    "courier.push.apple.com"
                ]
            }
        },
        {
            "tag": "home1-in",
            "listen": "MY_VPS_IP",
            "port": 20002,
            "protocol": "vless",
            "settings": {
                "clients": [
                    {
                       ...
                    }
                ],
                "decryption": "none"
            },
            "sniffing": {
                "enabled": true,
                "destOverride": [
                    "http",
                    "tls",
                    "quic"
                ],
                "domainsExcluded": [
                    "courier.push.apple.com"
                ]
            }
        }
    ],
    "reverse": {
        "portals": [
            {
                "tag": "portal-home1",
                "domain": "home1.reverse.com"
            }
        ]
    },
    "routing": {
        "domainMatcher": "mph",
        "domainStrategy": "AsIs",
        "rules": [
            {
                "type": "field",
                "inboundTag": [
                    "home1-in"
                ],
                "outboundTag": "portal-home1"
            },
            {
                "type": "field",
                "inboundTag": [
                    "realityin"
                ],
                "ip": [
                    "INTERNAL_SERVER_IP"
                ],
                "outboundTag": "portal-home1"
            }
        ]
    }

When the disconnection occurs, the bridge log shows the following errors:
Xray_log.txt

During the disconnection, pinging the VPS IP from the bridge device works normally.
The portal VPS side has no connection log from this bridge, and other devices (not going through this bridge device) connect to the VPS REALITY inbound normally.


ztmzzz commented on June 5, 2024

I ran into a similar problem. This error appears intermittently when using docker pull; the xray server configuration used is the simplest proxy.


yuhan6665 commented on June 5, 2024

Should be fixed; please test the latest build https://github.com/XTLS/Xray-core/actions/runs/9072508584

> I did a rough test, and the XTLS protocol actually works very well for a chained proxy on the client side. A normal chain adds an extra double layer of encryption and decryption, whereas XTLS only double-encrypts the connection head and then runs bare across both hops, with both servers just doing port forwarding. Very efficient.

CC @RPRX
@SQLimit The original problem reproduces 100%. If the problem you describe still reproduces reliably, please open a new issue.


kingwilliam commented on June 5, 2024

Tested with https://github.com/XTLS/Xray-core/actions/runs/9072508584
Not sure where the problem is triggered; it looks like it is caused by the inbound.
No formal testing was done; I only swapped in the new xray, and as soon as one v2rayNG client connected, the error was triggered.

Last messages in the xtls error.log:

11:00:54 [Info] [2390586618] proxy/vless/inbound: firstLen = 1186
11:00:54 [Info] [2390586618] proxy/vless/inbound: received request for tcp:voilatile-pa.googleapis.com:443
11:00:54 [Info] [2390586618] proxy: Xtls Unpadding new block, content 517 padding 803 command 0
11:00:54 [Info] [2390586618] proxy: XtlsFilterTls found tls client hello! 517
11:00:54 [Info] [2390586618] app/dispatcher: taking detour [out-AsIs-direct] for [tcp:voilatile-pa.googleapis.com:443]
11:00:54 [Info] [2390586618] transport/internet/tcp: dialing TCP to tcp:voilatile-pa.googleapis.com:443
11:00:54 [Info] [2390586618] proxy/freedom: connection opened to tcp:voilatile-pa.googleapis.com:443, local endpoint 192.168.7.252:39836, remote endpoint 142.250.66.106:443
11:00:54 [Info] [2390586618] proxy: CopyRawConn readv
11:00:54 [Info] [3095487748] proxy: XtlsFilterTls found tls 1.3! 4679 TLS_AES_128_GCM_SHA256

The syslog messages are as follows:

11:00:54 xray[5692]: panic: runtime error: index out of range [-1]
11:00:54 xray[5692]: goroutine 62 [running]:
11:00:54 xray[5692]: github.com/xtls/xray-core/proxy/vless/inbound.(*Handler).Process.func5()
11:00:54 xray[5692]: #011github.com/xtls/xray-core/proxy/vless/inbound/inbound.go:564 +0x89b
11:00:54 xray[5692]: github.com/xtls/xray-core/common/task.Run.func1(0xc003ed6ce0?)
11:00:54 xray[5692]: #011github.com/xtls/xray-core/common/task/task.go:28 +0x28
11:00:54 xray[5692]: created by github.com/xtls/xray-core/common/task.Run in goroutine 72
11:00:54 xray[5692]: #011github.com/xtls/xray-core/common/task/task.go:27 +0xdb
11:00:54 systemd[1]: xray.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
11:00:54 systemd[1]: xray.service: Failed with result 'exit-code'.
11:00:54 systemd[1]: xray.service: Scheduled restart job, restart counter is at 14.
11:00:54 systemd[1]: Stopped Xray Service.
11:00:54 systemd[1]: xray.service: Start request repeated too quickly.
11:00:54 systemd[1]: xray.service: Failed with result 'exit-code'.
11:00:54 systemd[1]: Failed to start Xray Service.


yuhan6665 commented on June 5, 2024

@kingwilliam I'll fix it shortly.


yuhan6665 commented on June 5, 2024

@kingwilliam please test again: https://github.com/XTLS/Xray-core/actions/runs/9088697505


kingwilliam commented on June 5, 2024

> @kingwilliam please test again: https://github.com/XTLS/Xray-core/actions/runs/9088697505

After a long test (about 3 hours), the result first: there is still a problem.
The problem is again with dialerProxy: tls: bad record MAC

But unlike before, this time it only appears in some situations.
For ordinary web pages, browsing works fine, but checking the error.log of the last xray exit node shows tls: bad record MAC entries.
But with something like a Linux apt HTTP proxy, there is always a problem.

apt update

Hit:1 http://mirrors.ustc.edu.cn/debian bookworm InRelease
Hit:2 http://deb.debian.org/debian bookworm InRelease
Hit:3 http://haproxy.debian.net bookworm-backports-2.8 InRelease
Hit:4 http://archive.raspberrypi.com/debian bookworm InRelease
Hit:5 http://deb.debian.org/debian-security bookworm-security InRelease
Get:6 http://deb.debian.org/debian bookworm-updates InRelease [55.4 kB]
Err:6 http://deb.debian.org/debian bookworm-updates InRelease
  Splitting up /var/lib/apt/lists/partial/deb.debian.org_debian_dists_bookworm-updates_InRelease into data and signature failed
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
N: Skipping acquire of configured file 'main/binary-armhf/Packages' as repository 'http://haproxy.debian.net bookworm-backports-2.8 InRelease' doesn't support architecture 'armhf'
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://deb.debian.org/debian bookworm-updates InRelease: Splitting up /var/lib/apt/lists/partial/deb.debian.org_debian_dists_bookworm-updates_InRelease into data and signature failed
W: Failed to fetch http://deb.debian.org/debian/dists/bookworm-updates/InRelease  Splitting up /var/lib/apt/lists/partial/deb.debian.org_debian_dists_bookworm-updates_InRelease into data and signature failed
W: Some index files failed to download. They have been ignored, or old ones used instead.
access.log

20:30:28 192.168.1.1:47954 accepted http://archive.raspberrypi.com/debian/dists/bookworm/InRelease [in-http -> out-xtls-tcp]
20:30:28 192.168.1.1:47938 accepted http://deb.debian.org/debian/dists/bookworm/InRelease [in-http -> out-xtls-tcp]
20:30:28 192.168.1.1:47966 accepted http://haproxy.debian.net/dists/bookworm-backports-2.8/InRelease [in-http -> out-xtls-tcp]
20:31:28 192.168.1.1:49146 accepted http://archive.raspberrypi.com/debian/dists/bookworm/InRelease [in-http -> out-xtls-tcp]
20:31:28 192.168.1.1:49168 accepted http://deb.debian.org/debian/dists/bookworm/InRelease [in-http -> out-xtls-tcp]
20:31:28 192.168.1.1:49144 accepted http://haproxy.debian.net/dists/bookworm-backports-2.8/InRelease [in-http -> out-xtls-tcp]
20:31:29 192.168.1.1:46242 accepted http://deb.debian.org/debian-security/dists/bookworm-security/InRelease [in-http -> out-xtls-tcp]
20:31:30 192.168.1.1:46254 accepted http://deb.debian.org/debian/dists/bookworm-updates/InRelease [in-http -> out-xtls-tcp]
error.log

20:30:28 [Info] [567602213] proxy/http: request to Method [GET] Host [haproxy.debian.net] with URL [http://haproxy.debian.net/dists/bookworm-backports-2.8/InRelease]
20:30:28 [Info] [2272979348] proxy/http: request to Method [GET] Host [archive.raspberrypi.com] with URL [http://archive.raspberrypi.com/debian/dists/bookworm/InRelease]
20:30:28 [Info] [2185294411] proxy/http: request to Method [GET] Host [deb.debian.org] with URL [http://deb.debian.org/debian/dists/bookworm/InRelease]
20:30:28 [Info] [2272979348] app/dispatcher: taking detour [out-xtls-tcp] for [tcp:archive.raspberrypi.com:80]
20:30:28 [Info] [2185294411] app/dispatcher: taking detour [out-xtls-tcp] for [tcp:deb.debian.org:80]
20:30:28 [Info] [2185294411] transport/internet/tcp: dialing TCP to tcp:www.xxx.yyy:777
20:30:28 [Info] [2272979348] transport/internet/tcp: dialing TCP to tcp:www.xxx.yyy:777
20:30:28 [Info] [2185294411] transport/internet: redirecting request tcp:www.xxx.yyy:777 to middle-xtls
20:30:28 [Info] [2272979348] transport/internet: redirecting request tcp:www.xxx.yyy:777 to middle-xtls
20:30:28 [Info] [2272979348] transport/internet/tcp: dialing TCP to tcp:aa.bb.cc:888
20:30:28 [Info] [567602213] app/dispatcher: taking detour [out-xtls-tcp] for [tcp:haproxy.debian.net:80]
20:30:28 [Info] [567602213] transport/internet/tcp: dialing TCP to tcp:www.xxx.yyy:777
20:30:28 [Info] [567602213] transport/internet: redirecting request tcp:www.xxx.yyy:777 to middle.xtls
20:30:28 [Info] [2185294411] transport/internet/tcp: dialing TCP to tcp:aa.bb.cc:888
20:30:28 [Info] [567602213] transport/internet/tcp: dialing TCP to tcp:aa.bb.cc:888

2024/05/15 20:40:29 [Info] [2272979348] proxy/vless/outbound: tunneling request to tcp:www.xxx.yyy:777 via aa.bb.cc:888
2024/05/15 20:40:29 [Info] [2272979348] proxy: XtlsFilterTls found tls client hello! 506
2024/05/15 20:40:29 [Info] [2272979348] proxy: XtlsPadding 506 660 0
2024/05/15 20:40:29 [Info] [2185294411] proxy/vless/outbound: tunneling request to tcp:www.xxx.yyy:777 via aa.bb.cc:888
2024/05/15 20:40:29 [Info] [2185294411] proxy: XtlsFilterTls found tls client hello! 538
2024/05/15 20:40:29 [Info] [2185294411] proxy: XtlsPadding 538 436 0
2024/05/15 20:40:29 [Info] [567602213] proxy/vless/outbound: tunneling request to tcp:www.xxx.yyy:777 via aa.bb.cc:888
2024/05/15 20:40:29 [Info] [567602213] proxy: XtlsFilterTls found tls client hello! 602
2024/05/15 20:40:29 [Info] [567602213] proxy: XtlsPadding 602 484 0
2024/05/15 20:40:29 [Info] [2272979348] proxy: Xtls Unpadding new block, content 1448 padding 50 command 0
2024/05/15 20:40:29 [Info] [2272979348] proxy: XtlsFilterTls found tls 1.3! 1163 TLS_CHACHA20_POLY1305_SHA256
2024/05/15 20:40:29 [Info] [2272979348] proxy: Xtls Unpadding new block, content 1886 padding 108 command 0
2024/05/15 20:40:29 [Info] [2272979348] proxy/vless/outbound: tunneling request to tcp:archive.raspberrypi.com:80 via www.xxx.yyy:777
2024/05/15 20:40:29 [Info] [2272979348] proxy: XtlsPadding 64 1227 0
2024/05/15 20:40:29 [Info] [2272979348] proxy: XtlsFilterTls stop filtering232
2024/05/15 20:40:29 [Info] [2272979348] proxy: XtlsFilterTls stop filtering232
2024/05/15 20:40:29 [Info] [2272979348] proxy: XtlsFilterTls stop filtering232
2024/05/15 20:40:29 [Info] [2272979348] proxy: XtlsFilterTls stop filtering232
2024/05/15 20:40:29 [Info] [2272979348] proxy: XtlsFilterTls stop filtering232
2024/05/15 20:40:29 [Info] [2272979348] proxy: XtlsFilterTls stop filtering232
2024/05/15 20:40:29 [Info] [2272979348] proxy: XtlsFilterTls stop filtering232
2024/05/15 20:40:29 [Info] [2272979348] proxy: XtlsFilterTls stop filtering232
2024/05/15 20:40:29 [Info] [2272979348] proxy: XtlsFilterTls stop filtering232
2024/05/15 20:40:29 [Info] [2272979348] proxy: XtlsFilterTls stop filtering232
2024/05/15 20:40:29 [Info] [2272979348] proxy: XtlsFilterTls stop filtering232
2024/05/15 20:40:29 [Info] [2272979348] proxy: XtlsFilterTls stop filtering232
2024/05/15 20:40:29 [Info] [2272979348] proxy: XtlsFilterTls stop filtering232
2024/05/15 20:40:29 [Info] [2272979348] proxy: XtlsPadding 47 36 1
2024/05/15 20:40:29 [Info] [2272979348] proxy: XtlsPadding 375 804 2


kingwilliam commented on June 5, 2024

xtls exit node

error.log

20:30:31 [Info] [1525508074] app/proxyman/inbound: connection ends > proxy/vless/inbound: connection ends > proxy/vless/inbound: failed to transfer request payload > local error: tls: bad record MAC
20:31:29 [Info] [2403976906] app/proxyman/inbound: connection ends > proxy/vless/inbound: connection ends > proxy/vless/inbound: failed to transfer request payload > local error: tls: bad record MAC
20:31:29 [Info] [108597358] app/proxyman/inbound: connection ends > proxy/vless/inbound: connection ends > proxy/vless/inbound: failed to transfer request payload > local error: tls: bad record MAC
20:31:30 [Info] [2940157922] app/proxyman/inbound: connection ends > proxy/vless/inbound: connection ends > proxy/vless/inbound: failed to transfer request payload > local error: tls: bad record MAC



20:30:29 [Info] [1525508074] proxy/vless/inbound: firstLen = 353
20:30:29 [Info] [1525508074] proxy/vless/inbound: received request for tcp:archive.raspberrypi.com:80
20:30:29 [Info] [1525508074] app/dispatcher: taking detour [out-AsIs-direct] for [tcp:archive.raspberrypi.com:80]
20:30:29 [Info] [1525508074] transport/internet/tcp: dialing TCP to tcp:archive.raspberrypi.com:80
20:30:29 [Info] [1525508074] proxy: Xtls Unpadding new block, content 47 padding 36 command 1
20:30:30 [Info] [1525508074] proxy/freedom: connection opened to tcp:archive.raspberrypi.com:80, local endpoint 192.168.0.252:48858, remote endpoint 176.126.240.86:80
20:30:30 [Info] [1525508074] proxy: CopyRawConn readv
20:30:31 [Info] [1525508074] proxy: XtlsPadding 129 17 0
20:30:31 [Info] [1525508074] app/proxyman/inbound: connection ends > proxy/vless/inbound: connection ends > proxy/vless/inbound: failed to transfer request payload > local error: tls: bad record MAC



20:31:29 [Info] [2403976906] proxy/vless/inbound: firstLen = 386
20:31:29 [Info] [2403976906] proxy/vless/inbound: received request for tcp:deb.debian.org:80
20:31:29 [Info] [2403976906] app/dispatcher: taking detour [out-AsIs-direct] for [tcp:deb.debian.org:80]
20:31:29 [Info] [2403976906] transport/internet/tcp: dialing TCP to tcp:deb.debian.org:80
20:31:29 [Info] [2403976906] proxy: Xtls Unpadding new block, content 47 padding 87 command 1
20:31:29 [Info] [2403976906] proxy/freedom: connection opened to tcp:deb.debian.org:80, local endpoint 192.168.0.252:41556, remote endpoint 151.101.78.132:80
20:31:29 [Info] [2403976906] proxy: CopyRawConn readv
20:31:29 [Info] [2403976906] proxy: XtlsPadding 278 71 0
20:31:29 [Info] [2403976906] app/proxyman/inbound: connection ends > proxy/vless/inbound: connection ends > proxy/vless/inbound: failed to transfer request payload > local error: tls: bad record MAC

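As an added example (not code from the thread or from Xray itself), the following Python script groups Xray error.log lines of the shape quoted above by connection ID, so that a connection's requested destination, its Vision padding/unpadding events and its final `tls: bad record MAC` cause appear together instead of interleaved with other connections. The sample lines are a constructed, trimmed copy of the exit-node excerpt above; the line format is assumed from those quoted lines.

```python
import re
from collections import OrderedDict
from dataclasses import dataclass, field

# Xray error.log lines quoted in the thread look like "HH:MM:SS [Level] [conn-id] component: message",
# sometimes with a "YYYY/MM/DD " date prefix; the conn-id ties one connection's lines together.
LINE_RE = re.compile(r"^(?:\d{4}/\d{2}/\d{2} )?(?P<time>\d{2}:\d{2}:\d{2}) \[\w+\] "
                     r"\[(?P<cid>\d+)\] (?P<src>[\w/]+): (?P<msg>.*)$")
REQUEST_RE = re.compile(r"received request for (?P<dest>\S+)")
UNPAD_RE = re.compile(r"Xtls Unpadding new block, content (\d+) padding (\d+) command (\d+)")
PAD_RE = re.compile(r"XtlsPadding (\d+) (\d+) (\d+)")

@dataclass
class ConnSummary:
    cid: str
    first_seen: str
    last_seen: str = ""
    dest: str = ""  # target from "received request for ..."
    padding_events: list = field(default_factory=list)  # (kind, content, padding, command)
    error: str = ""  # innermost cause of a "connection ends > ... > cause" line

def parse_error_log(lines):
    """Group Xray error.log lines by connection ID; lines that do not match are skipped."""
    conns = OrderedDict()
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        conn = conns.setdefault(m["cid"], ConnSummary(m["cid"], m["time"]))
        conn.last_seen = m["time"]
        msg = m["msg"]
        if r := REQUEST_RE.search(msg):
            conn.dest = r["dest"]
        # Vision padding/unpadding events; the command value is recorded but treated as opaque.
        if u := UNPAD_RE.search(msg):
            conn.padding_events.append(("unpad",) + tuple(int(x) for x in u.groups()))
        if p := PAD_RE.search(msg):
            conn.padding_events.append(("pad",) + tuple(int(x) for x in p.groups()))
        if "connection ends" in msg:
            conn.error = msg.rsplit("> ", 1)[-1]
    return conns

def failed_connections(conns, needle="tls: bad record MAC"):
    """Connections whose final error contains `needle`, in the order they were first seen."""
    return [c for c in conns.values() if needle in c.error]

# Constructed sample: a trimmed copy of the exit-node error.log excerpt quoted in the thread.
SAMPLE_LOG = """\
20:30:29 [Info] [1525508074] proxy/vless/inbound: received request for tcp:archive.raspberrypi.com:80
20:30:29 [Info] [1525508074] proxy: Xtls Unpadding new block, content 47 padding 36 command 1
20:30:31 [Info] [1525508074] proxy: XtlsPadding 129 17 0
20:30:31 [Info] [1525508074] app/proxyman/inbound: connection ends > proxy/vless/inbound: connection ends > proxy/vless/inbound: failed to transfer request payload > local error: tls: bad record MAC

20:31:29 [Info] [2403976906] proxy/vless/inbound: received request for tcp:deb.debian.org:80
20:31:29 [Info] [2403976906] proxy: Xtls Unpadding new block, content 47 padding 87 command 1
20:31:29 [Info] [2403976906] proxy: XtlsPadding 278 71 0
20:31:29 [Info] [2403976906] app/proxyman/inbound: connection ends > proxy/vless/inbound: connection ends > proxy/vless/inbound: failed to transfer request payload > local error: tls: bad record MAC
""".splitlines()

if __name__ == "__main__":
    for c in failed_connections(parse_error_log(SAMPLE_LOG)):
        print(f"{c.cid} {c.first_seen}-{c.last_seen} {c.dest or '?'}: {c.error}")
        for ev in c.padding_events:
            print("   ", *ev)
```

Feeding it a full error.log from both the exit node and the middle hop lets you see whether every failed connection shares the same padding pattern (here: a command-1 unpadding block followed by one outbound padding) before it dies.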
