Bug: Clients using tls 1.2 by default!!???

[hiddify-com]

I found a weird bug that the clients sometimes start the connection with tls1.2
I am using xray v1.8.0

I have added even minVersion in tls setting but it won't change this behavior

Full client configuration

{
  "log": {
    "access": "",
    "error": "",
    "loglevel": "warning"
  },
  "inbounds": [
    {
      "tag": "socks",
      "port": 10808,
      "listen": "127.0.0.1",
      "protocol": "socks",
      "sniffing": {
        "enabled": true,
        "destOverride": [
          "http",
          "tls"
        ],
        "routeOnly": false
      },
      "settings": {
        "auth": "noauth",
        "udp": true,
        "allowTransparent": false
      }
    },
    {
      "tag": "http",
      "port": 10809,
      "listen": "127.0.0.1",
      "protocol": "http",
      "sniffing": {
        "enabled": true,
        "destOverride": [
          "http",
          "tls"
        ],
        "routeOnly": false
      },
      "settings": {
        "auth": "noauth",
        "udp": true,
        "allowTransparent": false
      }
    }
  ],
  "outbounds": [
    {
      "tag": "proxy",
      "protocol": "vless",
      "settings": {
        "vnext": [
          {
            "address": "hiddify.com",
            "port": 443,
            "users": [
              {
                "id": "e28c1a7e-98a5-4b91-a0e0-96cacf4e1fae",
                "alterId": 0,
                "email": "t@t.tt",
                "security": "auto",
                "encryption": "none",
                "flow": "xtls-rprx-vision"
              }
            ]
          }
        ]
      },
      "streamSettings": {
        "network": "tcp",
        "security": "tls",
        "tlsSettings": {
          "allowInsecure": false,
          "serverName": "hiddify.com",
          "alpn": [
            "http/1.1"
          ],
          "fingerprint": "chrome",
          "show": false,
          "minVersion": "1.3"
        }
      },
      "mux": {
        "enabled": false,
        "concurrency": -1
      }
    },
    {
      "tag": "direct",
      "protocol": "freedom",
      "settings": {}
    },
    {
      "tag": "block",
      "protocol": "blackhole",
      "settings": {
        "response": {
          "type": "http"
        }
      }
    }
  ],
  "routing": {
    "domainStrategy": "AsIs",
    "rules": [
      {
        "type": "field",
        "inboundTag": [
          "api"
        ],
        "outboundTag": "api",
        "enabled": true
      },
      {
        "id": "4721901652305849247",
        "type": "field",
        "outboundTag": "direct",
        "domain": [
          "domain:example.com",
          "domain:example2.com"
        ],
        "enabled": true
      },
      {
        "id": "4964923193273991424",
        "type": "field",
        "outboundTag": "block",
        "domain": [
          "geosite:category-ads-all"
        ],
        "enabled": true
      },
      {
        "id": "5462843772156832822",
        "type": "field",
        "outboundTag": "direct",
        "domain": [
          "geosite:private",
          "geosite:apple@cn",
          "geosite:google@cn",
          "geosite:tld-cn",
          "tld-ir"
        ],
        "enabled": true
      },
      {
        "id": "5632988166244046273",
        "type": "field",
        "outboundTag": "proxy",
        "domain": [
          "geoip:!ir"
        ],
        "enabled": true
      },
      {
        "id": "4874739823930549310",
        "type": "field",
        "outboundTag": "direct",
        "ip": [
          "geoip:private",
          "geoip:cn",
          "geoip:ir"
        ],
        "enabled": true
      },
      {
        "id": "5464678198089768952",
        "type": "field",
        "port": "0-65535",
        "outboundTag": "proxy",
        "enabled": true
      }
    ],
    "balancers": []
  }
}

As you have suggested that setting a hard limit in the server side to accept only tls 1.3 is not good i have tried to use haproxy but it can not proxy tls 1.3 and 1.2 to different servers.

I think that this behavior may be used to identify proxy servers.

frontend https-in
    bind :443,:::443 v4v6
  bind :443,:::443 v4v6
    mode tcp
    option tcplog
    option dontlognull
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    acl tls1_2 req.ssl_ver 3.3
    acl tls1_3 req.ssl_ver 3.4

    use_backend xray if tls1_3
    use_backend xraydecoy if tls1_2
#    tcp-request content reject if tls1_2
    default_backend xraydecoy

[RPRX]

I found a weird bug that the clients sometimes start the connection with tls1.2

指纹选 Chrome 时应该不会，确定是 Xray 发起的连接吗

I have added even minVersion in tls setting but it won't change this behavior

选了指纹时，Xray 会忽略能改变指纹的 TLS 设置

I think that this behavior may be used to identify proxy servers.

没看懂，请细说

[hiddify-com]

Thanks for your response. So this is the reason that several users in Iran has issues with utls but do not have issue without it and the only solution was to force TLS 1.3 in cloudflare.

How can we fix it to be able to show our traffic similar to chrome but only have connection with tls 1.3 (in client)? and when GTW send a request with tls 1.2 our server acts as a decoy server and if the GTW alter the connection to force client connect with tls 1.2 it refuse connection. Is it possible?

[RPRX]

我认为指纹选 Chrome 时应该不会发出不支持 TLSv1.3 的 Client Hello

[RPRX]

I believe Xray-core will not send a Client Hello that doesn't support TLSv1.3 when you select "chrome" as the fingerprint.

怕上一句反转过多被翻译错了，补个英文

[RPRX]

when GTW send a request with tls 1.2 our server acts as a decoy server

现在就是这样

if the GTW alter the connection to force client connect with tls 1.2 it refuse connection

这是“降级攻击”，TLS 已自带防护

[hiddify-com]

However, currently, we are facing with a problem in Iran. As you mentioned the problem is with utls and when we remove utls, it works but it is not a good way.

I do not know what is happening with utls, but i belive we have to be robust against this.

I think you miss understand my sentence.
All xray servers are supporting tls 1.3 and it is okay. but if the GTW alter the version, the client should check whether it is altered or not.
It is a hope that all implementations of TLS 1.3 protocol won’t forget to implement the measures against downgrade attacks (checking DOWNGRD).

[xqzr]

https://t.me/projectXray/1407143

[RPRX]

However, currently, we are facing with a problem in Iran. As you mentioned the problem is with utls and when we remove utls, it works but it is not a good way.

I do not know what is happening with utls, but i belive we have to be robust against this.

我对伊朗的印象是，它阻止 Chrome 指纹，比如 NaiveProxy 是基于 Chrome 的网络栈改的：

klzgrad/naiveproxy#391 (comment)
klzgrad/naiveproxy#404 (comment)

所以你应该尝试其它指纹，而不是 Chrome 指纹。

I think you miss understand my sentence. All xray servers are supporting tls 1.3 and it is okay. but if the GTW alter the version, the client should check whether it is altered or not. It is a hope that all implementations of TLS 1.3 protocol won’t forget to implement the measures against downgrade attacks (checking DOWNGRD).

我没有误解你的意思，我的意思是，正常的 TLSv1.3 客户端都已经带有对降级攻击的检查，比如 Golang TLS：（当然 uTLS 也有）

https://github.com/golang/go/blob/ee522e2cdad04a43bc9374776483b6249eb97ec9/src/crypto/tls/handshake_client.go#L203

[hiddify-com]

Great thanks for your response

but i can not understand why?
The utls is coming to hide the proxy traffic as chrome browser so how chrome works fine but utls chrome doesn't work

I will continue the conversation with utls team however please take it in to consideration for reality which needs fingerprinting 😉

[RPRX]

第一段是在你新的回复之前写的，可以忽略。

可能你对 TLS 的运行原理有误解。

首先，当你选择 Chrome 指纹时，Xray-core 肯定会发送带 TLSv1.3 的 Client Hello，即使中间人对它做手脚，你本地也抓不到包。

中间人修改 Client Hello，可以使服务端的 Server Hello 为 TLSv1.2，but Client's TLS lib ITSELF will detect the attack and drop it.

---

The utls is coming to hide the proxy traffic as chrome browser so how chrome works fine but utls chrome doesn't work

首先 uTLS 只是模仿了 Chrome 的 Client Hello，并不是 Chrome。NaiveProxy 是 Chrome 的网络栈，但它也被阻止。

So I doubt that "chrome works fine" in Iran. I guess that Iran blocks almost all "chrome -> foreign" traffic, from the very beginning.

[RPRX]

我的意思是，可能伊朗为了阻止你们用浏览器访问境外网站，出境处早就把 Chrome 指纹给拉黑了，早在你用 uTLS 之前就如此。

所以在这种情况下，还是别执着于 Chrome 指纹了，换个其它的。

[RPRX]

至于你说的 "chrome works fine"，我猜你指的是浏览伊朗国内网站，那不算数。

[hiddify-com]

No using chrome works perfectly for browsing all the websites

We do not count local websites at all 😁

[RPRX]

如果对于你自己的网站，Chrome 可以直接正常浏览，却不能用网站上的 XTLS Vision 或 NaiveProxy，这才是一个值得解决的问题

说实话，现在的这些代理和浏览器正常浏览网页行为产生的流量特征还是有挺大差别的，去年我写了个玩具，以后再放出来