
[Bug] Hysteria2 outbound using a self-signed certificate with pinnedPeerCertSha256 fails to connect #5655

@Radar5404

Description


Completeness requirements

  • I have read all the comments in the issue template and made sure my submission meets the requirements.
  • I have read the documentation and understand the meaning of every configuration item I wrote, rather than piling up seemingly useful options or default values.
  • I have provided the complete configuration file and logs, not excerpts chosen at my own discretion.
  • I have searched the issues and found no similar issue already filed.
  • The problem can be reproduced on the latest Release version.

Description

With a Hysteria2 server that uses a self-signed certificate, the connection cannot be established when Xray-core is configured with pinnedPeerCertSha256.

Under the same network environment and certificate setup:

  1. v2rayN with the native Hysteria2 core: connection succeeds (verified with insecure: true together with pinSHA256).
  2. v2rayN with Xray-core: connection fails.

I tried setting allowInsecure in tlsSettings to true, to false, and removing the field entirely, but the connection always fails.

Version information

  • Xray-core: v26.2.4
  • Hysteria2: v2.7.0

Connection test matrix

I tested different combinations of server certificate type and client core, with the following results:

  Server certificate type   Client core        Configuration                 Result
  Self-signed               Hysteria2 native   insecure: true + pinSHA256    Success
  Self-signed               Xray-core          pinnedPeerCertSha256          Failure
  CA-signed (ACME)          Hysteria2 native   pinSHA256                     Success
  CA-signed (ACME)          Xray-core          pinnedPeerCertSha256          Success

Steps to reproduce

  1. Generate a self-signed certificate on the server with OpenSSL:
     openssl req -x509 -nodes -newkey ec:<(openssl ecparam -name prime256v1) -keyout /etc/hysteria/server.key -out /etc/hysteria/server.crt -subj "/CN=bing.com" -days 36500
  2. Configure the Hysteria2 server with that certificate.
  3. Configure the Xray-core client hysteria2 outbound, setting serverName and the matching pinnedPeerCertSha256.
  4. Initiate a connection.

Server configuration (Hysteria2)

listen: :443

tls:
  cert: /etc/hysteria/server.crt
  key: /etc/hysteria/server.key

auth:
  type: password
  password: mypassword

masquerade:
  type: proxy
  proxy:
    url: https://bing.com
    rewriteHost: true
    insecure: true

Client configuration (Xray-core)

{
  "outbounds": [
    {
      "tag": "myproxy",
      "protocol": "hysteria",
      "settings": {
        "address": "123.123.123.123",
        "port": 443,
        "version": 2
      },
      "streamSettings": {
        "network": "hysteria",
        "security": "tls",
        "tlsSettings": {
          "allowInsecure": false, 
          "serverName": "bing.com",
          "fingerprint": "chrome",
          "pinnedPeerCertSha256": "8376722bfd791a07f52a548708b775db551eb88151ed9cee1801e27c090459ca"
        },
        "hysteriaSettings": {
          "version": 2,
          "auth": "mypassword"
        }
      }
    }
  ]
}

(Note: the problem persists whether allowInsecure is set to true or removed.)

Control group: working client configuration (native Hysteria2)

server: "123.123.123.123:443"
auth: "mypassword"

tls:
  sni: bing.com
  insecure: true
  pinSHA256: 8376722bfd791a07f52a548708b775db551eb88151ed9cee1801e27c090459ca

socks5:
  listen: 127.0.0.1:40606

Client configuration

As above

Server configuration

As above

Client log

2026/02/05 15:27:36.752012 [Debug] app/log: Logger started
2026/02/05 15:27:36.798721 [Info] app/dns: DNS: created UDP client initialized for 1.1.1.1:53
2026/02/05 15:27:36.812735 [Info] app/dns: DNS: created UDP client initialized for 223.5.5.5:53
2026/02/05 15:27:36.853175 [Info] app/dns: DNS: created UDP client initialized for 8.8.8.8:53
2026/02/05 15:27:36.949892 [Debug] app/router: MphDomainMatcher is enabled for 152285 domain rule(s)
2026/02/05 15:27:36.985799 [Debug] app/router: MphDomainMatcher is enabled for 11 domain rule(s)
2026/02/05 15:27:37.003811 [Debug] app/router: MphDomainMatcher is enabled for 4 domain rule(s)
2026/02/05 15:27:37.022478 [Debug] app/router: MphDomainMatcher is enabled for 691 domain rule(s)
2026/02/05 15:27:37.044009 [Debug] app/router: MphDomainMatcher is enabled for 1114 domain rule(s)
2026/02/05 15:27:37.114913 [Debug] app/router: MphDomainMatcher is enabled for 115506 domain rule(s)
2026/02/05 15:27:37.130494 [Debug] app/router: MphDomainMatcher is enabled for 33131 domain rule(s)
2026/02/05 15:27:37.151806 [Debug] app/proxyman/inbound: creating stream worker on 0.0.0.0:40808
2026/02/05 15:27:37.151806 [Debug] app/proxyman/inbound: creating stream worker on 127.0.0.1:40812
2026/02/05 15:27:37.151806 [Debug] app/stats: create new counter outbound>>>proxy>>>traffic>>>uplink
2026/02/05 15:27:37.151806 [Debug] app/stats: create new counter outbound>>>proxy>>>traffic>>>downlink
2026/02/05 15:27:37.151806 [Debug] app/stats: create new counter outbound>>>direct>>>traffic>>>uplink
2026/02/05 15:27:37.151806 [Debug] app/stats: create new counter outbound>>>direct>>>traffic>>>downlink
2026/02/05 15:27:37.151806 [Debug] app/stats: create new counter outbound>>>block>>>traffic>>>uplink
2026/02/05 15:27:37.151806 [Debug] app/stats: create new counter outbound>>>block>>>traffic>>>downlink
2026/02/05 15:27:37.151806 [Debug] app/stats: create new counter outbound>>>myproxy>>>traffic>>>uplink
2026/02/05 15:27:37.151806 [Debug] app/stats: create new counter outbound>>>myproxy>>>traffic>>>downlink
2026/02/05 15:27:37.151806 [Debug] app/stats: create new counter outbound>>>mydirect>>>traffic>>>uplink
2026/02/05 15:27:37.151806 [Debug] app/stats: create new counter outbound>>>mydirect>>>traffic>>>downlink
2026/02/05 15:27:37.151806 [Debug] app/stats: create new counter outbound>>>myblock>>>traffic>>>uplink
2026/02/05 15:27:37.151806 [Debug] app/stats: create new counter outbound>>>myblock>>>traffic>>>downlink
2026/02/05 15:27:37.152806 [Info] transport/internet/tcp: listening TCP on 0.0.0.0:40808
2026/02/05 15:27:37.152806 [Info] transport/internet/udp: listening UDP on 0.0.0.0:40808
2026/02/05 15:27:37.152806 [Info] transport/internet/tcp: listening TCP on 127.0.0.1:40812
2026/02/05 15:27:37.152806 [Warning] core: Xray 26.2.4 started
2026/02/05 15:27:37.468119 [Debug] [1277161244] proxy/dokodemo: processing connection from: 127.0.0.1:59155
2026/02/05 15:27:37.468119 [Info] [1277161244] proxy/dokodemo: received request for 127.0.0.1:59155
2026/02/05 15:27:37.468119 [Info] [1277161244] app/dispatcher: taking detour [api] for [tcp:127.0.0.1:40812]
2026/02/05 15:27:37.673180 [Info] [2534246187] proxy/socks: TCP Connect request to tcp:www.google.com:443
2026/02/05 15:27:37.674689 [Info] [2534246187] app/dispatcher: sniffed domain: www.google.com
2026/02/05 15:27:37.674689 [Info] app/dns: UDP:1.1.1.1:53 querying DNS for: www.google.com.
2026/02/05 15:27:37.674689 [Debug] transport/internet/udp: dispatch request to: udp:1.1.1.1:53
2026/02/05 15:27:37.674689 [Info] transport/internet/udp: establishing new connection for udp:1.1.1.1:53
2026/02/05 15:27:37.674689 [Debug] transport/internet/udp: dispatch request to: udp:1.1.1.1:53
2026/02/05 15:27:37.675591 [Info] app/dispatcher: taking detour [myproxy] for [udp:1.1.1.1:53]
2026/02/05 15:27:37.675591 [Debug] transport/internet: dialing to udp:123.123.123.123:443
2026/02/05 15:27:37.899366 [Info] app/proxyman/outbound: app/proxyman/outbound: failed to process outbound traffic > proxy/hysteria: failed to find an available destination > transport/internet/hysteria: RoundTrip err > CRYPTO_ERROR 0x12a (local): transport/internet/tls: peer cert is invalid (against pinned CA and serverName)
2026/02/05 15:27:37.899366 [Info] transport/internet/udp: failed to handle UDP input > io: read/write on closed pipe
2026/02/05 15:27:41.675250 [Info] app/dns: failed to lookup ip for domain www.google.com at server UDP:1.1.1.1:53 in serial query mode > app/dns: record not found
2026/02/05 15:27:41.675250 [Info] features/routing/dns: resolve ip for www.google.com > app/dns: returning nil for domain www.google.com > app/dns: record not found
2026/02/05 15:27:41.675250 [Info] [2534246187] app/dispatcher: taking detour [myproxy] for [tcp:www.google.com:443]
2026/02/05 15:27:41.675250 [Debug] [2534246187] transport/internet: dialing to udp:123.123.123.123:443
2026/02/05 15:27:41.908874 [Info] [2534246187] app/proxyman/outbound: app/proxyman/outbound: failed to process outbound traffic > proxy/hysteria: failed to find an available destination > transport/internet/hysteria: RoundTrip err > CRYPTO_ERROR 0x12a (local): transport/internet/tls: peer cert is invalid (against pinned CA and serverName)
2026/02/05 15:27:42.422738 [Info] [3260842725] proxy/socks: TCP Connect request to tcp:www.google.com:443
2026/02/05 15:27:42.424092 [Info] [3260842725] app/dispatcher: sniffed domain: www.google.com
2026/02/05 15:27:42.424092 [Info] app/dns: UDP:1.1.1.1:53 querying DNS for: www.google.com.
2026/02/05 15:27:42.424092 [Debug] transport/internet/udp: dispatch request to: udp:1.1.1.1:53
2026/02/05 15:27:42.424092 [Info] transport/internet/udp: establishing new connection for udp:1.1.1.1:53
2026/02/05 15:27:42.424092 [Debug] transport/internet/udp: dispatch request to: udp:1.1.1.1:53
2026/02/05 15:27:42.424092 [Info] app/dispatcher: taking detour [myproxy] for [udp:1.1.1.1:53]
2026/02/05 15:27:42.424092 [Debug] transport/internet: dialing to udp:123.123.123.123:443
2026/02/05 15:27:42.631300 [Info] app/proxyman/outbound: app/proxyman/outbound: failed to process outbound traffic > proxy/hysteria: failed to find an available destination > transport/internet/hysteria: RoundTrip err > CRYPTO_ERROR 0x12a (local): transport/internet/tls: peer cert is invalid (against pinned CA and serverName)
2026/02/05 15:27:42.631300 [Info] transport/internet/udp: failed to handle UDP input > io: read/write on closed pipe

Server log
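
Added example, not code from the issue, Xray-core or Hysteria: the reproduction steps and the test matrix above contrast a CA/serverName check with pin-only verification of the same self-signed certificate, and this Go block performs both in memory. NewSelfSignedDER plays the openssl step, PinSHA256 derives the 64-hex-character pin, CAVerify is the check such a certificate cannot pass, and PinVerify is a pin-only callback shaped like Go's tls.Config.VerifyPeerCertificate, the insecure: true + pinSHA256 model the native client uses. It assumes the pin is the lowercase hex SHA-256 of the DER-encoded leaf certificate, which matches the value format both configs above carry; the function names are mine.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// NewSelfSignedDER is the reporter's openssl step done in memory: a P-256 key and a self-signed cert for cn, returned as DER.
func NewSelfSignedDER(cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// PinSHA256 is the assumed pin format: lowercase hex SHA-256 over the DER leaf (64 chars, as in both configs on this page).
func PinSHA256(der []byte) string {
	return fmt.Sprintf("%x", sha256.Sum256(der))
}

// CAVerify is the check a self-signed cert cannot pass: build a chain to a trusted root and match serverName.
func CAVerify(cert *x509.Certificate, serverName string) error {
	_, err := cert.Verify(x509.VerifyOptions{DNSName: serverName})
	return err
}

// PinVerify is a tls.Config.VerifyPeerCertificate-shaped callback: accept the peer iff its leaf hashes to pin, ignoring CA and hostname.
func PinVerify(pin string) func([][]byte, [][]*x509.Certificate) error {
	return func(raw [][]byte, _ [][]*x509.Certificate) error {
		if len(raw) == 0 || PinSHA256(raw[0]) != pin {
			return errors.New("peer cert does not match pinned SHA-256")
		}
		return nil
	}
}
```

Wiring PinVerify into a client tls.Config requires InsecureSkipVerify: true, which skips Go's CA and hostname check while the VerifyPeerCertificate callback still runs.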
