Further strip unique signatures of tls handshake #2521
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
1. allow users to disable session ticket 2. set default alpn to ["h2", "http/1.1"]
|
使用h2连接模式,当disableSessionResumption设置成true时,可得到与其他golang程序完全一样的TLS指纹:https://tlsfingerprint.io/id/a91c0644c199823d |
xiaokangwang
approved these changes
Jun 12, 2020
kslr
approved these changes
Jun 19, 2020
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
这个提交里面做了以下几个改动:
["h2", "http/1.1"]之前在GetTLSConfig里有个默认值
["http/1.1"],而在实际调用时,h2与tcp模式又显式设置成["h2"]。现在除了websocket不得不用["http/1.1"],其余地方统一使用新的默认值。h2链接过程新增通过server返回来协商后的alpn是否是h2来判断是否取消链接,而不是之前偷懒式的把client端alpn设置成只有h2。做此修改后,tcp模式与h2模式,以及其他使用tls建立连接的地方,alpn都与其他golang程序一致。设置这个参数的作用是使得ClientHello里没有session_ticket这个扩展。常见的go语言程序的ClientHello里都是没有用这个的,有兴趣的可以自行去查验。不用它的原因,现在h2已经是主流了,都在单个连接里多路复用,这种减少单次连接延迟的手段意义已不大,况且还有安全问题。之前在v2ray的代码里,本来是有这个选项的,然而在v2ctl这边却没有对应,造成实际上不可用。现在在v2ctl里也加上,让他真正生效。个人觉得这个的危险性不如alpn那么大,因此交由用户自己决定是否设置,不改默认值。
(解决 #2522 )