
tls use crypto std cipher suites #2510

Merged
merged 1 commit into from May 31, 2020

Conversation

@vcptr vcptr (Contributor) commented May 30, 2020

No description provided.

@nicholascw nicholascw merged commit 3dfee90 into v2ray:master May 31, 2020
1 check failed
tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
// use tls cipher suites from cryto/tls
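Review bot: typo in the comment on the last line, "cryto/tls" should read "crypto/tls". More substantively, as the review reply below points out, handing crypto/tls an explicit list of every suite it implements (the CBC-SHA entries shown here included) advertises a different set than the library's own defaults, which is itself a distinguishing fingerprint; leaving Config.CipherSuites nil so that defaultCipherSuites() applies is the smaller and safer change.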

This should simply pass nil and let the TLS library initialize the CipherSuites list with defaultCipherSuites(), instead of passing in every CipherSuite the tls package supports. Go's TLS library does not use all CipherSuites by default, so doing this amounts to introducing a new fingerprint.

@ArArgon ArArgon May 31, 2020

Could the default CipherSuites also become a fingerprint? Should we pick from, or randomly select among, the most popular Hello Cipher Suites?

@ghost ghost May 31, 2020


ghost commented May 31, 2020

After a packet-capture experiment on the latest master branch, this PR does indeed avoid the problem of the 15 hard-coded ciphers,
but it potentially introduces other problems:

V2ray traffic

[image: V2ray traffic capture]

OwnCloud traffic

[image: OwnCloud traffic capture]

WeChat built-in web browser traffic

[image: WeChat built-in browser traffic capture]

Baidu family (Baidu apps) traffic

[image: Baidu app traffic capture]

Tim traffic

[image: Tim traffic capture]

As the captures show, the patched V2ray-Core uses 19 ciphers; compared with current Firefox/Chrome/Edge TLS traffic, the order of these ciphers has an ordering pattern that is visible to the naked eye.

In addition, from a quick tally, Owncloud (Qt), Firefox, and Chromium do not put the RSA family of cipher suites ahead of the elliptic-curve ones.
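As an added example (not code from this PR or from v2ray-core), the Go program below shows what the review comments above are discussing: it runs a crypto/tls handshake in-process over net.Pipe and uses the server's GetConfigForClient hook to read back the cipher suite list the client actually put in its ClientHello, once with Config.CipherSuites left nil (the library defaults the review comment recommends) and once with a hand-written two-suite list ordered RSA-before-ECDHE, the ordering the captures above flag. The self-signed certificate, the "localhost" server name and the custom list are constructed for the example. One caveat when comparing with the 2020 captures: since Go 1.17 crypto/tls ignores the order of Config.CipherSuites and emits its own preference order, whereas the Go versions current at the time of this PR sent the list in the configured order; TLS 1.3 suites are advertised regardless of the field.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway ECDSA P-256 certificate (constructed for the example).
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// AdvertisedSuites runs one handshake over net.Pipe with a client whose Config.CipherSuites is
// clientSuites (nil = crypto/tls defaults) and returns the ClientHello suite IDs in wire order.
func AdvertisedSuites(clientSuites []uint16) ([]uint16, error) {
	cert, err := selfSignedCert()
	if err != nil {
		return nil, err
	}
	captured := make(chan []uint16, 1)
	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{cert},
		// net.Pipe is unbuffered: keep NewSessionTicket out of the server's first flight.
		SessionTicketsDisabled: true,
		GetConfigForClient: func(hello *tls.ClientHelloInfo) (*tls.Config, error) {
			captured <- append([]uint16(nil), hello.CipherSuites...)
			return nil, nil // nil keeps serverCfg
		},
	}
	clientCfg := &tls.Config{
		ServerName:         "localhost", // assumed name for the example
		InsecureSkipVerify: true,        // self-signed test cert; never do this in production
		CipherSuites:       clientSuites,
	}
	clientConn, serverConn := net.Pipe()
	serverErr := make(chan error, 1)
	go func() {
		defer serverConn.Close()
		serverErr <- tls.Server(serverConn, serverCfg).Handshake()
	}()
	clientErr := tls.Client(clientConn, clientCfg).Handshake()
	clientConn.Close()
	if err := <-serverErr; err != nil {
		return nil, fmt.Errorf("server handshake: %w", err)
	}
	if clientErr != nil {
		return nil, fmt.Errorf("client handshake: %w", clientErr)
	}
	return <-captured, nil
}

// IndexOf returns the position of id in an advertised list, or -1 if the client left it out.
func IndexOf(list []uint16, id uint16) int {
	for i, v := range list {
		if v == id {
			return i
		}
	}
	return -1
}

func main() {
	cases := []struct{ label string; suites []uint16 }{
		{"CipherSuites: nil (library defaults)", nil},
		// Hand-written list in the order the review objected to, RSA key exchange ahead of
		// ECDHE. Go 1.17+ ignores configured order, so ECDHE still comes first on the wire.
		{"explicit list, RSA first", []uint16{tls.TLS_RSA_WITH_AES_128_CBC_SHA, tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA}},
	}
	for _, c := range cases {
		ids, err := AdvertisedSuites(c.suites)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s -> %d suites on the wire:\n", c.label, len(ids))
		for _, id := range ids {
			fmt.Println("  ", tls.CipherSuiteName(id))
		}
	}
}
```

Running it prints the two lists side by side; the nil case is the set the review comment refers to as defaultCipherSuites(), and the explicit case shows that only the configured TLS 1.2 suites plus the fixed TLS 1.3 suites go out, in the library's order rather than the caller's.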


h0cheung commented May 31, 2020

@Qv2ray-dev This is a difference between TLS libraries; if this were used as a fingerprint for blocking, it would hit a large number of legitimate applications written in golang as collateral damage, wouldn't it?


ghost commented May 31, 2020

@h0cheung In actual testing, the golang program yay does not produce handshake packets with this kind of fingerprint,

However, #2512, merged into the latest master, solves this problem,

which in turn makes the AllowInsecureCiphers option ineffective.

5 participants