Comments (4)
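Found the problem: the cipher suites and the certificate are related. Using a cipher suite that the certificate does not support causes problems and makes the minVersion parameter ineffective.
For an LE RSA certificate, the following configuration is enough: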
extra.tls_cipherSuites = ["TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"]
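Although it was my cipher suites that were written incorrectly, I feel VS's handling logic is also a bit off: if a cipher is not supported, it should simply be ignored instead of TLS 1.2 no longer being supported at all. So I will not close this issue for now; I'll edit the title and see whether the handling logic can be fixed.
Also, the two machines that behaved differently from the others are quite puzzling: their configuration contains a cipher it does not support, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", yet their TLS 1.2 did not drop. Does anyone know why?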
from v2ray_simple.
Whether TLS 1.2 supports a particular suite is not easy to determine. I wonder whether there is a function for checking that?
from v2ray_simple.
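After further experiments, I reached some new conclusions:
First, Go's TLS 1.3 does not support specifying cipher suites, so the related suites (the TLS_AES and TLS_CHACHA20 ones) can all be deleted; writing them has no effect.
As for the TLS 1.2 cipher suites, they depend on the certificate. An RSA certificate uses these three: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"; an ECC certificate uses "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256".
As for my two VPSes that did not lose TLS 1.2: their certificates are RSA, and although one suite meant for ECC was listed, nothing went wrong. The other machines all have ECC certificates, and listing RSA cipher suites there caused the problem. The reason is unknown.
In testing, compatibility turned out not to be that strict. The following setting tested fine on machines with both RSA and ECC certificates: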
extra.tls_cipherSuites = ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"]
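So I suggest changing every template in example that has this option to the setting above. As for the TLS 1.2 dropping problem, I don't know for now whether it can be fixed, so I'll close the issue first; it would be even better if it could be fixed~~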
from v2ray_simple.
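An added example, not part of the thread and not v2ray_simple's own code: a Go check built on the standard library's `crypto/tls` suite table that sorts a configured suite list by the certificate key type, following the RSA/ECC split described in the comment above. The names `Audit` and `Report` and the "RSA"/"ECDSA" key-type strings are assumptions made for illustration; the sample list in `main` is the one posted in the first comment.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// Report groups configured suite names by how they relate to the certificate.
type Report struct {
	Usable12   []string // TLS 1.2 (or older) suites matching the certificate key type
	Mismatched []string // suites that need the other certificate key type
	Ignored13  []string // TLS 1.3-only suites; Config.CipherSuites does not select these
	Unknown    []string // names crypto/tls does not recognise
}

// Audit classifies names for a certificate whose key type is "RSA" or "ECDSA".
func Audit(names []string, certKey string) Report {
	known := map[string]*tls.CipherSuite{}
	for _, cs := range append(tls.CipherSuites(), tls.InsecureCipherSuites()...) {
		known[cs.Name] = cs
	}
	var r Report
	for _, n := range names {
		cs, ok := known[n]
		switch {
		case !ok:
			r.Unknown = append(r.Unknown, n)
		case len(cs.SupportedVersions) == 1 && cs.SupportedVersions[0] == tls.VersionTLS13:
			r.Ignored13 = append(r.Ignored13, n)
		case strings.Contains(n, "_"+certKey+"_"): // suite name encodes the auth key type
			r.Usable12 = append(r.Usable12, n)
		default:
			r.Mismatched = append(r.Mismatched, n)
		}
	}
	return r
}

func main() {
	// Sample input: the suite list from the first comment, checked against an RSA certificate.
	cfg := []string{"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"}
	r := Audit(cfg, "RSA")
	fmt.Printf("%+v\n", r)
	if len(r.Usable12) == 0 {
		fmt.Println("no configured TLS 1.2 suite matches the certificate key type")
	}
}
```

An empty `Usable12` means the list leaves a TLS 1.2 handshake with no suite that the certificate can authenticate.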
OK
from v2ray_simple.