purgatory/Xray-core
1
0
Fork 0
mirror of https://github.com/XTLS/Xray-core.git synced 2025-02-07 01:59:24 +03:00
Code Issues Packages Projects Releases Wiki Activity

MITM: Report website that doesn't support current Domain Fronting config / returned unexpected ALPN http/1.1

Browse Source 
https://github.com/XTLS/Xray-core/issues/4348#issuecomment-2639965524

Needs `"verifyPeerCertInNames": ["fromMitm", ...]` / `"alpn": ["fromMitm"]`.
This commit is contained in:
RPRX 2025-02-06 14:45:20 +00:00 committed by GitHub
parent 07c35ed52a
commit 3b081d3161
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 24 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
transport/internet/tcp/dialer.go
View File

@ -33,7 +33,9 @@ func Dial(ctx context.Context, dest net.Destination, streamSettings *internet.Me
if IsFromMitm(tlsConfig.ServerName) { if IsFromMitm(tlsConfig.ServerName) {
tlsConfig.ServerName = mitmServerName tlsConfig.ServerName = mitmServerName
} }
if r, ok := tlsConfig.Rand.(*tls.RandCarrier); ok && len(r.VerifyPeerCertInNames) > 0 && IsFromMitm(r.VerifyPeerCertInNames[0]) { r, ok := tlsConfig.Rand.(*tls.RandCarrier)
isFromMitmVerify := ok && len(r.VerifyPeerCertInNames) > 0 && IsFromMitm(r.VerifyPeerCertInNames[0])
if isFromMitmVerify {
r.VerifyPeerCertInNames = r.VerifyPeerCertInNames[1:] r.VerifyPeerCertInNames = r.VerifyPeerCertInNames[1:]
after := mitmServerName after := mitmServerName
for { for {
@ -46,29 +48,34 @@ func Dial(ctx context.Context, dest net.Destination, streamSettings *internet.Me
} }
} }
} }
isFromMitmAlpn := len(tlsConfig.NextProtos) == 1 && IsFromMitm(tlsConfig.NextProtos[0])
if isFromMitmAlpn {
if mitmAlpn11 {
tlsConfig.NextProtos[0] = "http/1.1"
} else {
tlsConfig.NextProtos = nil
}
}
if fingerprint := tls.GetFingerprint(config.Fingerprint); fingerprint != nil { if fingerprint := tls.GetFingerprint(config.Fingerprint); fingerprint != nil {
conn = tls.UClient(conn, tlsConfig, fingerprint) conn = tls.UClient(conn, tlsConfig, fingerprint)
if len(tlsConfig.NextProtos) == 1 && (tlsConfig.NextProtos[0] == "http/1.1" || (IsFromMitm(tlsConfig.NextProtos[0]) && mitmAlpn11)) { if len(tlsConfig.NextProtos) == 1 && tlsConfig.NextProtos[0] == "http/1.1" { // allow manually specify
if err := conn.(*tls.UConn).WebsocketHandshakeContext(ctx); err != nil { err = conn.(*tls.UConn).WebsocketHandshakeContext(ctx)
return nil, err
}
} else { } else {
if err := conn.(*tls.UConn).HandshakeContext(ctx); err != nil { err = conn.(*tls.UConn).HandshakeContext(ctx)
return nil, err
}
} }
} else { } else {
if len(tlsConfig.NextProtos) == 1 && IsFromMitm(tlsConfig.NextProtos[0]) {
if mitmAlpn11 {
tlsConfig.NextProtos[0] = "http/1.1"
} else {
tlsConfig.NextProtos = nil
}
}
conn = tls.Client(conn, tlsConfig) conn = tls.Client(conn, tlsConfig)
if err := conn.(*tls.Conn).HandshakeContext(ctx); err != nil { err = conn.(*tls.Conn).HandshakeContext(ctx)
return nil, err }
if err != nil {
if isFromMitmVerify {
return nil, errors.New("MITM: failed to verify " + mitmServerName).Base(err).AtWarning()
} }
return nil, err
}
if isFromMitmAlpn && !mitmAlpn11 && conn.(tls.Interface).NegotiatedProtocol() == "http/1.1" {
conn.Close()
return nil, errors.New("MITM: received unexpected ALPN http/1.1 from " + mitmServerName).AtWarning()
} }
} else if config := reality.ConfigFromStreamSettings(streamSettings); config != nil { } else if config := reality.ConfigFromStreamSettings(streamSettings); config != nil {
if conn, err = reality.UClient(conn, config, ctx, dest); err != nil { if conn, err = reality.UClient(conn, config, ctx, dest); err != nil {