diff --git a/common/tls/utls_client.go b/common/tls/utls_client.go index 71ce8a4e..6364740f 100644 --- a/common/tls/utls_client.go +++ b/common/tls/utls_client.go @@ -217,18 +217,10 @@ func init() { func uTLSClientHelloID(name string) (utls.ClientHelloID, error) { switch name { + case "chrome_psk", "chrome_psk_shuffle", "chrome_padding_psk_shuffle", "chrome_pq": + fallthrough case "chrome", "": return utls.HelloChrome_Auto, nil - case "chrome_psk": - return utls.HelloChrome_100_PSK, nil - case "chrome_psk_shuffle": - return utls.HelloChrome_112_PSK_Shuf, nil - case "chrome_padding_psk_shuffle": - return utls.HelloChrome_114_Padding_PSK_Shuf, nil - case "chrome_pq": - return utls.HelloChrome_115_PQ, nil - case "chrome_pq_psk": - return utls.HelloChrome_115_PQ_PSK, nil case "firefox": return utls.HelloFirefox_Auto, nil case "edge": diff --git a/docs/configuration/inbound/trojan.md b/docs/configuration/inbound/trojan.md index bd6c73b3..e277236b 100644 --- a/docs/configuration/inbound/trojan.md +++ b/docs/configuration/inbound/trojan.md @@ -47,7 +47,7 @@ TLS configuration, see [TLS](/configuration/shared/tls/#inbound). #### fallback -!!! quote "" +!!! failure "" There is no evidence that GFW detects and blocks Trojan servers based on HTTP responses, and opening the standard http/s port on the server is a much bigger signature. diff --git a/docs/configuration/route/rule.md b/docs/configuration/route/rule.md index 91b432df..b5d17f21 100644 --- a/docs/configuration/route/rule.md +++ b/docs/configuration/route/rule.md @@ -4,7 +4,7 @@ icon: material/alert-decagram !!! quote "Changes in sing-box 1.10.0" - :material-plus: [client](#client) + :material-plus: [client](#client) :material-delete-clock: [rule_set_ipcidr_match_source](#rule_set_ipcidr_match_source) :material-plus: [rule_set_ip_cidr_match_source](#rule_set_ip_cidr_match_source) :material-plus: [process_path_regex](#process_path_regex) diff --git a/docs/configuration/shared/tls.md b/docs/configuration/shared/tls.md index 799aa0b0..40343e18 100644 --- a/docs/configuration/shared/tls.md +++ b/docs/configuration/shared/tls.md @@ -1,4 +1,8 @@ -!!! quote "Changes in sing-box 1.8.0" +--- +icon: material/alert-decagram +--- + +!!! quote "Changes in sing-box 1.10.0" :material-alert-decagram: [utls](#utls) @@ -210,28 +214,25 @@ The path to the server private key, in PEM format. ==Client only== -!!! note "" - - uTLS is poorly maintained and the effect may be unproven, use at your own risk. +!!! failure "" + + There is no evidence that GFW detects and blocks servers based on TLS client fingerprinting, and using an imperfect emulation that has not been security reviewed could pose security risks. uTLS is a fork of "crypto/tls", which provides ClientHello fingerprinting resistance. Available fingerprint values: -!!! question "Since sing-box 1.8.0" +!!! warning "Removed since sing-box 1.10.0" - :material-plus: chrome_psk - :material-plus: chrome_psk_shuffle - :material-plus: chrome_padding_psk_shuffle - :material-plus: chrome_pq - :material-plus: chrome_pq_psk + Some legacy chrome fingerprints have been removed and will fallback to chrome: + + :material-close: chrome_psk + :material-close: chrome_psk_shuffle + :material-close: chrome_padding_psk_shuffle + :material-close: chrome_pq + :material-close: chrome_pq_psk * chrome -* chrome_psk -* chrome_psk_shuffle -* chrome_padding_psk_shuffle -* chrome_pq -* chrome_pq_psk * firefox * edge * safari diff --git a/docs/configuration/shared/tls.zh.md b/docs/configuration/shared/tls.zh.md index 68de9845..b254e083 100644 --- a/docs/configuration/shared/tls.zh.md +++ b/docs/configuration/shared/tls.zh.md @@ -1,4 +1,8 @@ -!!! quote "sing-box 1.8.0 中的更改" +--- +icon: material/alert-decagram +--- + +!!! quote "sing-box 1.10.0 中的更改" :material-alert-decagram: [utls](#utls) @@ -44,8 +48,8 @@ "handshake": { "server": "google.com", "server_port": 443, - - ... // 拨号字段 + ... + // 拨号字段 }, "private_key": "UuMBgl7MXTPx9inmQp2UC7Jcnwc6XYbwDNebonM-FCc", "short_id": [ @@ -202,28 +206,25 @@ TLS 版本值: ==仅客户端== -!!! note "" +!!! failure "" - uTLS 维护不善且其效果可能未经证实,使用风险自负。 + 没有证据表明 GFW 根据 TLS 客户端指纹检测并阻止服务器,并且,使用一个未经安全审查的不完美模拟可能带来安全隐患。 uTLS 是 "crypto/tls" 的一个分支,它提供了 ClientHello 指纹识别阻力。 可用的指纹值: -!!! question "自 sing-box 1.8.0 起" +!!! warning "已在 sing-box 1.10.0 移除" - :material-plus: chrome_psk - :material-plus: chrome_psk_shuffle - :material-plus: chrome_padding_psk_shuffle - :material-plus: chrome_pq - :material-plus: chrome_pq_psk + 一些旧 chrome 指纹已被删除,并将会退到 chrome: + + :material-close: chrome_psk + :material-close: chrome_psk_shuffle + :material-close: chrome_padding_psk_shuffle + :material-close: chrome_pq + :material-close: chrome_pq_psk * chrome -* chrome_psk -* chrome_psk_shuffle -* chrome_padding_psk_shuffle -* chrome_pq -* chrome_pq_psk * firefox * edge * safari diff --git a/go.mod b/go.mod index 9bfdbebf..24a6181f 100644 --- a/go.mod +++ b/go.mod @@ -37,7 +37,7 @@ require ( github.com/sagernet/sing-tun v0.4.0-beta.16 github.com/sagernet/sing-vmess v0.1.12 github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7 - github.com/sagernet/utls v1.5.4 + github.com/sagernet/utls v1.6.7 github.com/sagernet/wireguard-go v0.0.0-20231215174105-89dec3b2f3e8 github.com/sagernet/ws v0.0.0-20231204124109-acfe8907c854 github.com/spf13/cobra v1.8.0 @@ -61,7 +61,6 @@ require ( github.com/andybalholm/brotli v1.0.6 // indirect github.com/davecgh/go-spew v1.1.1 // indirect github.com/fsnotify/fsnotify v1.7.0 // indirect - github.com/gaukas/godicttls v0.0.4 // indirect github.com/go-ole/go-ole v1.3.0 // indirect github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect github.com/gobwas/httphead v0.1.0 // indirect diff --git a/go.sum b/go.sum index 21cd7047..19d8f918 100644 --- a/go.sum +++ b/go.sum @@ -17,8 +17,6 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA= github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM= -github.com/gaukas/godicttls v0.0.4 h1:NlRaXb3J6hAnTmWdsEKb9bcSBD6BvcIjdGdeb0zfXbk= -github.com/gaukas/godicttls v0.0.4/go.mod h1:l6EenT4TLWgTdwslVb4sEMOCf7Bv0JAK67deKr9/NCI= github.com/go-chi/chi/v5 v5.0.12 h1:9euLV5sTrTNTRUU9POmDUvfxyj6LAABLUcEWO+JJb4s= github.com/go-chi/chi/v5 v5.0.12/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8= github.com/go-chi/render v1.0.3 h1:AsXqd2a1/INaIfUSKq3G5uA8weYx20FOsM7uSoCyyt4= @@ -137,8 +135,8 @@ github.com/sagernet/sing-vmess v0.1.12 h1:2gFD8JJb+eTFMoa8FIVMnknEi+vCSfaiTXTfEY github.com/sagernet/sing-vmess v0.1.12/go.mod h1:luTSsfyBGAc9VhtCqwjR+dt1QgqBhuYBCONB/POhF8I= github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7 h1:DImB4lELfQhplLTxeq2z31Fpv8CQqqrUwTbrIRumZqQ= github.com/sagernet/smux v0.0.0-20231208180855-7041f6ea79e7/go.mod h1:FP9X2xjT/Az1EsG/orYYoC+5MojWnuI7hrffz8fGwwo= -github.com/sagernet/utls v1.5.4 h1:KmsEGbB2dKUtCNC+44NwAdNAqnqQ6GA4pTO0Yik56co= -github.com/sagernet/utls v1.5.4/go.mod h1:CTGxPWExIloRipK3XFpYv0OVyhO8kk3XCGW/ieyTh1s= +github.com/sagernet/utls v1.6.7 h1:Ep3+aJ8FUGGta+II2IEVNUc3EDhaRCZINWkj/LloIA8= +github.com/sagernet/utls v1.6.7/go.mod h1:Uua1TKO/FFuAhLr9rkaVnnrTmmiItzDjv1BUb2+ERwM= github.com/sagernet/wireguard-go v0.0.0-20231215174105-89dec3b2f3e8 h1:R0OMYAScomNAVpTfbHFpxqJpvwuhxSRi+g6z7gZhABs= github.com/sagernet/wireguard-go v0.0.0-20231215174105-89dec3b2f3e8/go.mod h1:K4J7/npM+VAMUeUmTa2JaA02JmyheP0GpRBOUvn3ecc= github.com/sagernet/ws v0.0.0-20231204124109-acfe8907c854 h1:6uUiZcDRnZSAegryaUGwPC/Fj13JSHwiTftrXhMmYOc=