
Comments (15)

Fangliding avatar Fangliding commented on September 26, 2024

Can it access an http website?

from xray-core.

sky-chen avatar sky-chen commented on September 26, 2024

Yes. Both http and https work fine.


Fangliding avatar Fangliding commented on September 26, 2024

I mean use this node to access an http website (since it will get an SSL error when accessing https).
Btw, please provide the config, even if you are following a tutorial.


sky-chen avatar sky-chen commented on September 26, 2024

Can't access http sites; a download popup appears, but the download can't finish due to a network issue.

Yep, sure, here's the client config (for the sake of completeness, the full config is provided):


// REFERENCE:
// https://github.com/XTLS/Xray-examples
// https://xtls.github.io/config/

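// A typical config file, whether for the server or the client, has 5 parts. With a beginner-level explanation of each:
// ┌─ 1_log Log settings - what to log and where to write it (so there is a record to consult when something goes wrong)
// ├─ 2_dns DNS settings - how DNS is resolved (guards against DNS poisoning and snooping, avoids sites served both inside and outside China being matched to an overseas server, etc.)
// ├─ 3_routing Routing settings - how traffic is classified and handled (whether to filter ads, whether to split domestic and overseas traffic)
// ├─ 4_inbounds Inbound settings - what traffic may flow into Xray
// └─ 5_outbounds Outbound settings - where traffic leaving Xray goes

{
  // 1_Log settings
  // Note: in this example I have commented out the log files by default, because Windows, macOS and Linux need different paths; configure them yourself
  "log": {
    // "access": "/home/local/xray_log/access.log", // access log
    // "error": "/home/local/xray_log/error.log", // error log
    "loglevel": "debug" // verbosity from least to most: "none", "error", "warning", "info", "debug"
  },

  // 2_DNS settings
  "dns": {
    "servers": [
      // 2.1 Resolve overseas domains with an overseas DNS server
      {
        "address": "1.1.1.1",
        "domains": ["geosite:geolocation-!cn"]
      },
      // 2.2 Resolve domestic domains with a domestic DNS server and expect a domestic IP in return; if the IP is not domestic, discard it and use the next server
      {
        "address": "223.5.5.5",
        "domains": ["geosite:cn"],
        "expectIPs": ["geoip:cn"]
      },
      // 2.3 Backup for 2.2: query domestic sites a second time
      {
        "address": "114.114.114.114",
        "domains": ["geosite:cn"]
      },
      // 2.4 Last-resort backup: when all of the above fail, use the local machine's DNS
      "localhost"
    ]
  },

  // 3_Routing settings
  // Routing means handling traffic that matches a given condition with the outbound protocol of the specified tag (see section 5.x of this config)
  "routing": {
    "domainStrategy": "IPIfNonMatch",
    "rules": [
      // 3.1 Block ad domains
      {
        "type": "field",
        "domain": ["geosite:category-ads-all"],
        "outboundTag": "block"
      },
      // 3.2 Connect directly to domestic domains
      {
        "type": "field",
        "domain": ["geosite:cn"],
        "outboundTag": "direct"
      },
      // 3.3 Connect directly to domestic IPs
      {
        "type": "field",
        "ip": ["geoip:cn", "geoip:private"],
        "outboundTag": "direct"
      },
      // 3.4 Proxy overseas domains
      {
        "type": "field",
        "domain": ["geosite:geolocation-!cn"],
        "outboundTag": "proxy"
      },
      // 3.5 Default rule
      // In Xray, any traffic that matches none of the routing rules above uses the [first outbound (5.1)] by default, so the outbound that forwards to the VPS must be placed first
      // 3.6 Route DNS query traffic going to the domestic "223.5.5.5" server through the direct outbound
      {
        "type": "field",
        "ip": ["223.5.5.5"],
        "outboundTag": "direct"
      }
    ]
  },

  // 4_Inbound settings
  "inbounds": [
    // 4.1 The socks5 protocol is normally used by default for local forwarding
    {
      "tag": "socks-in",
      "protocol": "socks",
      "listen": "127.0.0.1", // address for local forwarding over the socks5 protocol
      "port": 1080, // port for local forwarding over the socks5 protocol
      "settings": {
        "udp": true
      }
    }
  ],

  // 5_Outbound settings
  "outbounds": [
    // 5.1 Default: forward to the VPS
    // Must be placed first; as explained in routing 3.5, this is effectively the default rule, and all traffic that matches no rule goes through it
    {
      "tag": "proxy",
      "protocol": "vless",
      "settings": {
        "vnext": [
          {
            "address": "www.foobar.com", // replace with your real domain
            "port": 443,
            "users": [
              {
                "id": "36304791-f66f-xxx",
                "flow": "xtls-rprx-vision",
                "encryption": "none"
              }
            ]
          }
        ]
      },
      "streamSettings": {
        "network": "tcp",
        "security": "tls",
        "tlsSettings": {
          "serverName": "www.foobar.com", // replace with your real domain
          "allowInsecure": false, // disallow insecure certificates
          "fingerprint": "chrome", // use the uTLS library to mimic a Chrome / Firefox / Safari fingerprint, or a randomly generated one
          "minVersion": "1.2"
        }
      }
    },
    // 5.2 Direct outbound via the freedom protocol: used when routing specifies 'direct'
    {
      "tag": "direct",
      "protocol": "freedom"
    },
    // 5.3 Block traffic via the blackhole protocol: used when routing specifies 'block'
    {
      "tag": "block",
      "protocol": "blackhole"
    }
  ]
}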

And the server config:


// REFERENCE:
// https://github.com/XTLS/Xray-examples
// https://xtls.github.io/config/
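// A typical config file, whether for the server or the client, has 5 parts. With a beginner-level explanation of each:
// ┌─ 1_log Log settings - what to log and where to write it (so there is a record to consult when something goes wrong)
// ├─ 2_dns DNS settings - how DNS is resolved (guards against DNS poisoning and snooping, avoids sites served both inside and outside China being matched to an overseas server, etc.)
// ├─ 3_routing Routing settings - how traffic is classified and handled (whether to filter ads, whether to split domestic and overseas traffic)
// ├─ 4_inbounds Inbound settings - what traffic may flow into Xray
// └─ 5_outbounds Outbound settings - where traffic leaving Xray goes
{
  // 1_Log settings
  "log": {
    "loglevel": "debug", // verbosity from least to most: "none", "error", "warning", "info", "debug"
    "access": "/home/my/xray_log/access.log", // access log
    "error": "/home/my/xray_log/error.log" // error log
  },
  // 2_DNS settings
  "dns": {
    "servers": [
      "https+local://1.1.1.1/dns-query", // prefer DoH via 1.1.1.1; trades speed for protection against ISP snooping
      "localhost"
    ]
  },
  // 3_Routing settings
  "routing": {
    "domainStrategy": "IPIfNonMatch",
    "rules": [
      // 3.1 Prevent local-forwarding problems on the server, e.g. the internal network being attacked or abused, erroneous local loopback, etc.
      {
        "type": "field",
        "ip": [
          "geoip:private" // routing condition: the rule named "private" in the geoip file (local addresses)
        ],
        "outboundTag": "block" // routing policy: hand over to the "block" outbound (blackholed)
      },
      {
        // 3.2 Prevent the server from connecting directly to China
        "type": "field",
        "ip": ["geoip:cn"],
        "outboundTag": "block"
      },
      // 3.3 Block ads
      {
        "type": "field",
        "domain": [
          "geosite:category-ads-all" // routing condition: the rule named "category-ads-all" in the geosite file (all kinds of ad domains)
        ],
        "outboundTag": "block" // routing policy: hand over to the "block" outbound (blackholed)
      }
    ]
  },
  // 4_Inbound settings
  // 4.1 Only the simplest vless+xtls inbound is written here, because this is Xray's most powerful mode. If you need anything else, add it yourself following the template.
  "inbounds": [
    {
      "port": 443,
      "protocol": "vless",
      "settings": {
        "clients": [
          {
            "id": "36304791-f66f-xxx", // fill in your UUID
            "flow": "xtls-rprx-vision",
            "level": 0,
            "email": "[email protected]"
          }
        ],
        "decryption": "none",
        "fallbacks": [
          {
            "dest": 80 // fall back by default to the anti-probing proxy
          }
        ]
      },
      "streamSettings": {
        "network": "tcp",
        "security": "tls",
        "tlsSettings": {
          "alpn": "http/1.1",
          "certificates": [
            {
              "certificateFile": "/home/my/xray_cert/xray.crt",
              "keyFile": "/home/my/xray_cert/xray.key"
            }
          ],
          "minVersion": "1.2"
        }
      }
    }
  ],
  // 5_Outbound settings
  "outbounds": [
    // 5.1 The first outbound is the default rule; freedom is a direct outbound connection (the VPS is already outside, so it connects directly)
    {
      "tag": "direct",
      "protocol": "freedom"
    },
    // 5.2 Block rule: the blackhole protocol sends traffic into a black hole (blocks it)
    {
      "tag": "block",
      "protocol": "blackhole"
    }
  ]
}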


kingwilliam avatar kingwilliam commented on September 26, 2024
          "certificates": [
            {
              "certificateFile": "/home/my/xray_cert/xray.crt",
              "keyFile": "/home/my/xray_cert/xray.key"
            }
          ],

Is your xray.crt a self-signed cert or a real cert?


sky-chen avatar sky-chen commented on September 26, 2024
          "certificates": [
            {
              "certificateFile": "/home/my/xray_cert/xray.crt",
              "keyFile": "/home/my/xray_cert/xray.key"
            }
          ],

Is your xray.crt a self-signed cert or a real cert?

The cert is from Let's Encrypt. It should be set up correctly because my site's https is working; also, I can see from the browser that my site's cert is valid.


Fangliding avatar Fangliding commented on September 26, 2024

server log?


sky-chen avatar sky-chen commented on September 26, 2024

server log?

I restarted xray and tried the tunnel (tried visiting both http and https sites). There is no log for the tunnel part, only the initial log for the restart. Here's the error log; the access log is always empty even though I set log level = "debug".


2024/05/18 08:36:20 [Debug] app/log: Logger started
2024/05/18 08:36:20 [Info] app/dns: DNS: created Local DOH client for https://1.1.1.1/dns-query
2024/05/18 08:36:20 [Info] app/dns: DNS: created localhost client
2024/05/18 08:36:20 [Debug] app/router: MphDomainMatcher is enabled for 719 domain rule(s)
2024/05/18 08:36:20 [Debug] app/proxyman/inbound: creating stream worker on 0.0.0.0:443
2024/05/18 08:36:20 [Info] transport/internet/tcp: listening TCP on 0.0.0.0:443
2024/05/18 08:36:20 [Warning] core: Xray 1.8.11 started
2024/05/18 08:36:24 [Info] [4069969794] proxy/vless/inbound: firstLen = 0
2024/05/18 08:36:24 [Info] [4069969794] proxy/vless/inbound: fallback starts > proxy/vless/inbound: fallback directly
2024/05/18 08:36:24 [Info] [4069969794] proxy/vless/inbound: realName = 
2024/05/18 08:36:24 [Info] [4069969794] proxy/vless/inbound: realAlpn = 
2024/05/18 08:36:25 [Info] [4069969794] app/proxyman/inbound: connection ends > proxy/vless/inbound: fallback ends > context canceled

Interestingly, I checked the browser response and saw http/0.9 200 ok, which led me to an SO page that includes this:

I've found that I get the same 'HTTP/0.9 200 OK' response if I try to connect to the SSL port (443) but specifying 'http' as the protocol.

I wonder if that could shed light on the cause; perhaps client - server, or server - target_site, is communicating with an incorrect protocol?


Fangliding avatar Fangliding commented on September 26, 2024

"www.foobar.com"
Is this your site?


sky-chen avatar sky-chen commented on September 26, 2024

"www.foobar.com" Is this your site?

no. I made it up


ax003 avatar ax003 commented on September 26, 2024

It seems all the Oracle ones are done for.


WordsWorthLess avatar WordsWorthLess commented on September 26, 2024

I think the 'alpn' object in the server config should be an array.

"alpn": "http/1.1",

I am surprised that the xray service is up and running despite the incorrect alpn setting.


sky-chen avatar sky-chen commented on September 26, 2024

Solved. I use Cloudflare to manage my domain, which automatically set up a proxy for my site, so tunnel traffic was actually routed to the Cloudflare proxy rather than to my VPS. Just a heads-up for people with Cloudflare.

from xray-core.
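
A pre-flight check for the cause reported in the comment above, as an added example that is not part of the original thread or of the Xray project: it classifies whether the outbound "address" resolves to the VPS itself or to a Cloudflare edge. The function names are hypothetical, the range list is a snapshot of Cloudflare's published IPv4 list (an assumption that may be stale), and 203.0.113.10 is a constructed stand-in for the VPS address.

```python
import ipaddress
import socket

# Snapshot of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4).
# Assumption: the list may have changed since; refresh it before relying on the result.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

def resolve_v4(hostname):
    """Return the IPv4 addresses the system resolver gives for hostname."""
    infos = socket.getaddrinfo(hostname, 443, family=socket.AF_INET,
                               type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def classify(resolved, vps_ip):
    """Classify where the name in the outbound "address" field really points.

    resolved: IPv4 strings the domain resolves to
    vps_ip:   public IPv4 address of the Xray server
    """
    addrs = [ipaddress.ip_address(a) for a in resolved]
    if not addrs:
        return "unresolved"
    if any(a in net for a in addrs for net in CLOUDFLARE_V4):
        return "cloudflare-proxied"  # connection lands on the CDN edge, not on Xray
    if all(a == ipaddress.ip_address(vps_ip) for a in addrs):
        return "direct"              # DNS-only record, reaches the VPS
    return "mismatch"                # some other host answers for this name

def check(hostname, vps_ip, resolver=resolve_v4):
    """Resolve hostname (resolver is injectable for offline use) and classify it."""
    return classify(resolver(hostname), vps_ip)

if __name__ == "__main__":
    # Constructed sample DNS answers, so the script runs offline.
    samples = {
        "proxied record": ["104.21.0.1", "172.67.0.1"],
        "DNS-only record": ["203.0.113.10"],
        "stale record": ["198.51.100.7"],
    }
    for label, answers in samples.items():
        print(f"{label:16} {answers} -> {classify(answers, '203.0.113.10')}")
```

For a live check, call `check("your.domain", "your.vps.ip")` from the client machine, since that is the resolver path the Xray client uses for the outbound address.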

Fangliding avatar Fangliding commented on September 26, 2024

damn cloudflare problem


yuhan6665 avatar yuhan6665 commented on September 26, 2024

Love it when capable users can resolve issues by themselves :)
