tls

package
v1.8.16 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Sep 13, 2025 License: MPL-2.0 Imports: 45 Imported by: 0

Documentation

Index

Constants

View Source 
const ExtensionEncryptedClientHello = 0xfe0d
View Source 
const KDF_HKDF_SHA384 = 0x0002
View Source 
const KDF_HKDF_SHA512 = 0x0003

Variables

View Source 
var (
	Certificate_Usage_name = map[int32]string{
		0: "ENCIPHERMENT",
		1: "AUTHORITY_VERIFY",
		2: "AUTHORITY_ISSUE",
	}
	Certificate_Usage_value = map[string]int32{
		"ENCIPHERMENT":     0,
		"AUTHORITY_VERIFY": 1,
		"AUTHORITY_ISSUE":  2,
	}
)

Enum value maps for Certificate_Usage.

View Source 
var ErrInvalidLen = errors.New("goech: invalid length")
View Source 
var File_transport_internet_tls_config_proto protoreflect.FileDescriptor
View Source 
var (
	// The keys for both maps must be generated by ECHCacheKey().
	GlobalECHConfigCache = utils.NewTypedSyncMap[string, *ECHConfigCache]()
)
View Source 
var ModernFingerprints = map[string]*utls.ClientHelloID{

	"hellofirefox_99":         &utls.HelloFirefox_99,
	"hellofirefox_102":        &utls.HelloFirefox_102,
	"hellofirefox_105":        &utls.HelloFirefox_105,
	"hellofirefox_120":        &utls.HelloFirefox_120,
	"hellochrome_83":          &utls.HelloChrome_83,
	"hellochrome_87":          &utls.HelloChrome_87,
	"hellochrome_96":          &utls.HelloChrome_96,
	"hellochrome_100":         &utls.HelloChrome_100,
	"hellochrome_102":         &utls.HelloChrome_102,
	"hellochrome_106_shuffle": &utls.HelloChrome_106_Shuffle,
	"hellochrome_120":         &utls.HelloChrome_120,
	"hellochrome_131":         &utls.HelloChrome_131,
	"helloios_13":             &utls.HelloIOS_13,
	"helloios_14":             &utls.HelloIOS_14,
	"helloedge_85":            &utls.HelloEdge_85,
	"helloedge_106":           &utls.HelloEdge_106,
	"hellosafari_16_0":        &utls.HelloSafari_16_0,
	"hello360_11_0":           &utls.Hello360_11_0,
	"helloqq_11_1":            &utls.HelloQQ_11_1,
}
View Source 
var OtherFingerprints = map[string]*utls.ClientHelloID{

	"hellogolang":            &utls.HelloGolang,
	"hellorandomized":        &utls.HelloRandomized,
	"hellorandomizedalpn":    &utls.HelloRandomizedALPN,
	"hellorandomizednoalpn":  &utls.HelloRandomizedNoALPN,
	"hellofirefox_auto":      &utls.HelloFirefox_Auto,
	"hellofirefox_55":        &utls.HelloFirefox_55,
	"hellofirefox_56":        &utls.HelloFirefox_56,
	"hellofirefox_63":        &utls.HelloFirefox_63,
	"hellofirefox_65":        &utls.HelloFirefox_65,
	"hellochrome_auto":       &utls.HelloChrome_Auto,
	"hellochrome_58":         &utls.HelloChrome_58,
	"hellochrome_62":         &utls.HelloChrome_62,
	"hellochrome_70":         &utls.HelloChrome_70,
	"hellochrome_72":         &utls.HelloChrome_72,
	"helloios_auto":          &utls.HelloIOS_Auto,
	"helloios_11_1":          &utls.HelloIOS_11_1,
	"helloios_12_1":          &utls.HelloIOS_12_1,
	"helloandroid_11_okhttp": &utls.HelloAndroid_11_OkHttp,
	"helloedge_auto":         &utls.HelloEdge_Auto,
	"hellosafari_auto":       &utls.HelloSafari_Auto,
	"hello360_auto":          &utls.Hello360_Auto,
	"hello360_7_5":           &utls.Hello360_7_5,
	"helloqq_auto":           &utls.HelloQQ_Auto,

	"hellochrome_100_psk":              &utls.HelloChrome_100_PSK,
	"hellochrome_112_psk_shuf":         &utls.HelloChrome_112_PSK_Shuf,
	"hellochrome_114_padding_psk_shuf": &utls.HelloChrome_114_Padding_PSK_Shuf,
	"hellochrome_115_pq":               &utls.HelloChrome_115_PQ,
	"hellochrome_115_pq_psk":           &utls.HelloChrome_115_PQ_PSK,
	"hellochrome_120_pq":               &utls.HelloChrome_120_PQ,
}
View Source 
var PresetFingerprints = map[string]*utls.ClientHelloID{

	"chrome":           &utls.HelloChrome_Auto,
	"firefox":          &utls.HelloFirefox_Auto,
	"safari":           &utls.HelloSafari_Auto,
	"ios":              &utls.HelloIOS_Auto,
	"android":          &utls.HelloAndroid_11_OkHttp,
	"edge":             &utls.HelloEdge_Auto,
	"360":              &utls.Hello360_Auto,
	"qq":               &utls.HelloQQ_Auto,
	"random":           nil,
	"randomized":       nil,
	"randomizednoalpn": nil,
	"unsafe":           nil,
}

Functions

func ApplyECH added in v1.8.16 

func ApplyECH(c *Config, config *tls.Config) error

func CalculatePEMCertChainSHA256Hash 

func CalculatePEMCertChainSHA256Hash(certContent []byte) string

func Client 

func Client(c net.Conn, config *tls.Config) net.Conn

Client initiates a TLS client handshake on the given connection.

func ConvertToGoECHKeys added in v1.8.16 

func ConvertToGoECHKeys(data []byte) ([]tls.EncryptedClientHelloKey, error)

func ECHCacheKey added in v1.8.16 

func ECHCacheKey(server, domain string, sockopt *internet.SocketConfig) string

sockopt can be nil if not specified. if for clientForECHDOH, domain can be empty.

func GenerateCertChainHash 

func GenerateCertChainHash(rawCerts [][]byte) []byte

func GenerateCertPublicKeyHash 

func GenerateCertPublicKeyHash(cert *x509.Certificate) []byte

func GenerateECHKeySet added in v1.8.16 

func GenerateECHKeySet(configID uint8, domain string, kem uint16) (reality.EchConfig, []byte, error)

func GetFingerprint 

func GetFingerprint(name string) (fingerprint *utls.ClientHelloID)

func IsFromMitm added in v1.8.16 

func IsFromMitm(str string) bool

func MarshalBinary added in v1.8.16 

func MarshalBinary(ech reality.EchConfig) ([]byte, error)

reference github.com/OmarTariq612/goech

func NewGrpcUtls 

func NewGrpcUtls(c *gotls.Config, fingerprint *utls.ClientHelloID) credentials.TransportCredentials

NewGrpcUtls uses c to construct a TransportCredentials based on uTLS.

func ParseCurveName added in v1.8.14 

func ParseCurveName(curveNames []string) []tls.CurveID

func QueryRecord added in v1.8.16 

func QueryRecord(domain string, server string, forceQuery string, sockopt *internet.SocketConfig) ([]byte, error)

QueryRecord returns the ECH config for given domain. If the record is not in cache or expired, it will query the DNS server and update the cache.

func Server 

func Server(c net.Conn, config *tls.Config) net.Conn

Server initiates a TLS server handshake on the given connection.

func UClient 

func UClient(c net.Conn, config *tls.Config, fingerprint *utls.ClientHelloID) net.Conn

Types

type Certificate 

type Certificate struct {

	// TLS certificate in x509 format.
	Certificate []byte `protobuf:"bytes,1,opt,name=certificate,proto3" json:"certificate,omitempty"`
	// TLS key in x509 format.
	Key          []byte            `protobuf:"bytes,2,opt,name=key,proto3" json:"key,omitempty"`
	Usage        Certificate_Usage `protobuf:"varint,3,opt,name=usage,proto3,enum=xray.transport.internet.tls.Certificate_Usage" json:"usage,omitempty"`
	OcspStapling uint64            `protobuf:"varint,4,opt,name=ocsp_stapling,json=ocspStapling,proto3" json:"ocsp_stapling,omitempty"`
	// TLS certificate path
	CertificatePath string `protobuf:"bytes,5,opt,name=certificate_path,json=certificatePath,proto3" json:"certificate_path,omitempty"`
	// TLS Key path
	KeyPath string `protobuf:"bytes,6,opt,name=key_path,json=keyPath,proto3" json:"key_path,omitempty"`
	// If true, one-Time Loading
	OneTimeLoading bool `protobuf:"varint,7,opt,name=One_time_loading,json=OneTimeLoading,proto3" json:"One_time_loading,omitempty"`
	BuildChain     bool `protobuf:"varint,8,opt,name=build_chain,json=buildChain,proto3" json:"build_chain,omitempty"`
	// contains filtered or unexported fields
}

func ParseCertificate 

func ParseCertificate(c *cert.Certificate) *Certificate

ParseCertificate converts a cert.Certificate to Certificate.

func (*Certificate) Descriptor deprecated 

func (*Certificate) Descriptor() ([]byte, []int)

Deprecated: Use Certificate.ProtoReflect.Descriptor instead.

func (*Certificate) GetBuildChain added in v1.8.14 

func (x *Certificate) GetBuildChain() bool

func (*Certificate) GetCertificate 

func (x *Certificate) GetCertificate() []byte

func (*Certificate) GetCertificatePath 

func (x *Certificate) GetCertificatePath() string

func (*Certificate) GetKey 

func (x *Certificate) GetKey() []byte

func (*Certificate) GetKeyPath 

func (x *Certificate) GetKeyPath() string

func (*Certificate) GetOcspStapling 

func (x *Certificate) GetOcspStapling() uint64

func (*Certificate) GetOneTimeLoading 

func (x *Certificate) GetOneTimeLoading() bool

func (*Certificate) GetUsage 

func (x *Certificate) GetUsage() Certificate_Usage

func (*Certificate) ProtoMessage 

func (*Certificate) ProtoMessage()

func (*Certificate) ProtoReflect 

func (x *Certificate) ProtoReflect() protoreflect.Message

func (*Certificate) Reset 

func (x *Certificate) Reset()

func (*Certificate) String 

func (x *Certificate) String() string

type Certificate_Usage 

type Certificate_Usage int32
const (
	Certificate_ENCIPHERMENT     Certificate_Usage = 0
	Certificate_AUTHORITY_VERIFY Certificate_Usage = 1
	Certificate_AUTHORITY_ISSUE  Certificate_Usage = 2
)

func (Certificate_Usage) Descriptor 

func (Certificate_Usage) Descriptor() protoreflect.EnumDescriptor

func (Certificate_Usage) Enum 

func (x Certificate_Usage) Enum() *Certificate_Usage

func (Certificate_Usage) EnumDescriptor deprecated 

func (Certificate_Usage) EnumDescriptor() ([]byte, []int)

Deprecated: Use Certificate_Usage.Descriptor instead.

func (Certificate_Usage) Number 

func (x Certificate_Usage) Number() protoreflect.EnumNumber

func (Certificate_Usage) String 

func (x Certificate_Usage) String() string

func (Certificate_Usage) Type 

func (Certificate_Usage) Type() protoreflect.EnumType

type Config 

type Config struct {

	// Whether or not to allow self-signed certificates.
	AllowInsecure bool `protobuf:"varint,1,opt,name=allow_insecure,json=allowInsecure,proto3" json:"allow_insecure,omitempty"`
	// List of certificates to be served on server.
	Certificate []*Certificate `protobuf:"bytes,2,rep,name=certificate,proto3" json:"certificate,omitempty"`
	// Override server name.
	ServerName string `protobuf:"bytes,3,opt,name=server_name,json=serverName,proto3" json:"server_name,omitempty"`
	// Lists of string as ALPN values.
	NextProtocol []string `protobuf:"bytes,4,rep,name=next_protocol,json=nextProtocol,proto3" json:"next_protocol,omitempty"`
	// Whether or not to enable session (ticket) resumption.
	EnableSessionResumption bool `` /* 133-byte string literal not displayed */
	// If true, root certificates on the system will not be loaded for
	// verification.
	DisableSystemRoot bool `protobuf:"varint,6,opt,name=disable_system_root,json=disableSystemRoot,proto3" json:"disable_system_root,omitempty"`
	// The minimum TLS version.
	MinVersion string `protobuf:"bytes,7,opt,name=min_version,json=minVersion,proto3" json:"min_version,omitempty"`
	// The maximum TLS version.
	MaxVersion string `protobuf:"bytes,8,opt,name=max_version,json=maxVersion,proto3" json:"max_version,omitempty"`
	// Specify cipher suites, except for TLS 1.3.
	CipherSuites string `protobuf:"bytes,9,opt,name=cipher_suites,json=cipherSuites,proto3" json:"cipher_suites,omitempty"`
	// TLS Client Hello fingerprint (uTLS).
	Fingerprint      string `protobuf:"bytes,11,opt,name=fingerprint,proto3" json:"fingerprint,omitempty"`
	RejectUnknownSni bool   `protobuf:"varint,12,opt,name=reject_unknown_sni,json=rejectUnknownSni,proto3" json:"reject_unknown_sni,omitempty"`
	// @Document Some certificate chain sha256 hashes.
	// @Document After normal validation or allow_insecure, if the server's cert chain hash does not match any of these values, the connection will be aborted.
	// @Critical
	PinnedPeerCertificateChainSha256 [][]byte `` /* 164-byte string literal not displayed */
	// @Document Some certificate public key sha256 hashes.
	// @Document After normal validation (required), if one of certs in verified chain matches one of these values, the connection will be eventually accepted.
	// @Critical
	PinnedPeerCertificatePublicKeySha256 [][]byte `` /* 178-byte string literal not displayed */
	MasterKeyLog                         string   `protobuf:"bytes,15,opt,name=master_key_log,json=masterKeyLog,proto3" json:"master_key_log,omitempty"`
	// Lists of string as CurvePreferences values.
	CurvePreferences []string `protobuf:"bytes,16,rep,name=curve_preferences,json=curvePreferences,proto3" json:"curve_preferences,omitempty"`
	// @Document Replaces server_name to verify the peer cert.
	// @Document After allow_insecure (automatically), if the server's cert can't be verified by any of these names, pinned_peer_certificate_chain_sha256 will be tried.
	// @Critical
	VerifyPeerCertInNames []string               `` /* 131-byte string literal not displayed */
	EchServerKeys         []byte                 `protobuf:"bytes,18,opt,name=ech_server_keys,json=echServerKeys,proto3" json:"ech_server_keys,omitempty"`
	EchConfigList         string                 `protobuf:"bytes,19,opt,name=ech_config_list,json=echConfigList,proto3" json:"ech_config_list,omitempty"`
	EchForceQuery         string                 `protobuf:"bytes,20,opt,name=ech_force_query,json=echForceQuery,proto3" json:"ech_force_query,omitempty"`
	EchSocketSettings     *internet.SocketConfig `protobuf:"bytes,21,opt,name=ech_socket_settings,json=echSocketSettings,proto3" json:"ech_socket_settings,omitempty"`
	// contains filtered or unexported fields
}

func ConfigFromStreamSettings 

func ConfigFromStreamSettings(settings *internet.MemoryStreamConfig) *Config

ConfigFromStreamSettings fetches Config from stream settings. Nil if not found.

func (*Config) BuildCertificates 

func (c *Config) BuildCertificates() []*tls.Certificate

BuildCertificates builds a list of TLS certificates from proto definition.

func (*Config) Descriptor deprecated 

func (*Config) Descriptor() ([]byte, []int)

Deprecated: Use Config.ProtoReflect.Descriptor instead.

func (*Config) GetAllowInsecure 

func (x *Config) GetAllowInsecure() bool

func (*Config) GetCertificate 

func (x *Config) GetCertificate() []*Certificate

func (*Config) GetCipherSuites 

func (x *Config) GetCipherSuites() string

func (*Config) GetCurvePreferences added in v1.8.14 

func (x *Config) GetCurvePreferences() []string

func (*Config) GetDisableSystemRoot 

func (x *Config) GetDisableSystemRoot() bool

func (*Config) GetEchConfigList added in v1.8.16 

func (x *Config) GetEchConfigList() string

func (*Config) GetEchForceQuery added in v1.8.16 

func (x *Config) GetEchForceQuery() string

func (*Config) GetEchServerKeys added in v1.8.16 

func (x *Config) GetEchServerKeys() []byte

func (*Config) GetEchSocketSettings added in v1.8.16 

func (x *Config) GetEchSocketSettings() *internet.SocketConfig

func (*Config) GetEnableSessionResumption 

func (x *Config) GetEnableSessionResumption() bool

func (*Config) GetFingerprint 

func (x *Config) GetFingerprint() string

func (*Config) GetMasterKeyLog 

func (x *Config) GetMasterKeyLog() string

func (*Config) GetMaxVersion 

func (x *Config) GetMaxVersion() string

func (*Config) GetMinVersion 

func (x *Config) GetMinVersion() string

func (*Config) GetNextProtocol 

func (x *Config) GetNextProtocol() []string

func (*Config) GetPinnedPeerCertificateChainSha256 

func (x *Config) GetPinnedPeerCertificateChainSha256() [][]byte

func (*Config) GetPinnedPeerCertificatePublicKeySha256 

func (x *Config) GetPinnedPeerCertificatePublicKeySha256() [][]byte

func (*Config) GetRejectUnknownSni 

func (x *Config) GetRejectUnknownSni() bool

func (*Config) GetServerName 

func (x *Config) GetServerName() string

func (*Config) GetTLSConfig 

func (c *Config) GetTLSConfig(opts ...Option) *tls.Config

GetTLSConfig converts this Config into tls.Config.

func (*Config) GetVerifyPeerCertInNames added in v1.8.14 

func (x *Config) GetVerifyPeerCertInNames() []string

func (*Config) ProtoMessage 

func (*Config) ProtoMessage()

func (*Config) ProtoReflect 

func (x *Config) ProtoReflect() protoreflect.Message

func (*Config) Reset 

func (x *Config) Reset()

func (*Config) String 

func (x *Config) String() string

type Conn 

type Conn struct {
	*tls.Conn
}

func (*Conn) Close 

func (c *Conn) Close() error

func (*Conn) HandshakeContextServerName added in v1.8.14 

func (c *Conn) HandshakeContextServerName(ctx context.Context) string

func (*Conn) NegotiatedProtocol 

func (c *Conn) NegotiatedProtocol() string

func (*Conn) WriteMultiBuffer 

func (c *Conn) WriteMultiBuffer(mb buf.MultiBuffer) error

type ECHConfigCache added in v1.8.16 

type ECHConfigCache struct {

	// updateLock is not for preventing concurrent read/write, but for preventing concurrent update
	UpdateLock sync.Mutex
	// contains filtered or unexported fields
}

func (*ECHConfigCache) Update added in v1.8.16 

func (c *ECHConfigCache) Update(domain string, server string, isLockedUpdate bool, forceQuery string, sockopt *internet.SocketConfig) ([]byte, error)

Update updates the ECH config for given domain and server. this method is concurrent safe, only one update request will be sent, others get the cache. if isLockedUpdate is true, it will not try to acquire the lock.

type Interface 

type Interface interface {
	net.Conn
	HandshakeContext(ctx context.Context) error
	VerifyHostname(host string) error
	HandshakeContextServerName(ctx context.Context) string
	NegotiatedProtocol() string
}

type Option 

type Option func(*tls.Config)

Option for building TLS config.

func WithDestination 

func WithDestination(dest net.Destination) Option

WithDestination sets the server name in TLS config. Due to the incorrect structure of GetTLSConfig(), the config.ServerName will always be empty. So the real logic for SNI is: set it to dest -> overwrite it with servername(if it's len>0).

func WithNextProto 

func WithNextProto(protocol ...string) Option

WithNextProto sets the ALPN values in TLS config.

func WithOverrideName added in v1.8.16 

func WithOverrideName(serverName string) Option

type RandCarrier added in v1.8.14 

type RandCarrier struct {
	RootCAs                              *x509.CertPool
	VerifyPeerCertInNames                []string
	PinnedPeerCertificateChainSha256     [][]byte
	PinnedPeerCertificatePublicKeySha256 [][]byte
}

func (*RandCarrier) Read added in v1.8.14 

func (r *RandCarrier) Read(p []byte) (n int, err error)

type UConn 

type UConn struct {
	*utls.UConn
}

func (*UConn) Close 

func (c *UConn) Close() error

func (*UConn) HandshakeContextServerName added in v1.8.14 

func (c *UConn) HandshakeContextServerName(ctx context.Context) string

func (*UConn) NegotiatedProtocol 

func (c *UConn) NegotiatedProtocol() string

func (*UConn) WebsocketHandshakeContext 

func (c *UConn) WebsocketHandshakeContext(ctx context.Context) error

WebsocketHandshake basically calls UConn.Handshake inside it but it will only send http/1.1 in its ALPN.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.