In the past, when user open xtls vision on the server side, plain vless+tls can connect.
Pure tls is known to have certain tls in tls characters.
Now server need to specify "xtls-rprx-vision,none" for it be able usable on the same port.
* Add XTLS RPRX's Vision
* Add helpful warning when security is wrong
* Add XTLS padding (draft)
* Fix number of packet to filter
* Xtls padding version 1.0 and unpadding logic
* Fix UDP destination override
* Fix code style
* Fix fakedns object init
Do type convertion at runtime in case if user don't use fakedns in config.
Since dispatcher now depend on fakedns object, move the injection order of
fakedns to top (As a temporary solution)
* Amend logic for handing fakedns client
A map is used by server side when client turn on fakedns
Client will send domain address in the buffer.UDP.Address, server record all possible target IP addrs.
When target replies, server will restore the domain and send back to client.
Co-authored-by: hmol233 <82594500+hmol233@users.noreply.github.com>
* Increase some tls test timeout
* Fix TestUserValidator
* Change all tests to VMessAEAD
Old VMess MD5 tests will be rejected and fail in 2022
* Chore: auto format code
Add `enableConcurrency` option, false by default.
If it's set as `true`, start probing outbounds concurrently in every
circle of observation. Wait `probeInterval` between observation circles.
* verify peer cert function for better man in the middle prevention
* publish cert chain hash generation algorithm
* added calculation of certificate hash as separate command and tlsping, use base64 to represent fingerprint to align with jsonPb
* apply coding style
* added test case for pinned certificates
* refactored cert pin
* pinned cert test
* added json loading of the PinnedPeerCertificateChainSha256
* removed tool to prepare for v5
* Add server cert pinning for Xtls
Change command "xray tls certChainHash" to xray style
Co-authored-by: Shelikhoo <xiaokangwang@outlook.com>
* use shadowsocket's bloomring for shadowsocket's replay protection
* added shadowsockets iv check for tcp socket
* Rename to shadowsockets iv check
* shadowsocks iv check config file
* iv check should proceed after decryption
* use shadowsocket's bloomring for shadowsocket's replay protection
* Chore: format code (#842)
Co-authored-by: Shelikhoo <xiaokangwang@outlook.com>
Co-authored-by: Loyalsoldier <10487845+Loyalsoldier@users.noreply.github.com>
* DNS: add clientip for specific nameserver
* Refactoring: DNS App
* DNS: add DNS over QUIC support
* Feat: add disableCache option for DNS
* Feat: add queryStrategy option for DNS
* Feat: add disableFallback & skipFallback option for DNS
* Feat: DNS hosts support multiple addresses
* Feat: DNS transport over TCP
* DNS: fix typo & refine code
* DNS: refine code
* Add disableFallbackIfMatch dns option
* Feat: routing and freedom outbound ignore Fake DNS
Turn off fake DNS for request sent from Routing and Freedom outbound.
Fake DNS now only apply to DNS outbound.
This is important for Android, where VPN service take over all system DNS
traffic and pass it to core. "UseIp" option can be used in Freedom outbound
to avoid getting fake IP and fail connection.
* Fix test
* Fix dns return
* Fix local dns return empty
* Apply timeout to dns outbound
* Update app/dns/config.go
Co-authored-by: Loyalsoldier <10487845+loyalsoldier@users.noreply.github.com>
Co-authored-by: Ye Zhihao <vigilans@foxmail.com>
Co-authored-by: maskedeken <52683904+maskedeken@users.noreply.github.com>
Co-authored-by: V2Fly Team <51714622+vcptr@users.noreply.github.com>
Co-authored-by: CalmLong <37164399+calmlong@users.noreply.github.com>
Co-authored-by: Shelikhoo <xiaokangwang@outlook.com>
Co-authored-by: 秋のかえで <autmaple@protonmail.com>
Co-authored-by: 朱聖黎 <digglife@gmail.com>
Co-authored-by: rurirei <72071920+rurirei@users.noreply.github.com>
Co-authored-by: yuhan6665 <1588741+yuhan6665@users.noreply.github.com>
Co-authored-by: Arthur Morgan <4637240+badO1a5A90@users.noreply.github.com>
