New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
vmess+ws+tls works on windows/mac, but NOT in Android #139
Comments
@wkrp |
It is possible it has something to do with the processor type. OONI reported something similar once. (However, I don't know how this kind of hardware dependence might interact with uTLS.)
There was also a report in another thread that snowflake-client worked on macOS and Windows desktop, but not in Orbot on Android or iOS. It will help if you can get a packet capture of the the TLS Client Hello under both conditions, in order to check whether there are any differences. On desktop, you can use tcpdump or Wireshark. The tcpdump command will be something like this (replace
On Android, I have had luck using PCAPdroid. You can select a specific app to capture traffic from and save to a pcap file. You can then upload the pcap files to https://tlsfingerprint.io/pcap and see if they have the same fingerprint. To see what's inside each Client Hello record, you can open the pcap files in Wireshark, select the "Client Hello" packet, right-click "Secure Sockets Layer" in the tree view, select "Expand Subtrees", then right-click again and "Copy → All Visible Selected Tree Items". Then paste it into a file. Or you can use the tshark command like so:
Don't post the raw pcap files here, because they may contain IP addresses you do not want to reveal. |
@wkrp Thanks for your reply. I have run the experiments. I used PCAPdroid on Android and tcpdump on other platforms. The results are summarized in the table below.
Both servers S1 and S2 are working for linux/mac/windows. None of them are working for Raspberry Pi or Android device (with V2rayNG). It's interesting that:
I suspect that the |
You could try a VLESS+TCP+TLS config (e.g. using ProxySU) and then set the uTLS fingerprint to "Chrome" in V2rayNG (new release). Also Trojan configs seem to work well with custom uTLS fingerprints. Or you could use a client like Sagetnet/Matsuri and try setting "browser forwarding" in the server's options. |
It's all about interfering on TLS handshake by government. even I can not login to Gmail today by getting this msg (The server cannot process the request because it is malformed. It should not be retried.) blocking and manipulating on port 443 and TLS caused all of these problems. |
@ea0fdb thank you, that is super helpful. It looks to me like uTLS support is not working—it may be a bug in xray or possibly in uTLS.
This all gives us a good hypothesis as to the features used in recent TLS blocking, in Iran at least. It includes the fingerprints of go1.17+ crypto/tls without AES acceleration, which are likely the most commonly occurring fingerprints among Go-based tools running on mobile platforms. These fingerprints include at least 750e3f0f585283bd and adfe55afa6f23950. |
I am not aware of any problem that would cause the fingerprint parroting silently fail on ARM in uTLS. I just ran a test on my Raspberry Pi (armv7 running armv6 go), uTLS worked fine and parrots both Chrome and Firefox fingerprints correctly. While being not very familiar with the code base of xray, I couldn't answer the question of what causes uTLS not functioning with xray. |
Great analysis, @ea0fdb! We have not been able to trigger the blocking with
In all three cases, we cannot trigger the blocking immediately. Note that this does not necessarily mean that the censor does not consider TLS fingerprint when making a blocking decision, rather, it just says the TLS fingerprint is not a sufficient condition to trigger the blocking. There may be other factors the censor considers together with the fingerprint, for example:
In any case, since 750e3f0f585283bd is a very unique fingerprint, we should consider changing it. BTW, we have received some reports that support the TLS fingerprint blocking hypothesis. In particular, the person setup two open ports on the same server, for one port, people used the trojan-go with latest uTLS, which is not blocked; for the other port, people used an android client, which was blocked. //cc @2dust |
Hi everyone. Thanks for your replies.
@wkrp For Now my concern is why doesn't uTLS change the TLS Fingerprint for It seems that the issue is not necessarily about ARM devices, as I suspect that it's about effectiveness of uTLS with xray when using websocket. Note that I'm changing this key in the json configuration to use uTLS with xray 1.6.0. {
"outbounds": [
{
"streamSettings": {
"tlsSettings": {
"fingerprint": "chrome",
...
}, ...
}, ...
},
], ...
} |
Nice catch. This reminds me that there's no H2 support for websocket libraries in Go(unfortunately). So possibly xray had to override ALPN with only http1.1. |
From #136 (comment), I found the recent commit XTLS/Xray-core@93c7ebe in xray, with commit message "Added utls to http2 transport". Maybe it helps? |
uTLS should verify on its own its fingerprint on the wire and report error if not so, instead of relying on user tcpdumping. Though I don't know if this is technically doable. |
Definitely possible, we have (Assuming all Extensions/FakeExtensions are implemented correctly, of course) |
Hello P.S: As a workaround you can try specifying something like |
This is a small script that we've been using to get the TLS fingerprint IDs from pcap files, which you may find handy: |
@0xLem0nade I tried installing your .apk but it fails to install on my phone. |
@0xLem0nade I uninstalled the PS version first and then I tried installing each and every file in the assets. Non of them could be installed unfortunately. It just says App not installed. |
Hi, The problem still there, same as before, no problem with other Xray clients on Android, but v2rayNG 1.7.22 still not connecting . |
Hi, With the new pre-release of v2rayNG 1.7.23, uTLS is now working fine and the issue is resolved. Thanks everyone for your time and supports. |
Still uTLS is not wotking for TCP+XTLS. For VLESS+TCP+XTLS & Trojan+TCP+XTLS the fingerprint remains the same for any browser option as not using uTLS. |
Blog post expanding on the @0xLem0nade config file for v2rayNG + HTTP/2 + TLS from the other thread is at https://freejohn123.github.io/2022/10/23/v2rayNG-http2-tls.html |
Hi and thank you, but still have problem with this config, even try to change everything and testing ... "TLS handshake error from MY_IP: read tcp SERVER_IP:443->MY_IP: i/o timeout" |
As a side note, you might want to use firefox instead of chrome when using the fingerprint option. Iran blocks chrome traffic to some IP addresses. For example my own server is from hetzner and I do have the exact problem; So I simply use firefox's fingerprint. |
This is also happened to me. @HirbodBehnam Changing fingerprint to Firefox is not working. |
Hi, apparently, free domain was blocked. I moved to new domain and now it is working. |
You have done a good job.
תודה אתה
…----------------------------------------
*From: *free-the-internet ***@***.***>
*To: *net4people/bbs ***@***.***>
*CC: *Subscribed ***@***.***>
*Date: *Oct 25, 2022 06:08:31
*Subject: *Re: [net4people/bbs] vmess+ws+tls works on windows/mac, but
NOT in Android (Issue #139)
Blog post expanding on the @0xLem0nade[https://github.com/0xLem0nade]
config file for v2rayNG + HTTP/2 + TLS from the other thread is at
https://freejohn123.github.io/2022/10/23/v2rayNG-http2-tls.html
Hi and thank you, but still have problem with this config, even try to
change everything and testing ... The time is correct for both server
and client.
"TLS handshake error from MY_IP: read tcp SERVER_IP:443->MY_IP: i/o
timeout"
This is also happened to me.
@HirbodBehnam[https://github.com/HirbodBehnam] Changing fingerprint to
Firefox is not working.
Hi, apparently, free domain was blocked. I moved to new domain and now
it is working.
—
Reply to this email directly, view it on
GitHub[#139 (comment)],
or
unsubscribe[https://github.com/notifications/unsubscribe-auth/AKGBAYFASGTPSWNYIME25BLWE4CF5ANCNFSM6AAAAAARGNNA3M].
You are receiving this because you are subscribed to this
thread.[Tracking
image][https://github.com/notifications/beacon/AKGBAYEBV7LZ4CLZDDDVPKDWE4CF5A5CNFSM6AAAAAARGNNA3OWGG33NNVSW45C7OR4XAZNMJFZXG5LFINXW23LFNZ2KUY3PNVWWK3TUL5UWJTSM34A7Q.gif]Message
ID: ***@***.***>
|
Hi, I didn't really follow the discussion here but here is some added info: |
I think this issue is about configuration importing affairs, not about blocking |
We have run two servers a while ago. All of the client was working fine until a week ago. Now computer clients are working fine, but android clients don't work in any of the servers. We have tested v2rayNG with both versions 1.7.20 and 1.7.21 (uTLS fingerprint).
It doesn't work on Raspberry Pi either. Maybe related to arm processors.
Server/Protocol: vmess+ws+tls with v2fly-core and nginx
Working Clients: Windows / Linux / Mac, with v2fly-core. iOS is working too with Shadowrocket.
Not Working Clients: Almost any android client, including v2rayNG. Raspberry Pi Linux with v2fly-core.
Country: Iran
Related Issue & server logs: 2dust/v2rayNG#1685
Please share any idea you have about this situation.
Maybe this was happened in China before.
Thanks.
The text was updated successfully, but these errors were encountered: