tls

package
v1.260327.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 27, 2026 License: MPL-2.0 Imports: 42 Imported by: 246

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var (
	Certificate_Usage_name = map[int32]string{
		0: "ENCIPHERMENT",
		1: "AUTHORITY_VERIFY",
		2: "AUTHORITY_ISSUE",
	}
	Certificate_Usage_value = map[string]int32{
		"ENCIPHERMENT":     0,
		"AUTHORITY_VERIFY": 1,
		"AUTHORITY_ISSUE":  2,
	}
)

Enum value maps for Certificate_Usage.

View Source 
var ErrInvalidLen = errors.New("goech: invalid length")
View Source 
var File_transport_internet_tls_config_proto protoreflect.FileDescriptor
View Source 
var (
	// The keys for both maps must be generated by ECHCacheKey().
	GlobalECHConfigCache = utils.NewTypedSyncMap[string, *ECHConfigCache]()
)
View Source 
var ModernFingerprints = map[string]*utls.ClientHelloID{

	"hellofirefox_99":         &utls.HelloFirefox_99,
	"hellofirefox_102":        &utls.HelloFirefox_102,
	"hellofirefox_105":        &utls.HelloFirefox_105,
	"hellofirefox_120":        &utls.HelloFirefox_120,
	"hellochrome_83":          &utls.HelloChrome_83,
	"hellochrome_87":          &utls.HelloChrome_87,
	"hellochrome_96":          &utls.HelloChrome_96,
	"hellochrome_100":         &utls.HelloChrome_100,
	"hellochrome_102":         &utls.HelloChrome_102,
	"hellochrome_106_shuffle": &utls.HelloChrome_106_Shuffle,
	"hellochrome_120":         &utls.HelloChrome_120,
	"hellochrome_131":         &utls.HelloChrome_131,
	"helloios_13":             &utls.HelloIOS_13,
	"helloios_14":             &utls.HelloIOS_14,
	"helloedge_85":            &utls.HelloEdge_85,
	"helloedge_106":           &utls.HelloEdge_106,
	"hellosafari_16_0":        &utls.HelloSafari_16_0,
	"hello360_11_0":           &utls.Hello360_11_0,
	"helloqq_11_1":            &utls.HelloQQ_11_1,
}
View Source 
var OtherFingerprints = map[string]*utls.ClientHelloID{

	"hellogolang":            &utls.HelloGolang,
	"hellorandomized":        &utls.HelloRandomized,
	"hellorandomizedalpn":    &utls.HelloRandomizedALPN,
	"hellorandomizednoalpn":  &utls.HelloRandomizedNoALPN,
	"hellofirefox_auto":      &utls.HelloFirefox_Auto,
	"hellofirefox_55":        &utls.HelloFirefox_55,
	"hellofirefox_56":        &utls.HelloFirefox_56,
	"hellofirefox_63":        &utls.HelloFirefox_63,
	"hellofirefox_65":        &utls.HelloFirefox_65,
	"hellochrome_auto":       &utls.HelloChrome_Auto,
	"hellochrome_58":         &utls.HelloChrome_58,
	"hellochrome_62":         &utls.HelloChrome_62,
	"hellochrome_70":         &utls.HelloChrome_70,
	"hellochrome_72":         &utls.HelloChrome_72,
	"helloios_auto":          &utls.HelloIOS_Auto,
	"helloios_11_1":          &utls.HelloIOS_11_1,
	"helloios_12_1":          &utls.HelloIOS_12_1,
	"helloandroid_11_okhttp": &utls.HelloAndroid_11_OkHttp,
	"helloedge_auto":         &utls.HelloEdge_Auto,
	"hellosafari_auto":       &utls.HelloSafari_Auto,
	"hello360_auto":          &utls.Hello360_Auto,
	"hello360_7_5":           &utls.Hello360_7_5,
	"helloqq_auto":           &utls.HelloQQ_Auto,

	"hellochrome_100_psk":              &utls.HelloChrome_100_PSK,
	"hellochrome_112_psk_shuf":         &utls.HelloChrome_112_PSK_Shuf,
	"hellochrome_114_padding_psk_shuf": &utls.HelloChrome_114_Padding_PSK_Shuf,
	"hellochrome_115_pq":               &utls.HelloChrome_115_PQ,
	"hellochrome_115_pq_psk":           &utls.HelloChrome_115_PQ_PSK,
	"hellochrome_120_pq":               &utls.HelloChrome_120_PQ,
}
View Source 
var PresetFingerprints = map[string]*utls.ClientHelloID{

	"chrome":           &utls.HelloChrome_Auto,
	"firefox":          &utls.HelloFirefox_Auto,
	"safari":           &utls.HelloSafari_Auto,
	"ios":              &utls.HelloIOS_Auto,
	"android":          &utls.HelloAndroid_11_OkHttp,
	"edge":             &utls.HelloEdge_Auto,
	"360":              &utls.Hello360_Auto,
	"qq":               &utls.HelloQQ_Auto,
	"random":           nil,
	"randomized":       nil,
	"randomizednoalpn": nil,
	"unsafe":           nil,
}

Functions

func ApplyECH added in v1.250726.0 

func ApplyECH(c *Config, config *tls.Config) error

func Client 

func Client(c net.Conn, config *tls.Config) net.Conn

Client initiates a TLS client handshake on the given connection.

func ConvertToGoECHKeys added in v1.250726.0 

func ConvertToGoECHKeys(data []byte) ([]tls.EncryptedClientHelloKey, error)

func ECHCacheKey added in v1.250803.0 

func ECHCacheKey(server, domain string, sockopt *internet.SocketConfig) string

sockopt can be nil if not specified. if for clientForECHDOH, domain can be empty.

func GenerateCertHash added in v1.260113.0 

func GenerateCertHash[T *x509.Certificate | []byte](cert T) []byte

[]byte must be ASN.1 DER content

func GenerateCertHashHex added in v1.260206.0 

func GenerateCertHashHex[T *x509.Certificate | []byte](cert T) string

func GeneraticUClient added in v1.260204.0 

func GeneraticUClient(c net.Conn, config *tls.Config) *utls.UConn

func GetFingerprint added in v1.7.3 

func GetFingerprint(name string) (fingerprint *utls.ClientHelloID)

func IsFromMitm added in v1.250803.0 

func IsFromMitm(str string) bool

func NewGrpcUtls added in v1.6.1 

func NewGrpcUtls(c *gotls.Config, fingerprint *utls.ClientHelloID) credentials.TransportCredentials

NewGrpcUtls uses c to construct a TransportCredentials based on uTLS.

func ParseCurveName added in v1.250306.0 

func ParseCurveName(curveNames []string) []tls.CurveID

func QueryRecord added in v1.250726.0 

func QueryRecord(domain string, server string, forceQuery string, sockopt *internet.SocketConfig) ([]byte, error)

QueryRecord returns the ECH config for given domain. If the record is not in cache or expired, it will query the DNS server and update the cache.

func Server 

func Server(c net.Conn, config *tls.Config) net.Conn

Server initiates a TLS server handshake on the given connection.

func UClient added in v1.4.2 

func UClient(c net.Conn, config *tls.Config, fingerprint *utls.ClientHelloID) net.Conn

Types

type Certificate 

type Certificate struct {

	// TLS certificate in x509 format.
	Certificate []byte `protobuf:"bytes,1,opt,name=certificate,proto3" json:"certificate,omitempty"`
	// TLS key in x509 format.
	Key          []byte            `protobuf:"bytes,2,opt,name=key,proto3" json:"key,omitempty"`
	Usage        Certificate_Usage `protobuf:"varint,3,opt,name=usage,proto3,enum=xray.transport.internet.tls.Certificate_Usage" json:"usage,omitempty"`
	OcspStapling uint64            `protobuf:"varint,4,opt,name=ocsp_stapling,json=ocspStapling,proto3" json:"ocsp_stapling,omitempty"`
	// TLS certificate path
	CertificatePath string `protobuf:"bytes,5,opt,name=certificate_path,json=certificatePath,proto3" json:"certificate_path,omitempty"`
	// TLS Key path
	KeyPath string `protobuf:"bytes,6,opt,name=key_path,json=keyPath,proto3" json:"key_path,omitempty"`
	// If true, one-Time Loading
	OneTimeLoading bool `protobuf:"varint,7,opt,name=One_time_loading,json=OneTimeLoading,proto3" json:"One_time_loading,omitempty"`
	BuildChain     bool `protobuf:"varint,8,opt,name=build_chain,json=buildChain,proto3" json:"build_chain,omitempty"`
	// contains filtered or unexported fields
}

func ParseCertificate 

func ParseCertificate(c *cert.Certificate) *Certificate

ParseCertificate converts a cert.Certificate to Certificate.

func (*Certificate) Descriptor deprecated 

func (*Certificate) Descriptor() ([]byte, []int)

Deprecated: Use Certificate.ProtoReflect.Descriptor instead.

func (*Certificate) GetBuildChain added in v1.8.22 

func (x *Certificate) GetBuildChain() bool

func (*Certificate) GetCertificate 

func (x *Certificate) GetCertificate() []byte

func (*Certificate) GetCertificatePath added in v1.3.0 

func (x *Certificate) GetCertificatePath() string

func (*Certificate) GetKey 

func (x *Certificate) GetKey() []byte

func (*Certificate) GetKeyPath added in v1.3.0 

func (x *Certificate) GetKeyPath() string

func (*Certificate) GetOcspStapling added in v1.1.5 

func (x *Certificate) GetOcspStapling() uint64

func (*Certificate) GetOneTimeLoading added in v1.3.1 

func (x *Certificate) GetOneTimeLoading() bool

func (*Certificate) GetUsage 

func (x *Certificate) GetUsage() Certificate_Usage

func (*Certificate) ProtoMessage 

func (*Certificate) ProtoMessage()

func (*Certificate) ProtoReflect 

func (x *Certificate) ProtoReflect() protoreflect.Message

func (*Certificate) Reset 

func (x *Certificate) Reset()

func (*Certificate) String 

func (x *Certificate) String() string

type Certificate_Usage 

type Certificate_Usage int32
const (
	Certificate_ENCIPHERMENT     Certificate_Usage = 0
	Certificate_AUTHORITY_VERIFY Certificate_Usage = 1
	Certificate_AUTHORITY_ISSUE  Certificate_Usage = 2
)

func (Certificate_Usage) Descriptor 

func (Certificate_Usage) Descriptor() protoreflect.EnumDescriptor

func (Certificate_Usage) Enum 

func (x Certificate_Usage) Enum() *Certificate_Usage

func (Certificate_Usage) EnumDescriptor deprecated 

func (Certificate_Usage) EnumDescriptor() ([]byte, []int)

Deprecated: Use Certificate_Usage.Descriptor instead.

func (Certificate_Usage) Number 

func (x Certificate_Usage) Number() protoreflect.EnumNumber

func (Certificate_Usage) String 

func (x Certificate_Usage) String() string

func (Certificate_Usage) Type 

func (Certificate_Usage) Type() protoreflect.EnumType

type Config 

type Config struct {
	AllowInsecure bool `protobuf:"varint,1,opt,name=allow_insecure,json=allowInsecure,proto3" json:"allow_insecure,omitempty"`
	// List of certificates to be served on server.
	Certificate []*Certificate `protobuf:"bytes,2,rep,name=certificate,proto3" json:"certificate,omitempty"`
	// Override server name.
	ServerName string `protobuf:"bytes,3,opt,name=server_name,json=serverName,proto3" json:"server_name,omitempty"`
	// Lists of string as ALPN values.
	NextProtocol []string `protobuf:"bytes,4,rep,name=next_protocol,json=nextProtocol,proto3" json:"next_protocol,omitempty"`
	// Whether or not to enable session (ticket) resumption.
	EnableSessionResumption bool `` /* 133-byte string literal not displayed */
	// If true, root certificates on the system will not be loaded for
	// verification.
	DisableSystemRoot bool `protobuf:"varint,6,opt,name=disable_system_root,json=disableSystemRoot,proto3" json:"disable_system_root,omitempty"`
	// The minimum TLS version.
	MinVersion string `protobuf:"bytes,7,opt,name=min_version,json=minVersion,proto3" json:"min_version,omitempty"`
	// The maximum TLS version.
	MaxVersion string `protobuf:"bytes,8,opt,name=max_version,json=maxVersion,proto3" json:"max_version,omitempty"`
	// Specify cipher suites, except for TLS 1.3.
	CipherSuites string `protobuf:"bytes,9,opt,name=cipher_suites,json=cipherSuites,proto3" json:"cipher_suites,omitempty"`
	// TLS Client Hello fingerprint (uTLS).
	Fingerprint      string `protobuf:"bytes,11,opt,name=fingerprint,proto3" json:"fingerprint,omitempty"`
	RejectUnknownSni bool   `protobuf:"varint,12,opt,name=reject_unknown_sni,json=rejectUnknownSni,proto3" json:"reject_unknown_sni,omitempty"`
	MasterKeyLog     string `protobuf:"bytes,15,opt,name=master_key_log,json=masterKeyLog,proto3" json:"master_key_log,omitempty"`
	// Lists of string as CurvePreferences values.
	CurvePreferences     []string               `protobuf:"bytes,16,rep,name=curve_preferences,json=curvePreferences,proto3" json:"curve_preferences,omitempty"`
	VerifyPeerCertByName []string               `` /* 128-byte string literal not displayed */
	EchServerKeys        []byte                 `protobuf:"bytes,18,opt,name=ech_server_keys,json=echServerKeys,proto3" json:"ech_server_keys,omitempty"`
	EchConfigList        string                 `protobuf:"bytes,19,opt,name=ech_config_list,json=echConfigList,proto3" json:"ech_config_list,omitempty"`
	EchForceQuery        string                 `protobuf:"bytes,20,opt,name=ech_force_query,json=echForceQuery,proto3" json:"ech_force_query,omitempty"`
	EchSocketSettings    *internet.SocketConfig `protobuf:"bytes,21,opt,name=ech_socket_settings,json=echSocketSettings,proto3" json:"ech_socket_settings,omitempty"`
	PinnedPeerCertSha256 [][]byte               `` /* 126-byte string literal not displayed */
	// contains filtered or unexported fields
}

func ConfigFromStreamSettings 

func ConfigFromStreamSettings(settings *internet.MemoryStreamConfig) *Config

ConfigFromStreamSettings fetches Config from stream settings. Nil if not found.

func (*Config) BuildCertificates 

func (c *Config) BuildCertificates() []*tls.Certificate

BuildCertificates builds a list of TLS certificates from proto definition.

func (*Config) Descriptor deprecated 

func (*Config) Descriptor() ([]byte, []int)

Deprecated: Use Config.ProtoReflect.Descriptor instead.

func (*Config) GetAllowInsecure 

func (x *Config) GetAllowInsecure() bool

func (*Config) GetCertificate 

func (x *Config) GetCertificate() []*Certificate

func (*Config) GetCipherSuites added in v1.1.4 

func (x *Config) GetCipherSuites() string

func (*Config) GetCurvePreferences added in v1.250306.0 

func (x *Config) GetCurvePreferences() []string

func (*Config) GetDisableSystemRoot 

func (x *Config) GetDisableSystemRoot() bool

func (*Config) GetEchConfigList added in v1.250726.0 

func (x *Config) GetEchConfigList() string

func (*Config) GetEchForceQuery added in v1.250803.0 

func (x *Config) GetEchForceQuery() string

func (*Config) GetEchServerKeys added in v1.250726.0 

func (x *Config) GetEchServerKeys() []byte

func (*Config) GetEchSocketSettings added in v1.250803.0 

func (x *Config) GetEchSocketSettings() *internet.SocketConfig

func (*Config) GetEnableSessionResumption added in v1.2.0 

func (x *Config) GetEnableSessionResumption() bool

func (*Config) GetFingerprint added in v1.4.1 

func (x *Config) GetFingerprint() string

func (*Config) GetMasterKeyLog added in v1.8.7 

func (x *Config) GetMasterKeyLog() string

func (*Config) GetMaxVersion added in v1.1.4 

func (x *Config) GetMaxVersion() string

func (*Config) GetMinVersion added in v1.1.4 

func (x *Config) GetMinVersion() string

func (*Config) GetNextProtocol 

func (x *Config) GetNextProtocol() []string

func (*Config) GetPinnedPeerCertSha256 added in v1.260113.0 

func (x *Config) GetPinnedPeerCertSha256() [][]byte

func (*Config) GetRejectUnknownSni added in v1.4.3 

func (x *Config) GetRejectUnknownSni() bool

func (*Config) GetServerName 

func (x *Config) GetServerName() string

func (*Config) GetTLSConfig 

func (c *Config) GetTLSConfig(opts ...Option) *tls.Config

GetTLSConfig converts this Config into tls.Config.

func (*Config) GetVerifyPeerCertByName added in v1.260131.0 

func (x *Config) GetVerifyPeerCertByName() []string

func (*Config) ProtoMessage 

func (*Config) ProtoMessage()

func (*Config) ProtoReflect 

func (x *Config) ProtoReflect() protoreflect.Message

func (*Config) Reset 

func (x *Config) Reset()

func (*Config) String 

func (x *Config) String() string

type Conn 

type Conn struct {
	*tls.Conn
}

func (*Conn) Close added in v1.8.8 

func (c *Conn) Close() error

func (*Conn) HandshakeContextServerName added in v1.250306.0 

func (c *Conn) HandshakeContextServerName(ctx context.Context) string

func (*Conn) NegotiatedProtocol added in v1.6.1 

func (c *Conn) NegotiatedProtocol() string

func (*Conn) WriteMultiBuffer 

func (c *Conn) WriteMultiBuffer(mb buf.MultiBuffer) error

type ECHConfigCache added in v1.250726.0 

type ECHConfigCache struct {

	// updateLock is not for preventing concurrent read/write, but for preventing concurrent update
	UpdateLock sync.Mutex
	// contains filtered or unexported fields
}

func (*ECHConfigCache) Update added in v1.250726.0 

func (c *ECHConfigCache) Update(domain string, server string, isLockedUpdate bool, forceQuery string, sockopt *internet.SocketConfig) ([]byte, error)

Update updates the ECH config for given domain and server. this method is concurrent safe, only one update request will be sent, others get the cache. if isLockedUpdate is true, it will not try to acquire the lock.

type Interface added in v1.6.1 

type Interface interface {
	net.Conn
	HandshakeContext(ctx context.Context) error
	VerifyHostname(host string) error
	HandshakeContextServerName(ctx context.Context) string
	NegotiatedProtocol() string
}

type Option 

type Option func(*tls.Config)

Option for building TLS config.

func WithDestination 

func WithDestination(dest net.Destination) Option

WithDestination sets the server name in TLS config. Due to the incorrect structure of GetTLSConfig(), the config.ServerName will always be empty. So the real logic for SNI is: set it to dest -> overwrite it with servername(if it's len>0).

func WithNextProto 

func WithNextProto(protocol ...string) Option

WithNextProto sets the ALPN values in TLS config.

func WithOverrideName added in v1.250803.0 

func WithOverrideName(serverName string) Option

type RandCarrier added in v1.250306.0 

type RandCarrier struct {
	Config               *tls.Config
	RootCAs              *x509.CertPool
	VerifyPeerCertByName []string
	PinnedPeerCertSha256 [][]byte
}

func (*RandCarrier) Read added in v1.250306.0 

func (r *RandCarrier) Read(p []byte) (n int, err error)

type UConn added in v1.4.2 

type UConn struct {
	*utls.UConn
}

func (*UConn) Close added in v1.8.8 

func (c *UConn) Close() error

func (*UConn) HandshakeContextServerName added in v1.250306.0 

func (c *UConn) HandshakeContextServerName(ctx context.Context) string

func (*UConn) NegotiatedProtocol added in v1.6.1 

func (c *UConn) NegotiatedProtocol() string

func (*UConn) WebsocketHandshakeContext added in v1.8.8 

func (c *UConn) WebsocketHandshakeContext(ctx context.Context) error

WebsocketHandshake basically calls UConn.Handshake inside it but it will only send http/1.1 in its ALPN.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.