Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add TLS Client Authentication #1151

Open
wants to merge 117 commits into
base: dev-next
Choose a base branch
from
Open

Add TLS Client Authentication #1151

wants to merge 117 commits into from

Conversation

jose-C2OaWi
Copy link

Add a feature for Issue 1054

Credits:
@ginuerzh for the implementation of gost

@hiddify-com

This comment was marked as spam.

Sign in to view
@jose-C2OaWi

This comment was marked as abuse.

Sign in to view
@hiddify-com

This comment was marked as spam.

Sign in to view
@Mahdi-zarei
Copy link
Contributor

mTLS is an established protocol and the SSL error you mention is expected. The peers communicating using mTLS need to use certificates which are signed by a self-issued root certificate, meaning such networks are not available for public access and usual one way TLS connections are not allowed. So it is meaningless to implement a fallback since it completely invalidates the mTLS processes.

@hiddify-com

This comment was marked as spam.

Sign in to view
@jose-C2OaWi

This comment was marked as abuse.

Sign in to view
@jose-C2OaWi
docs: fix typo
edadbba 
fix typo in tls.zh.md

Signed-off-by: jose-C2OaWi <[email protected]>
@Mahdi-zarei
Copy link
Contributor

Mahdi-zarei commented Nov 27, 2023
edited
Loading

the fallback option to a simple website can avoid active detection. while dropping connection is itself a fingerprint for GFW to put this website in the gray/black list

This is absurd, regarding the diagram you have sent, the server asks for certificate from client (which tells the client that the protocol being used is mTLS and not TLS) whereas in normal TLS no such operation is performed. By simply accepting the GFW's invalid certificate and serving a webpage you are practically violating the protocol you are advertising to conform to and this is a much severer footprint than correctly rejecting the GFW's invalid certificate.

@nekohasekai nekohasekai force-pushed the dev-next branch 4 times, most recently from b759111 to 733c14d Compare November 29, 2023 07:41
@nekohasekai nekohasekai force-pushed the dev-next branch 9 times, most recently from 82269a4 to 1bc83a1 Compare June 22, 2024 06:16
@nekohasekai nekohasekai force-pushed the dev-next branch 11 times, most recently from b34153f to 6da5ed4 Compare June 27, 2024 13:22
@nekohasekai nekohasekai force-pushed the dev-next branch 10 times, most recently from 07b192a to 06ee404 Compare July 7, 2024 08:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@jose-C2OaWi @hiddify-com @Mahdi-zarei @nekohasekai @kwfcfc