Skip to content

Comments

Commands: Output certificate chain's total length in tls ping#4933

Merged
RPRX merged 3 commits intomainfrom
tls-ping
Jul 25, 2025
Merged

Commands: Output certificate chain's total length in tls ping#4933
RPRX merged 3 commits intomainfrom
tls-ping

Conversation

@Fangliding
Copy link
Member

@Fangliding Fangliding commented Jul 25, 2025

tls ping 显示整个证书链长度 用于寻找比较长的证书
(如果如之前讨论所述只找到一个证书也会有注释)

@Fangliding
Copy link
Member Author

Fangliding commented Jul 25, 2025
edited
Loading

btw 使用ecc但是很长的我暂时只看到 google.com (不带www) 但是在墙外带mldsa65使用它客户端会报错 怀疑是附加扩展的可能出问题了(?)
x509: certificate has expired or is not yet valid: current time 2025-07-25T08:40:46Z is after 0001-01-01T00:00:00Z x509: certificate has expired or is not yet valid: current time 2025-07-25T08:40:47Z is after 0001-01-01T00:00:00Z

@RPRX
Copy link
Member

RPRX commented Jul 25, 2025

你先测试下有没有域名能输出第二个证书吧,反正我是没找到,怀疑是 TLS 库的问题

@Fangliding
Copy link
Member Author

Fangliding commented Jul 25, 2025

都可以啊 只有一个它有括号注释的

@RPRX
Copy link
Member

RPRX commented Jul 25, 2025

@Fangliding 比如哪个域名

@Fangliding
Copy link
Member Author

Fangliding commented Jul 25, 2025

谷歌啊 cf啊 国内的百度b站腾讯什么的都是的
image

@RPRX
Copy link
Member

RPRX commented Jul 25, 2025

我知道原因了,现在的代码中有这三行:

		if len(cert.DNSNames) == 0 {
			continue
		}

@RPRX RPRX mentioned this pull request Jul 25, 2025
Merged
@RPRX
Copy link
Member

RPRX commented Jul 25, 2025

@Fangliding 两个空格别改吧,我本来也想改成一个,后来发现两个更清晰些

@Fangliding
Copy link
Member Author

Fangliding commented Jul 25, 2025

那直接回退好了

@RPRX
Copy link
Member

RPRX commented Jul 25, 2025

cert count 也被回退了 @Fangliding

@Fangliding
Copy link
Member Author

Fangliding commented Jul 25, 2025

反正都是3(偶尔4)应该没有必要了吧

@RPRX
Copy link
Member

RPRX commented Jul 25, 2025

加上吧

@RPRX
Copy link
Member

RPRX commented Jul 25, 2025

如果只有一个的话不用区分,输出 1 就行

@RPRX RPRX changed the title Commands: Show certificate chain length Commands: Output certificate chain's total length in tls ping Jul 25, 2025
@RPRX RPRX merged commit 87d8b97 into main Jul 25, 2025
78 checks passed
@RPRX RPRX deleted the tls-ping branch July 25, 2025 10:18
@RPRX
Copy link
Member

RPRX commented Jul 25, 2025

@Fangliding 测试 caee152 ,看一下谷歌的 Server Hello 是扩展顺序和绝大多数网站不一样,还是有别的东西

@Fangliding
Copy link
Member Author

Fangliding commented Jul 25, 2025

没问题了 google.com 可以用了
image

@RPRX
Copy link
Member

RPRX commented Jul 25, 2025

@Fangliding 绝大多数网站的 Server Hello 就两个扩展,固定顺序,你看下谷歌有啥特别的

@Fangliding
Copy link
Member Author

Fangliding commented Jul 25, 2025
edited
Loading

一个TCP包里 有server hello消息 ccs消息 这段部分我比了一下和其他mlkem的server hello长度都是一样的 唯一不一样的是后面还粘了一块不完整的application data 而且超级长一千五百多个字节(别人也有但是没这么长)

@RPRX
Copy link
Member

RPRX commented Jul 25, 2025

@Fangliding 不是这个,我是说 Server Hello 里的数据,要不你本地用 WireShark 看下 cf.dyn.riotcdn.net.cdn.cloudflare.net

@Fangliding
Copy link
Member Author

Fangliding commented Jul 25, 2025

server hello我看了就那么点东西都一样的

@RPRX
Copy link
Member

RPRX commented Jul 25, 2025

@Fangliding 那很奇怪了,因为那个 commit 改的就是不重新 marshal Server Hello,是不是扩展顺序不一样

@RPRX
Copy link
Member

RPRX commented Jul 25, 2025
edited
Loading

看了群里的图,就是 Server Hello 扩展顺序的锅,绝大多数网站是把 supported_versions 放 key_share 上面,谷歌反着放的

This was referenced Jul 25, 2025
Merged
Merged
maoxikun pushed a commit to maoxikun/Xray-core that referenced this pull request Aug 23, 2025
@Fangliding @RPRX @maoxikun
Commands: Output certificate chain's total length in tls ping (XTLS…
01fe414 
…#4933)

Co-authored-by: RPRX <[email protected]>
(cherry picked from commit 87d8b97)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Fangliding @RPRX