TLS ECH client: Revert echForceQuery's behavior#4971
Doesn't this still force a failure when the DNS server is unavailable?
??? If DNS fails, we get an error other than emptyResponse, so the connection will not be made. What is the problem?
You've got me confused. In short, if the query fails, it fails; don't care whether it is emptyResponse or not. Then force-query and non-force-query have different logic. @patterniha please check whether the current code logic matches #4949 (comment); if it doesn't, I'll delete the latest commit and you re-submit the PR.
As it is now: without force query, if the error is emptyResponse the connection succeeds, otherwise it is forced to fail; and only emptyResponse is cached.
@Fangliding Then I'll delete this commit; please fix it in a PR.
Let me explain: A: ECH DNS query fails, get no response. S1: if C, connection is made with ECH-TLS. This is my logic, because ECH may be used in MitM uses. What is your logic? Please state your logic and I will implement that.
I think for MitM you can just keep using fragmentation; there's no need to force ECH.
Can you please state your logic exactly? I think we can reach an agreement with three modes, but I still don't know your exact logic.
@patterniha What we mean is to treat A and B as the same case, and then follow the S3 logic.
But suppose our internet drops for just a few seconds: we get no response and we cache this failure for 5 minutes!!! And we don't try to use ECH-TLS, or get a new key, for 5 minutes!!! This does not help my MitM use, and if fragment is blocked, this causes connection failure for 5 minutes. /// So I implemented three modes. full: -> equal to current. Is it OK?
For "none" and "half", wait for the query the first time, and don't wait for it afterwards (but if that query gets a result, it is cached with its TTL, so it can be used next time), to avoid affecting the user experience.
OK, please wait... |
OK, I only subdivided that for showing errors.
Also, for "none" and "half", the first time it can wait for the query, but after that don't wait (I don't know whether this is the current logic).
…TLS#4973) XTLS#4971 (comment) (cherry picked from commit 7cbf5b0)
#4949 (comment)
Yes, I just neglected this.
In case a DoH query fails, the connection will be made for 6 hours while it tries to update the key. If it is unsuccessful in getting the new key (even an empty one) within these 6 hours, then the connection will not be made.