[Feature] Request to support Encrypted ClientHello #839

Closed
2 tasks done
Malus-risus opened this issue Oct 31, 2023 · 13 comments
Labels
enhancement New feature or request

Comments

@Malus-risus

Verify steps

Description

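Currently, ECH works when clash is not in use. Once clash is turned on, ECH does not take effect in either TUN mode or normal proxy mode. I don't know whether this is a bug or an unimplemented feature; I hope it can be resolved.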

Possible Solution

No response

@Malus-risus added the enhancement label Oct 31, 2023
@NahidaBuer

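ECH requires the DNS server to support HTTPS records, and clash's built-in DNS server does not implement this. As an alternative, if you can accept having ECH support but losing domain-based routing, you can get around this by turning on the browser's built-in DoH.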

@dycwuxing

It would be great if this could be supported inside clash. It seems singbox can do it?


@ncpmeplmls0614

Please, I'm begging you, support this. It's just this one hole; please patch it.

@crzidea

crzidea commented Sep 20, 2024

Cloudflare has started enabling ECH for free domains again. This is very important for countering the monitoring of browsing behavior.

@dycwuxing

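> Cloudflare has started enabling ECH for free domains again. This is very important for countering the monitoring of browsing behavior.

I still can't find the switch to enable it under Edge Certificates. Can you find it on yours?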

@crzidea

crzidea commented Sep 25, 2024

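> I still can't find the switch to enable it under Edge Certificates. Can you find it on yours?

It should already be enabled for all free users. Try resolving the HTTPS record; there is now an additional ech field, and /cdn-cgi/trace will show sni=encrypted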

@CescMessi

I hope this gets added soon. Having to choose between this and traffic routing is really painful right now.

@Skyxim
Collaborator

Skyxim commented Sep 30, 2024

Support for this will not be added in the short term.

@Skyxim closed this as not planned Sep 30, 2024
@UjuiUjuMandan

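> ECH requires the DNS server to support HTTPS records, and clash's built-in DNS server does not implement this

Are you sure? Never mind A/AAAA, I can query everything from type1 to type65.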

@UjuiUjuMandan

crypto/tls supports ech natively.
golang/go#63369 (comment)

@vvb2060

vvb2060 commented Oct 2, 2024

> Are you sure? Never mind A/AAAA, I can query everything from type1 to type65.

mihomo/dns/middleware.go

Lines 154 to 157 in 4a16d22

```go
switch q.Qtype {
case D.TypeAAAA, D.TypeSVCB, D.TypeHTTPS:
	return handleMsgWithEmptyAnswer(r), nil
}
```

@UjuiUjuMandan

UjuiUjuMandan commented Oct 2, 2024

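That's fake-ip. The current implementation throws away too much: DNSSEC, first-connection HTTP/3, ECH, DoH.

Dropping SVCB has no real consequences for now, but in the future more applications will use it to discover services. Dropping AAAA affects how applications judge the network environment.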
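
Added illustration for the thread above (not code from mihomo or from any commenter): a Go sketch of how a client looks for the ech parameter in the RDATA of an HTTPS (type 65) record, and why an empty answer like the one the quoted middleware returns leaves it with no ECH configuration. The function names and the sample RDATA bytes are constructed for this example; the wire layout follows RFC 9460, where SvcParamKey 5 is reserved for ech.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"io"
)

// Constructed sample RDATA: priority 1, target ".", alpn=h2, ech=4 placeholder bytes.
var sampleRData = []byte{0, 1, 0, 0, 1, 0, 3, 2, 'h', '2', 0, 5, 0, 4, 0xde, 0xad, 0xbe, 0xef}

// echFromRData returns the "ech" SvcParam (key 5) of one HTTPS record, or nil if absent.
func echFromRData(rd []byte) ([]byte, error) {
	p := 2 // skip the 2-byte SvcPriority
	for p < len(rd) && rd[p] != 0 { // TargetName: length-prefixed labels
		p += 1 + int(rd[p])
	}
	if p >= len(rd) {
		return nil, io.ErrUnexpectedEOF
	}
	p++ // zero byte that terminates TargetName
	for p < len(rd) { // SvcParams: key(2) | length(2) | value
		if p+4 > len(rd) {
			return nil, io.ErrUnexpectedEOF
		}
		key := binary.BigEndian.Uint16(rd[p:])
		end := p + 4 + int(binary.BigEndian.Uint16(rd[p+2:]))
		if end > len(rd) {
			return nil, io.ErrUnexpectedEOF
		}
		if key == 5 {
			return rd[p+4 : end], nil
		}
		p = end
	}
	return nil, nil
}

// echAvailable is false for an empty answer section, the case the quoted middleware produces.
func echAvailable(answers [][]byte) bool {
	for _, rd := range answers {
		if ech, err := echFromRData(rd); err == nil && len(ech) > 0 {
			return true
		}
	}
	return false
}

func main() { fmt.Println(echAvailable([][]byte{sampleRData}), echAvailable(nil)) }
```

In a real record the ech value is an ECHConfigList that the TLS client passes to its handshake; the four bytes here are placeholders and are not a valid configuration.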
