Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add TLS Client Authentication #1151

Open
wants to merge 117 commits into
base: dev-next
Choose a base branch
from

Conversation

jose-C2OaWi
Copy link

Add a feature for Issue 1054

Credits:
@ginuerzh for the implementation of gost

@hiddify-com

This comment was marked as spam.

@jose-C2OaWi

This comment was marked as abuse.

@hiddify-com

This comment was marked as spam.

@Mahdi-zarei
Copy link
Contributor

mTLS is an established protocol and the SSL error you mention is expected. The peers communicating using mTLS need to use certificates which are signed by a self-issued root certificate, meaning such networks are not available for public access and usual one way TLS connections are not allowed. So it is meaningless to implement a fallback since it completely invalidates the mTLS processes.

@hiddify-com

This comment was marked as spam.

@jose-C2OaWi

This comment was marked as abuse.

fix typo in tls.zh.md

Signed-off-by: jose-C2OaWi <[email protected]>
@Mahdi-zarei
Copy link
Contributor

Mahdi-zarei commented Nov 27, 2023

the fallback option to a simple website can avoid active detection. while dropping connection is itself a fingerprint for GFW to put this website in the gray/black list

This is absurd, regarding the diagram you have sent, the server asks for certificate from client (which tells the client that the protocol being used is mTLS and not TLS) whereas in normal TLS no such operation is performed. By simply accepting the GFW's invalid certificate and serving a webpage you are practically violating the protocol you are advertising to conform to and this is a much severer footprint than correctly rejecting the GFW's invalid certificate.

@nekohasekai nekohasekai force-pushed the dev-next branch 4 times, most recently from b759111 to 733c14d Compare November 29, 2023 07:41
@nekohasekai nekohasekai force-pushed the dev-next branch 30 times, most recently from be13007 to 492934f Compare December 15, 2024 14:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants