utls

2023-11-14 00:32:42 +08:00
parent 696d10fc28
commit 6108000cce
4 changed files with 120 additions and 7 deletions
--- a/dialer/ws/dialer.go
+++ b/dialer/ws/dialer.go
@ -2,6 +2,7 @@ package ws

 import (
 	"context"
+	tls "github.com/refraction-networking/utls"
 	"net"
 	"net/url"
 	"time"
@ -91,13 +92,38 @@ func (d *wsDialer) Handshake(ctx context.Context, conn net.Conn, options ...dial
 		},
 	}

-	url := url.URL{Scheme: "ws", Host: host, Path: d.md.path}
+	urlObj := url.URL{Scheme: "ws", Host: host, Path: d.md.path}
 	if d.tlsEnabled {
-		url.Scheme = "wss"
+		urlObj.Scheme = "wss"
 		dialer.TLSClientConfig = d.options.TLSConfig
+		tlsConfig := d.options.TLSConfig
+		dialer.NetDialTLSContext = func(ctx context.Context, network, addr string) (net.Conn, error) {
+			utlsConf := &tls.Config{InsecureSkipVerify: tlsConfig.InsecureSkipVerify, ServerName: tlsConfig.ServerName, ClientAuth: tls.ClientAuthType(tlsConfig.ClientAuth), ClientCAs: tlsConfig.ClientCAs, RootCAs: tlsConfig.RootCAs}
+			if len(tlsConfig.Certificates) > 0 {
+				for _, certificate := range tlsConfig.Certificates {
+					utlsConf.Certificates = append(utlsConf.Certificates, tls.Certificate{
+						Certificate:                 certificate.Certificate,
+						PrivateKey:                  certificate.PrivateKey,
+						OCSPStaple:                  certificate.OCSPStaple,
+						SignedCertificateTimestamps: certificate.SignedCertificateTimestamps,
+						Leaf:                        certificate.Leaf,
+					})
+				}
+			}
+			client := tls.UClient(conn, utlsConf, tls.HelloCustom)
+			client.ApplyPreset(newWsSpec())
+			err := client.Handshake()
+			if err != nil {
+				return nil, err
+			}
+			return client, nil
+		}
 	}
-
-	c, resp, err := dialer.DialContext(ctx, url.String(), d.md.header)
+	urlStr, errUnescape := url.QueryUnescape(urlObj.String())
+	if errUnescape != nil {
+		d.options.Logger.Debugf("[ws] URL QueryUnescape Error URL.String() -> %s", urlObj.String())
+	}
+	c, resp, err := dialer.DialContext(ctx, urlStr, d.md.header)
 	if err != nil {
 		return nil, err
 	}
@ -133,3 +159,76 @@ func (d *wsDialer) keepalive(conn ws_util.WebsocketConn) {
 		conn.SetWriteDeadline(time.Time{})
 	}
 }
+
+func newWsSpec() *tls.ClientHelloSpec {
+	return &tls.ClientHelloSpec{
+		CipherSuites: []uint16{
+			tls.GREASE_PLACEHOLDER,
+			tls.TLS_AES_128_GCM_SHA256,
+			tls.TLS_AES_256_GCM_SHA384,
+			tls.TLS_CHACHA20_POLY1305_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+			tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+			tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+			tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
+			tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
+			tls.TLS_RSA_WITH_AES_128_CBC_SHA,
+			tls.TLS_RSA_WITH_AES_256_CBC_SHA,
+		},
+		CompressionMethods: []byte{
+			0x00, // compressionNone
+		},
+		Extensions: []tls.TLSExtension{
+			&tls.UtlsGREASEExtension{},
+			&tls.SNIExtension{},
+			&tls.ExtendedMasterSecretExtension{},
+			&tls.RenegotiationInfoExtension{Renegotiation: tls.RenegotiateOnceAsClient},
+			&tls.SupportedCurvesExtension{[]tls.CurveID{
+				tls.GREASE_PLACEHOLDER,
+				tls.X25519,
+				tls.CurveP256,
+				tls.CurveP384,
+			}},
+			&tls.SupportedPointsExtension{SupportedPoints: []byte{
+				0x00, // pointFormatUncompressed
+			}},
+			&tls.SessionTicketExtension{},
+			&tls.ALPNExtension{AlpnProtocols: []string{"http/1.1"}},
+			&tls.StatusRequestExtension{},
+			&tls.SignatureAlgorithmsExtension{SupportedSignatureAlgorithms: []tls.SignatureScheme{
+				tls.ECDSAWithP256AndSHA256,
+				tls.PSSWithSHA256,
+				tls.PKCS1WithSHA256,
+				tls.ECDSAWithP384AndSHA384,
+				tls.PSSWithSHA384,
+				tls.PKCS1WithSHA384,
+				tls.PSSWithSHA512,
+				tls.PKCS1WithSHA512,
+			}},
+			&tls.SCTExtension{},
+			&tls.KeyShareExtension{[]tls.KeyShare{
+				{Group: tls.CurveID(tls.GREASE_PLACEHOLDER), Data: []byte{0}},
+				{Group: tls.X25519},
+			}},
+			&tls.PSKKeyExchangeModesExtension{[]uint8{
+				tls.PskModeDHE,
+			}},
+			&tls.SupportedVersionsExtension{[]uint16{
+				tls.GREASE_PLACEHOLDER,
+				tls.VersionTLS13,
+				tls.VersionTLS12,
+			}},
+			&tls.UtlsCompressCertExtension{[]tls.CertCompressionAlgo{
+				tls.CertCompressionBrotli,
+			}},
+			&tls.ApplicationSettingsExtension{SupportedProtocols: []string{"h2"}},
+			&tls.UtlsGREASEExtension{},
+			&tls.UtlsPaddingExtension{GetPaddingLen: tls.BoringPaddingStyle},
+		},
+	}
+}