diff --git a/docs/content/basic/full-config.md b/docs/content/basic/full-config.md index 2548b1b56..d45ac1ff3 100644 --- a/docs/content/basic/full-config.md +++ b/docs/content/basic/full-config.md @@ -43,6 +43,7 @@ weight: 30 "key": *required*, "key_password": "", "cipher": "", + "ciphers": [], "curves": "", "prefer_server_cipher": false, "sni": "", @@ -182,6 +183,8 @@ weight: 30 ```cipher```TLS使用的密码学套件。```cipher13``字段与此字段合并。只有在你明确知道自己在做什么的情况下,才应该去填写此项以修改trojan-go使用的TLS密码学套件。**正常情况下,你应该将其留空或者不填**,trojan-go会根据当前硬件平台以及远端的情况,自动选择最合适的加密算法以提升性能和安全性。如果需要填写,密码学套件名用分号(":")分隔,按优先顺序排列。Go的TLS库中弃用了TLS1.2中部分不安全的密码学套件,并完全支持TLS1.3。默认情况下,trojan-go将优先使用更安全的TLS1.3。 +```ciphers```TLS使用的密码学套件。```cipher13``字段与此字段合并。只有在你明确知道自己在做什么的情况下,才应该去填写此项以修改trojan-go使用的TLS密码学套件。**正常情况下,你应该将其留空或者不填**,trojan-go会根据当前硬件平台以及远端的情况,自动选择最合适的加密算法以提升性能和安全性。如果需要填写,密码学套件名以数组书写,按优先顺序排列。Go的TLS库中弃用了TLS1.2中部分不安全的密码学套件,并完全支持TLS1.3。默认情况下,trojan-go将优先使用更安全的TLS1.3。 + ```curves```指定TLS在ECDHE中偏好使用的椭圆曲线。只有你明确知道自己在做什么的情况下,才应该填写此项。曲线名称用分号(":")分隔,按优先顺序排列。 ```plain_http_response```指服务端TLS握手失败时,明文发送的原始数据(原始TCP数据)。这个字段填入该文件路径。推荐使用```fallback_port```而不是该字段。 diff --git a/tunnel/router/client.go b/tunnel/router/client.go index 1de3431d7..3f46f9e69 100644 --- a/tunnel/router/client.go +++ b/tunnel/router/client.go @@ -137,6 +137,7 @@ func (c *Client) Route(address *tunnel.Address) int { if err == nil { for i := Block; i <= Proxy; i++ { if matchIP(c.cidrs[i], resolvedIP.IP) { + log.Warnf("%s (%s) hit %s", address.DomainName, resolvedIP.IP, i) return i } } @@ -144,6 +145,7 @@ func (c *Client) Route(address *tunnel.Address) int { } for i := Block; i <= Proxy; i++ { if matchDomain(c.domains[i], address.DomainName) { + log.Warnf("%s hit %s", address.DomainName, i) return i } } @@ -152,6 +154,7 @@ func (c *Client) Route(address *tunnel.Address) int { if err == nil { for i := Block; i <= Proxy; i++ { if matchIP(c.cidrs[i], resolvedIP.IP) { + log.Warnf("%s (%s) hit %s", address.DomainName, resolvedIP.IP, i) return i } } 
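Review bot: The new `log.Warnf` calls in Route (this hunk at -137 and the two that follow at -144 and -152) fire at warning level on every matched connection, so ordinary routing decisions flood the log with destination domains and resolved IPs; these are informational and belong at `log.Debugf` (or at most `Infof`), which also keeps the warning channel meaningful for real problems. The `%s` verb is applied to `i`, the loop index over `Block..Proxy`; unless that type implements `fmt.Stringer`, which is not visible in these hunks, it prints `%!s(int=...)`, so `%v` is the safe choice either way, e.g. `log.Debugf("%s (%s) hit %v", address.DomainName, resolvedIP.IP, i)` here and `log.Debugf("%s hit %v", address.DomainName, i)` in the -144 hunk. Route's body starts and ends outside these hunks.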
diff --git a/tunnel/tls/client.go b/tunnel/tls/client.go index f6ffc2675..20b1d988a 100644 --- a/tunnel/tls/client.go +++ b/tunnel/tls/client.go @@ -107,11 +107,18 @@ func NewClient(ctx context.Context, underlay tunnel.Client) (*Client, error) { log.Warn("tls sni is unspecified") } + var cipherSuite []uint16 + if len(cfg.TLS.Cipher) != 0 { + cipherSuite = fingerprint.ParseCipher(strings.Split(cfg.TLS.Cipher, ":")) + } else if len(cfg.TLS.Ciphers) != 0 { + cipherSuite = fingerprint.ParseCipher(cfg.TLS.Ciphers) + } + client := &Client{ underlay: underlay, verify: cfg.TLS.Verify, sni: cfg.TLS.SNI, - cipher: fingerprint.ParseCipher(strings.Split(cfg.TLS.Cipher, ":")), + cipher: cipherSuite, sessionTicket: cfg.TLS.ReuseSession, fingerprint: cfg.TLS.Fingerprint, helloID: helloID, diff --git a/tunnel/tls/config.go b/tunnel/tls/config.go index cfe0bc442..6bd6fa68e 100644 --- a/tunnel/tls/config.go +++ b/tunnel/tls/config.go @@ -22,6 +22,7 @@ type TLSConfig struct { KeyPath string `json:"key" yaml:"key"` KeyPassword string `json:"key_password" yaml:"key-password"` Cipher string `json:"cipher" yaml:"cipher"` + Ciphers []string `json:"ciphers" yaml:"ciphers"` PreferServerCipher bool `json:"prefer_server_cipher" yaml:"prefer-server-cipher"` SNI string `json:"sni" yaml:"sni"` HTTPResponseFileName string `json:"plain_http_response" yaml:"plain-http-response"` diff --git a/tunnel/tls/server.go b/tunnel/tls/server.go index f9f66d717..b1b332119 100644 --- a/tunnel/tls/server.go +++ b/tunnel/tls/server.go @@ -335,6 +335,8 @@ func NewServer(ctx context.Context, underlay tunnel.Server) (*Server, error) { var cipherSuite []uint16 if len(cfg.TLS.Cipher) != 0 { cipherSuite = fingerprint.ParseCipher(strings.Split(cfg.TLS.Cipher, ":")) + } else if len(cfg.TLS.Ciphers) != 0 { + cipherSuite = fingerprint.ParseCipher(cfg.TLS.Ciphers) } ctx, cancel := context.WithCancel(ctx)
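Review bot: When both `cipher` and `ciphers` are present in the config, the new if/else-if chain silently uses `Cipher` and drops `Ciphers`, and nothing tells the operator that a configured cipher list was ignored; a warning on the conflicting case, e.g. `if len(cfg.TLS.Cipher) != 0 && len(cfg.TLS.Ciphers) != 0 { log.Warn("both tls cipher and ciphers are set, using cipher") }`, would make that visible. The same selection chain is now duplicated in the tunnel/tls/server.go hunk below; a single helper on TLSConfig returning the parsed suite list would keep client and server precedence in agreement. Note also that `cipher` is now nil rather than the result of `fingerprint.ParseCipher([]string{""})` when neither field is set, which is presumably the intended behaviour but worth confirming against how ParseCipher treats an empty name. NewClient's body starts and ends outside the hunk.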
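Review bot: The new `Ciphers` field carries no comment relating it to `Cipher` on the line above, so the struct gives no hint which one wins when both are set, a decision that currently lives only in the client and server constructors. A field comment such as `// Ciphers is the list form of Cipher; when both are set, Cipher takes precedence.` would make the contract visible to anyone editing the config type. The TLSConfig struct starts and ends outside the hunk.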