[Critical] [Pending] uTLS fingerprint leakage, and how to disable uTLS

[Ra2-IFV]

uTLS fingerprint leakage

from TG channel

本频道匿名披露的UTLS ECH GREASE BUG已被修复

请注意，此BUG会导致UTLS Chrome指纹纯被动识别
识别率50%（但是鉴于代理软件TCP连接数巨大，识别率可到100%）

影响范围 2023.12 - 2025.10

请立刻停用旧版客户端的Chrome指纹或更新客户端

如图，ECH套件与CipherSuite套件需匹配

*注 ECH GREASE 是网站不支持ECH时候发送的假ECH占位，目的是为了让防火墙区分不出来是不是真ECH

refraction-networking/utls@24bd1e0

Update

Release on the way.

Documented but mismatched behavior

https://xtls.github.io/config/transport.html#tlsobject

fingerprint : string此参数用于配置指定 TLS Client Hello 的指纹。当其值为空时，表示不启用此功能。

However, code implementation:

Xray-core/transport/internet/tls/tls.go

Lines 166 to 168 in 1952488

	if name == "" {
	return &utls.HelloChrome_Auto
	}

I respect RPRX, but at least give your dumb end users choices, now we are cooked. Release a new version ASAP.

Update

Docs are wrong. Xray use uTLS by default by intention.
For old clients, use unsafe to be safe to disable uTLS, but Reality cannot do this.
Reality is built on uTLS, use firefox instead.

[Fangliding]

#5229 (comment)

[Ra2-IFV]

So you are neither fixing this documented mismatch behavior nor correcting the doc, if it's wrong, since you closed without a fix

[Fangliding]

当初就默认utls这事其实吵过一次所以没动 这事也算是当初的回旋镖
我close的时候就已经改掉文档了

[Ra2-IFV]

😄 Now unsafe is safe

[Ra2-IFV]

infra/conf: failed to build stream settings for outbound detour > infra/conf: Failed to build REALITY config. > infra/conf: invalid "fingerprint": unsafe

[Fangliding]

reality好像是强制utls 这下淦了 可以用Firefox

[Ra2-IFV]

Dont tie reality to utls please, reality is excellent
https://github.com/XTLS/Xray-core/blob/main/transport/internet/reality/reality.go
we need a complete rewrite for reality

[Fangliding]

并不 reality 的协议实现使用了utls的暴露函数以操作底层tls结构 用原生gotls是没法实现的

[RPRX]

#5229 (comment) 先简单评价一下就是：

1. 这并非 uTLS 第一次出这样的问题，上一次就在几个月前，我报告的 [URGENT] Maybe uTLS is reusing the same x25519EphemeralKey for both X25519MLKEM768 and X25519, unlike Chrome refraction-networking/utls#342
2. Xray 虽然默认 Chrome 但并没有假设 uTLS 一定没问题，比如 REALITY 设计之初就有客户端发版本号机制，但其它实现冻结了
3. 都两年了不差这一两天，发了新版客户端也要半年才能普及，且还会残存不少旧版客户端，TLS 类都没救了洗洗睡吧
4. 好在 uTLS 的使用广泛，比如爬虫也会用，对于真网站也会出现些这样的指纹，如果 GFW 按这个来封 IP 可以被利用封锁真网站
5. 所以服务端加个指纹过滤也没啥必要，还有 iOS 上一堆非 Go 的实现可能不存在该问题，但有没有其它问题就不知道了

[iambabyninja]

I understand your skepticism regarding the update timelines for client devices, but delivering a new version on Android is quite easy and fast. However, releasing a new version on iOS, due to Apple Store moderation, can sometimes take several weeks.

If you don’t mind, perhaps we could release a new version so that the developers of client applications can publish their updates as soon as possible?

[RPRX]

#5229 (comment) 不都说了明天发新版吗，本来风扇发了个忘更新内置版本号的版本也让他删掉了