uTLS support

go.mod

@@ -12,6 +12,7 @@ require (
 	github.com/miekg/dns v1.1.35
 	github.com/pelletier/go-toml v1.8.1
 	github.com/pires/go-proxyproto v0.4.1
+	github.com/refraction-networking/utls v0.0.0-20201210053706-2179f286686b
 	github.com/seiflotfy/cuckoofilter v0.0.0-20201222105146-bc6005554a0c
 	github.com/stretchr/testify v1.7.0
 	github.com/xtls/go v0.0.0-20201118062508-3632bf3b7499

go.sum

@@ -137,6 +137,8 @@ github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/common v0.0.0-20180801064454-c7de2306084e/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
 github.com/prometheus/procfs v0.0.0-20180725123919-05ee40e3a273/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
+github.com/refraction-networking/utls v0.0.0-20201210053706-2179f286686b h1:lzo71oHzQEz0fKMSjR0BpVzuh2hOHvJTxnN3Rnikmtg=
+github.com/refraction-networking/utls v0.0.0-20201210053706-2179f286686b/go.mod h1:tz9gX959MEFfFN5whTIocCLUG57WiILqtdVxI8c6Wj0=
 github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g=
 github.com/seiflotfy/cuckoofilter v0.0.0-20201222105146-bc6005554a0c h1:pqy40B3MQWYrza7YZXOXgl0Nf0QGFqrOC0BKae1UNAA=
 github.com/seiflotfy/cuckoofilter v0.0.0-20201222105146-bc6005554a0c/go.mod h1:bR6DqgcAl1zTcOX8/pE2Qkj9XO00eCNqmKb7lXP8EAg=

infra/conf/transport_internet.go

@@ -300,6 +300,7 @@ type TLSConfig struct {
 	MaxVersion               string           `json:"maxVersion"`
 	CipherSuites             string           `json:"cipherSuites"`
 	PreferServerCipherSuites bool             `json:"preferServerCipherSuites"`
+	Fingerprint              string           `json:"fingerprint"`
 }
 
 // Build implements Buildable.
@@ -321,6 +322,7 @@ func (c *TLSConfig) Build() (proto.Message, error) {
 	if c.ALPN != nil && len(*c.ALPN) > 0 {
 		config.NextProtocol = []string(*c.ALPN)
 	}
+	config.Fingerprint = c.Fingerprint
 	config.EnableSessionResumption = c.EnableSessionResumption
 	config.DisableSystemRoot = c.DisableSystemRoot
 	config.MinVersion = c.MinVersion

transport/internet/tcp/dialer.go

@@ -21,14 +21,24 @@ func Dial(ctx context.Context, dest net.Destination, streamSettings *internet.Me
 
 	if config := tls.ConfigFromStreamSettings(streamSettings); config != nil {
 		tlsConfig := config.GetTLSConfig(tls.WithDestination(dest))
+		if config.Fingerprint != "" {
+			fingerprint, err := tls.GetuTLSClientHelloID(config.Fingerprint)
+			if err != nil {
+				conn = tls.Client(conn, tlsConfig)
+				newError("Switching to TLS.").Base(err).AtWarning().WriteToLog()
+			} else {
+				conn = tls.UClient(conn, tlsConfig, *fingerprint)
+			}
+		} else {
+			conn = tls.Client(conn, tlsConfig)
+		}
 		/*
 			if config.IsExperiment8357() {
 				conn = tls.UClient(conn, tlsConfig)
 			} else {
 				conn = tls.Client(conn, tlsConfig)
 			}
 		*/
-		conn = tls.Client(conn, tlsConfig)
 	} else if config := xtls.ConfigFromStreamSettings(streamSettings); config != nil {
 		xtlsConfig := config.GetXTLSConfig(xtls.WithDestination(dest))
 		conn = xtls.Client(conn, xtlsConfig)

transport/internet/tls/config.proto

@@ -55,4 +55,7 @@ message Config {
 
   // Whether the server selects its most preferred ciphersuite.
   bool prefer_server_cipher_suites = 10;
+
+  // ClientHello fingerprinting resistance(utls)
+  string fingerprint = 11;
 }

transport/internet/tls/tls.go

@@ -3,6 +3,7 @@ package tls
 import (
 	"crypto/tls"
 
+	utls "github.com/refraction-networking/utls"
 	"github.com/xtls/xray-core/common/buf"
 	"github.com/xtls/xray-core/common/net"
 )
@@ -41,22 +42,48 @@ func Client(c net.Conn, config *tls.Config) net.Conn {
 	return &Conn{Conn: tlsConn}
 }
 
-/*
 func copyConfig(c *tls.Config) *utls.Config {
+	//return &utls.Config{
+	//	NextProtos:         c.NextProtos,
+	//	ServerName:         c.ServerName,
+	//	InsecureSkipVerify: c.InsecureSkipVerify,
+	//	MinVersion:         c.MinVersion,
+	//	MaxVersion:         c.MaxVersion,
+	//}
 	return &utls.Config{
-		NextProtos:         c.NextProtos,
-		ServerName:         c.ServerName,
-		InsecureSkipVerify: c.InsecureSkipVerify,
-		MinVersion:         utls.VersionTLS12,
-		MaxVersion:         utls.VersionTLS12,
+		RootCAs:                  c.RootCAs,
+		NextProtos:               c.NextProtos,
+		ServerName:               c.ServerName,
+		InsecureSkipVerify:       c.InsecureSkipVerify,
+		CipherSuites:             c.CipherSuites,
+		PreferServerCipherSuites: c.PreferServerCipherSuites,
+		SessionTicketsDisabled:   c.SessionTicketsDisabled,
+		MinVersion:               c.MinVersion,
+		MaxVersion:               c.MaxVersion,
 	}
 }
 
-func UClient(c net.Conn, config *tls.Config) net.Conn {
+func GetuTLSClientHelloID(name string) (*utls.ClientHelloID, error) {
+	switch name {
+	case "randomized":
+		return &utls.HelloRandomized, nil
+	case "chrome":
+		return &utls.HelloChrome_Auto, nil
+	case "firefox":
+		return &utls.HelloFirefox_Auto, nil
+	case "ios":
+		return &utls.HelloIOS_Auto, nil
+	default:
+		return nil, newError("invalid fingerprint: " + name)
+	}
+}
+
+func UClient(c net.Conn, config *tls.Config, clientHelloID utls.ClientHelloID) net.Conn {
 	uConfig := copyConfig(config)
-	return utls.Client(c, uConfig)
+	conn := utls.UClient(c, uConfig, clientHelloID)
+	conn.Handshake()
+	return conn
 }
-*/
 
 // Server initiates a TLS server handshake on the given connection.
 func Server(c net.Conn, config *tls.Config) net.Conn {