From 3ce94d50dd9bf6c28ca5be9b6869c7365bda679e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E4=B8=96=E7=95=8C?=
Date: Sat, 17 Jan 2026 04:18:34 +0800
Subject: [PATCH] Update uTLS to v1.8.2

---
 docs/configuration/shared/tls.md | 15 ++++++++++++---
 docs/configuration/shared/tls.zh.md | 11 +++++++++--
 docs/manual/proxy-protocol/trojan.md | 21 ++++----------------
 go.mod | 2 +-
 go.sum | 2 ++
 5 files changed, 28 insertions(+), 23 deletions(-)

diff --git a/docs/configuration/shared/tls.md b/docs/configuration/shared/tls.md
index 6fe74846b..5f9fdbe7e 100644
--- a/docs/configuration/shared/tls.md
+++ b/docs/configuration/shared/tls.md
@@ -230,9 +230,18 @@ The path to the server private key, in PEM format.
 
 ==Client only==
 
-!!! failure ""
-
- There is no evidence that GFW detects and blocks servers based on TLS client fingerprinting, and using an imperfect emulation that has not been security reviewed could pose security risks.
+!!! failure "Not Recommended"
+
+ uTLS has had repeated fingerprinting vulnerabilities discovered by researchers.
+
+ uTLS is a Go library that attempts to imitate browser TLS fingerprints by copying
+ ClientHello structure. However, browsers use completely different TLS stacks
+ (Chrome uses BoringSSL, Firefox uses NSS) with distinct implementation behaviors
+ that cannot be replicated by simply copying the handshake format, making detection possible.
+ Additionally, the library lacks active maintenance and has poor code quality,
+ making it unsuitable for censorship circumvention.
+
+ For TLS fingerprint resistance, use [NaiveProxy](/configuration/inbound/naive/) instead.
 
 uTLS is a fork of "crypto/tls", which provides ClientHello fingerprinting resistance.
 
diff --git a/docs/configuration/shared/tls.zh.md b/docs/configuration/shared/tls.zh.md
index b85d32907..63104d514 100644
--- a/docs/configuration/shared/tls.zh.md
+++ b/docs/configuration/shared/tls.zh.md
@@ -220,9 +220,16 @@ TLS 版本值:
 
 ==仅客户端==
 
-!!! failure ""
+!!! failure "不推荐"
 
- 没有证据表明 GFW 根据 TLS 客户端指纹检测并阻止服务器,并且,使用一个未经安全审查的不完美模拟可能带来安全隐患。
+ uTLS 已被研究人员多次发现其指纹可被识别的漏洞。
+
+ uTLS 是一个试图通过复制 ClientHello 结构来模仿浏览器 TLS 指纹的 Go 库。
+ 然而,浏览器使用完全不同的 TLS 实现(Chrome 使用 BoringSSL,Firefox 使用 NSS),
+ 其实现行为无法通过简单复制握手格式来复现,其行为细节必然存在差异,使得检测成为可能。
+ 此外,此库缺乏积极维护,且代码质量较差,不建议用于反审查场景。
+
+ 如需 TLS 指纹抵抗,请改用 [NaiveProxy](/configuration/inbound/naive/)。
 
 uTLS 是 "crypto/tls" 的一个分支,它提供了 ClientHello 指纹识别阻力。
 
diff --git a/docs/manual/proxy-protocol/trojan.md b/docs/manual/proxy-protocol/trojan.md
index 731322f3a..2bd63f5c8 100644
--- a/docs/manual/proxy-protocol/trojan.md
+++ b/docs/manual/proxy-protocol/trojan.md
@@ -4,8 +4,7 @@ icon: material/horse
 
 # Trojan
 
-Torjan is the most commonly used TLS proxy made in China. It can be used in various combinations,
-but only the combination of uTLS and multiplexing is recommended.
+Trojan is the most commonly used TLS proxy made in China. It can be used in various combinations.
 
 | Protocol and implementation combination | Specification | Resists passive detection | Resists active probes |
 |-----------------------------------------|----------------------------------------------------------------------|---------------------------|-----------------------|
@@ -140,11 +139,7 @@ but only the combination of uTLS and multiplexing is recommended.
 "password": "password",
 "tls": {
 "enabled": true,
- "server_name": "example.org",
- "utls": {
- "enabled": true,
- "fingerprint": "firefox"
- }
+ "server_name": "example.org"
 },
 "multiplex": {
 "enabled": true
@@ -171,11 +166,7 @@ but only the combination of uTLS and multiplexing is recommended.
 "tls": {
 "enabled": true,
 "server_name": "example.org",
- "certificate_path": "/path/to/certificate.pem",
- "utls": {
- "enabled": true,
- "fingerprint": "firefox"
- }
+ "certificate_path": "/path/to/certificate.pem"
 },
 "multiplex": {
 "enabled": true
@@ -198,11 +189,7 @@ but only the combination of uTLS and multiplexing is recommended.
 "tls": {
 "enabled": true,
 "server_name": "example.org",
- "insecure": true,
- "utls": {
- "enabled": true,
- "fingerprint": "firefox"
- }
+ "insecure": true
 },
 "multiplex": {
 "enabled": true
diff --git a/go.mod b/go.mod
index b0806dab6..f8e34facb 100644
--- a/go.mod
+++ b/go.mod
@@ -16,7 +16,7 @@ require (
 github.com/libdns/cloudflare v0.2.2-0.20250708034226-c574dccb31a6
 github.com/logrusorgru/aurora v2.0.3+incompatible
 github.com/metacubex/tfo-go v0.0.0-20250921095601-b102db4216c0
- github.com/metacubex/utls v1.8.3
+ github.com/metacubex/utls v1.8.4
 github.com/mholt/acmez/v3 v3.1.2
 github.com/miekg/dns v1.1.67
 github.com/oschwald/maxminddb-golang v1.13.1
diff --git a/go.sum b/go.sum
index bd5a47141..5c1ee5a7b 100644
--- a/go.sum
+++ b/go.sum
@@ -125,6 +125,8 @@ github.com/metacubex/tfo-go v0.0.0-20250921095601-b102db4216c0 h1:Ui+/2s5Qz0lSnD
 github.com/metacubex/tfo-go v0.0.0-20250921095601-b102db4216c0/go.mod h1:l9oLnLoEXyGZ5RVLsh7QCC5XsouTUyKk4F2nLm2DHLw=
 github.com/metacubex/utls v1.8.3 h1:0m/yCxm3SK6kWve2lKiFb1pue1wHitJ8sQQD4Ikqde4=
 github.com/metacubex/utls v1.8.3/go.mod h1:kncGGVhFaoGn5M3pFe3SXhZCzsbCJayNOH4UEqTKTko=
+github.com/metacubex/utls v1.8.4 h1:HmL9nUApDdWSkgUyodfwF6hSjtiwCGGdyhaSpEejKpg=
+github.com/metacubex/utls v1.8.4/go.mod h1:kncGGVhFaoGn5M3pFe3SXhZCzsbCJayNOH4UEqTKTko=
 github.com/mholt/acmez/v3 v3.1.2 h1:auob8J/0FhmdClQicvJvuDavgd5ezwLBfKuYmynhYzc=
 github.com/mholt/acmez/v3 v3.1.2/go.mod h1:L1wOU06KKvq7tswuMDwKdcHeKpFFgkppZy/y0DFxagQ=
 github.com/miekg/dns v1.1.67 h1:kg0EHj0G4bfT5/oOys6HhZw4vmMlnoZ+gDu8tJ/AlI0=