TLS ECH: Avoid outer ALPN http/1.1 for WSS & HUS; Change echForceQuery's default value to "full"; Update github.com/refraction-networking/utls to 20260301010127; Add irrelevant tests for uTLS-REALITY (#5725)

https://github.com/XTLS/Xray-core/pull/5725#issuecomment-3982680111
2026-05-08 14:13:22 +00:00 · 2026-03-09 20:49:49 +08:00
parent 0321cdd0d2
commit e86c365572
5 changed files with 167 additions and 6 deletions
--- a/transport/internet/tls/ech.go
+++ b/transport/internet/tls/ech.go
@@ -53,7 +53,7 @@ func ApplyECH(c *Config, config *tls.Config) error {
 		switch ECHForceQuery {
 		case "none", "half", "full":
 		case "":
-			ECHForceQuery = "none" // default to none
+			ECHForceQuery = "full" // default to full
 		default:
 			panic("Invalid ECHForceQuery: " + c.EchForceQuery)
 		}
@@ -174,7 +174,7 @@ func QueryRecord(domain string, server string, forceQuery string, sockopt *inter
 	// If expire is zero value, it means we are in initial state, wait for the query to finish
 	// otherwise return old value immediately and update in a goroutine
 	// but if the cache is too old, wait for update
-	if configRecord.expire == (time.Time{}) || configRecord.expire.Add(time.Hour*6).Before(time.Now()) {
+	if configRecord.expire == (time.Time{}) || configRecord.expire.Add(time.Hour*4).Before(time.Now()) {
 		return echConfigCache.Update(domain, server, false, forceQuery, sockopt)
 	} else {
 		// If someone already acquired the lock, it means it is updating, do not start another update goroutine
--- a/transport/internet/tls/tls.go
+++ b/transport/internet/tls/tls.go
@@ -10,6 +10,7 @@ import (
 	utls "github.com/refraction-networking/utls"
 	"github.com/xtls/xray-core/common/buf"
 	"github.com/xtls/xray-core/common/net"
+	"github.com/xtls/xray-core/common/utils"
 )

 type Interface interface {
@@ -97,6 +98,12 @@ func (c *UConn) WebsocketHandshakeContext(ctx context.Context) error {
 	if err := c.BuildHandshakeState(); err != nil {
 		return err
 	}
+	config := *utils.AccessField[*utls.Config](c, "config")
+	// Do not modify outer ALPN to http/1.1 if ECH is used
+	// Outer ALPN will be h2,http/1.1, and real ALPN in config will be hidden in ECH
+	if config.EncryptedClientHelloConfigList != nil {
+		return c.HandshakeContext(ctx)
+	}
 	// Iterate over extensions and check for utls.ALPNExtension
 	hasALPNExtension := false
 	for _, extension := range c.Extensions {
@@ -131,7 +138,7 @@ func GeneraticUClient(c net.Conn, config *tls.Config) *utls.UConn {
 }

 func copyConfig(c *tls.Config) *utls.Config {
-	return &utls.Config{
+	config := &utls.Config{
 		Rand:                           c.Rand,
 		RootCAs:                        c.RootCAs,
 		ServerName:                     c.ServerName,
@@ -140,6 +147,10 @@ func copyConfig(c *tls.Config) *utls.Config {
 		KeyLogWriter:                   c.KeyLogWriter,
 		EncryptedClientHelloConfigList: c.EncryptedClientHelloConfigList,
 	}
+	if config.EncryptedClientHelloConfigList != nil {
+		config.NextProtos = c.NextProtos
+	}
+	return config
 }

 func init() {