Lokasi ngalangkungan proxy:   [ UP ]  
[Ngawartoskeun bug]   [Panyetelan cookie]                
Skip to content

Disable none cipher for shadowsocks#6303

Open
OfficialKatana wants to merge 8 commits into
XTLS:mainfrom
OfficialKatana:main
Open

Disable none cipher for shadowsocks#6303
OfficialKatana wants to merge 8 commits into
XTLS:mainfrom
OfficialKatana:main

Conversation

@OfficialKatana

@OfficialKatana OfficialKatana commented Jun 10, 2026

Copy link
Copy Markdown
Contributor

Remove "NONE Cipher" which is not widely used.

@OfficialKatana
Validate VMess outbound security settings
57a4617 
Forbid insecure outbound settings.
@OfficialKatana
Add detection for loopback and private addr
6f66c6d 
增加了内网地址检测(IsLoopback和IsPrivate应该够了)
@OfficialKatana
Implement address validation and TLS conflict checks on more protocols
0e6e03b 
Add Vless Hysteria2 and Trojan support
@OfficialKatana
Remove duplicated detection
24c7dd1 
Removed duplicated TLS outbound detection on hysteria2 (should always with QUIC)
@OfficialKatana
Update error messages and security checks
3603a0a 
Add extra detection for Trojan protocol
@OfficialKatana
Disable none cipher for shadowsocks
8110a14
bytecategory
bytecategory reviewed Jun 10, 2026
View reviewed changes

@bytecategory bytecategory left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

加个标签: 破坏性变更
问题在于即使是CipherType_NONE 也可以再套一层TLS(依旧安全)

@OfficialKatana

OfficialKatana commented Jun 10, 2026
edited
Loading

Copy link
Copy Markdown
Contributor Author

加个标签: 破坏性变更 问题在于即使是CipherType_NONE 也可以再套一层TLS(依旧安全)

理论上Shadowsocks不应该出现无加密这种组合
不需要加密的情况下应该使用vless或者别的任何协议结合TLS
虽然确实可以用TLS不过TLS+无加密貌似还不如Socks5结合无加密(同理Socks5也可以套

@bytecategory

bytecategory commented Jun 10, 2026

Copy link
Copy Markdown
Contributor

加个标签: 破坏性变更 问题在于即使是CipherType_NONE 也可以再套一层TLS(依旧安全)

理论上Shadowsocks不应该出现无加密这种组合 不需要加密的情况下应该使用vless或者别的任何协议结合TLS 虽然确实可以用TLS不过TLS+无加密貌似还不如Socks5结合无加密(同理Socks5也可以套

也就是把以前的换成Socks5了 ... 我先去忙Astrbot事件了

@bytecategory

bytecategory commented Jun 10, 2026

Copy link
Copy Markdown
Contributor

为什么不删Vmess的 None安全模式

@RPRX

RPRX commented Jun 10, 2026

Copy link
Copy Markdown
Member

毕竟计划是 #5640 (comment) ,似乎的确可以直接把 SS 和 VMess 不加密的模式删掉,只剩 VLESS 和 Trojan 需要配置检查了

@LjhAUMEM 有空给 Hy2 协议加个限制,只能搭配 Hy2 传输层,避免有人搞出公网明文传输的配置

@Fangliding

Fangliding commented Jun 10, 2026

Copy link
Copy Markdown
Member

俩pr都是一个人合一起不就行了吗

@RPRX

RPRX commented Jun 10, 2026

Copy link
Copy Markdown
Member

这个 PR base 更新一些,@OfficialKatana 可以把 #5640 的内容并入这个 PR

Private IP 段的话 Freedom 那里有,可以移到 common 那里

至于判断我想了一下,确实应该仅认可 VLESS Encryption 和 TLS/REALITY,毕竟 Finalmask 那些东西被认为不够可靠

这下正好防止有人配出明文 VLESS+mKCP+XDNS,得加个 Encryption 才行

@RPRX

RPRX commented Jun 10, 2026

Copy link
Copy Markdown
Member

此外还有个 dialerProxy 感觉不太好处理

@LjhAUMEM

LjhAUMEM commented Jun 10, 2026

Copy link
Copy Markdown
Collaborator

@LjhAUMEM 有空给 Hy2 协议加个限制,只能搭配 Hy2 传输层,避免有人搞出公网明文传输的配置

#6287 之后 in out 的 init 可以拿到 streamSettings,可以在里面判断

@RPRX

RPRX commented Jun 10, 2026

Copy link
Copy Markdown
Member

VMess 的 none 和 zero 直接删了吧都没人用,然后 VMess 不用判断了,Hy2 也是,@LjhAUMEM 直接在 #6287 限制一下吧

Private IP 段改为 Freedom 那里的,内网段允许用,注意留着 "localhost",应该不会有人 hosts 把它改到公网吧,那得炸多少

@RPRX RPRX mentioned this pull request Jun 10, 2026
Closed
@RPRX

RPRX commented Jun 10, 2026

Copy link
Copy Markdown
Member

@OfficialKatana 以及修一下 test 和 fmt

@LjhAUMEM

LjhAUMEM commented Jun 10, 2026
edited
Loading

Copy link
Copy Markdown
Collaborator

Hy2 也是,@LjhAUMEM 直接在 #6287 限制一下吧

done,这下手写 proto 的也无法绕过了

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@bytecategory bytecategory bytecategory left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@OfficialKatana @bytecategory @RPRX @Fangliding @LjhAUMEM