
simple-tls's Introduction

simple-tls

An easy-to-use TCP connection forwarder. It adds a TLS layer on top of a raw data stream, and can also carry the stream over gRPC.


Parameters

            client listen address           server listen address
                    |                              |
|client|-->|simple-tls client|--TLS 1.3-->|simple-tls server|-->|final destination|
                                         |                    |
                        client destination address  server destination address

# Common parameters
  -b string
      [Host:Port] (required) Listen address.
  -d string
      [Host:Port] (required) Destination address.
  -grpc
      Use the gRPC protocol. Client and server must match.
  -grpc-path string
      (optional) gRPC service path. Client and server must match.

# Client parameters
# e.g. simple-tls -b 127.0.0.1:1080 -d your_server_ip:1080 -n your.server.name

  -n string
      Server certificate name. Used to verify the server's certificate; also sent as the SNI.
  -no-verify
      The client will not verify the server's certificate (certificate chain verification is skipped).
  -ca string
      CA certificate file used to verify the server's certificate. (Defaults to the system certificate pool.)
  -cert-hash string
      Hash of the server certificate (server certificate pinning).
      tip: the -hash-cert command prints a certificate's hash.

# Server parameters
# e.g. simple-tls -b :1080 -d 127.0.0.1:12345 -s -key /path/to/your/key -cert /path/to/your/cert
# The certificate must be in PEM (base64) format.
# -cert and -key may both be left empty; a temporary certificate is then generated in memory. Its domain name is random by default but can also be taken from the `-n` parameter.
# e.g. simple-tls -b :1080 -d 127.0.0.1:12345 -s -n my.test.domain

  -s
      (required) Run as the server.
  -cert string
      Certificate path.
  -key string
      Key path.

# Other common parameters

  -t int
      Connection idle timeout in seconds (default 300).
  -outbound-buf int
      Set the outbound TCP socket read/write buffer size.
  -inbound-buf int
      Set the inbound TCP socket read/write buffer size.

# Commands

  -gen-cert
      Generate an ECC certificate with a 256-bit key in the current directory.
      The certificate's DNS name can be set with `-n`; the default is a random string.
      A template certificate can be given with `-template`. Apart from the key and other critical parameters, all fields are copied from the template certificate.
      The output locations can be set with `-cert` and `-key`. (Default: the current directory, with the certificate's DNS name as the file name.)
      e.g. simple-tls -gen-cert -n my.domain
      writes the certificate my.domain.cert and the key my.domain.key to the current directory.
  -hash-cert
      Print a certificate's hash (for the client's -cert-hash).
      e.g. simple-tls -hash-cert ./my.cert
  -v
      Print the program version.

Quick start when the server has no valid certificate

The server uses a temporary certificate and the client does no verification at all. With verification off the client cannot tell the real server from an impersonator, so use this scheme only when the underlying connection already has its own security measures.

# Leave the server's -cert and -key empty; a temporary certificate is generated in memory.
simple-tls -b :1080 -d 127.0.0.1:12345 -s -n my.cert.domain
# The client disables certificate chain verification.
simple-tls -b :1080 -d your.server.address:1080 -n my.cert.domain -no-verify

The server uses a fixed certificate and the client verifies the server certificate by its hash (certificate pinning).

# Generate a certificate on the server.
simple-tls -gen-cert -n my.cert.domain
# Then print the certificate's hash, e.g. 8910fe28d2fb40398a...
simple-tls -hash-cert ./my.cert.domain.cert
# Start the server with this certificate.
simple-tls -b :1080 -d 127.0.0.1:12345 -s -key ./my.cert.domain.key -cert ./my.cert.domain.cert
# The client disables certificate chain verification but enables certificate hash verification.
simple-tls -b :1080 -d your.server.address:1080 -n my.cert.domain -no-verify -cert-hash 8910fe28d2fb40398a...
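The pinning scheme above, as an added Go example that is not simple-tls's own code: it generates a self-signed P-256 certificate in memory (the shape the README describes for -gen-cert and for a server started without -cert/-key), computes a pin for it, and runs two TLS 1.3 handshakes over loopback, one against the genuine certificate and one against a second certificate that carries the same DNS name but a different key. The hash scheme (hex SHA-256 over the DER-encoded leaf) and the names genTempCert, certHash, pinnedClientConfig and handshake are this example's assumptions; the page does not say what -hash-cert computes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/tls"
	"crypto/x509"
	"encoding/hex"
	"fmt"
	"math/big"
	"net"
	"time"
)

// genTempCert builds a self-signed P-256 ECDSA certificate in memory, like the
// README's -gen-cert output or a server started without -cert/-key (assumed shape).
func genTempCert(dnsName string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// certHash is the pin: hex SHA-256 of the DER leaf (assumed; the page does not say what -hash-cert computes).
func certHash(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// pinnedClientConfig models "-no-verify -cert-hash <hash>": chain and host name checks are
// off, so the callback is the only authentication left; it accepts only the pinned leaf.
func pinnedClientConfig(serverName, pinnedHash string) *tls.Config {
	return &tls.Config{
		ServerName:         serverName, // sent as SNI, like -n
		MinVersion:         tls.VersionTLS13,
		InsecureSkipVerify: true,
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			if len(rawCerts) == 0 {
				return fmt.Errorf("server presented no certificate")
			}
			got := certHash(rawCerts[0])
			if subtle.ConstantTimeCompare([]byte(got), []byte(pinnedHash)) != 1 {
				return fmt.Errorf("certificate pin mismatch: got %s", got)
			}
			return nil
		},
	}
}

// handshake runs one TLS 1.3 handshake over loopback TCP and returns the client's error.
func handshake(serverCert tls.Certificate, clientCfg *tls.Config) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	srvDone := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			srvDone <- err
			return
		}
		defer raw.Close()
		srvCfg := &tls.Config{Certificates: []tls.Certificate{serverCert}, MinVersion: tls.VersionTLS13}
		srvDone <- tls.Server(raw, srvCfg).Handshake()
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return err
	}
	defer raw.Close()
	err = tls.Client(raw, clientCfg).Handshake()
	<-srvDone // let the server side finish before the listener and sockets close
	return err
}

func main() {
	genuine, _ := genTempCert("my.cert.domain") // key generation errors ignored only in this demo entry point
	impostor, _ := genTempCert("my.cert.domain") // same DNS name, different key
	pin := certHash(genuine.Certificate[0])
	fmt.Println("genuine: ", handshake(genuine, pinnedClientConfig("my.cert.domain", pin)))
	fmt.Println("impostor:", handshake(impostor, pinnedClientConfig("my.cert.domain", pin)))
}
```

The point of the second handshake is that InsecureSkipVerify alone (the first scheme, -no-verify without -cert-hash) would accept both servers, since both present a certificate for my.cert.domain; only the pin check rejects the impostor, which is what -cert-hash adds back.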

Use as a SIP003 plugin

The shadowsocks SIP003 plugin protocol is supported. The shadowsocks main program sets the listen address -b and the destination address -d automatically.

Example with shadowsocks-rust:

ssserver -c config.json --plugin simple-tls --plugin-opts "s;key=/path/to/your/key;cert=/path/to/your/cert"
sslocal -c config.json --plugin simple-tls --plugin-opts "n=your.server.certificates.dnsname"
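How a SIP003 plugin turns what the shadowsocks main program hands it into the -b/-d flags mentioned above, as an added Go example that is not the simple-tls project's code. The SS_REMOTE_*/SS_LOCAL_*/SS_PLUGIN_OPTIONS environment variables and the option syntax (';'-separated entries, each a bare key or key=value, with '\' escaping ';', '=' and '\') come from the SIP003 spec; mapping each option key one-to-one onto a simple-tls flag matches the two example commands above but is an assumption about simple-tls's own parsing, and the names sip003Env, parseOpts and pluginArgs are this example's. The main function feeds a constructed server-side environment rather than reading the real variables.

```go
package main

import (
	"fmt"
	"net"
	"sort"
)

// sip003Env is what the shadowsocks main program hands a SIP003 plugin via the environment.
type sip003Env struct {
	RemoteHost, RemotePort string // SS_REMOTE_HOST / SS_REMOTE_PORT
	LocalHost, LocalPort   string // SS_LOCAL_HOST / SS_LOCAL_PORT
	Opts                   string // SS_PLUGIN_OPTIONS, e.g. "s;key=/k;cert=/c"
}

// parseOpts splits SIP003 plugin options: ';'-separated entries, each a bare
// "key" (flag) or "key=value"; '\' escapes ';', '=' and '\'.
func parseOpts(s string) (map[string]string, error) {
	opts := map[string]string{}
	var key, val []byte
	inVal := false
	flush := func() error {
		switch {
		case len(key) == 0 && !inVal:
			return nil // empty segment, e.g. a trailing ';'
		case len(key) == 0:
			return fmt.Errorf("option with empty key")
		}
		if _, dup := opts[string(key)]; dup {
			return fmt.Errorf("duplicate option %q", string(key))
		}
		opts[string(key)] = string(val)
		key, val, inVal = key[:0], val[:0], false
		return nil
	}
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch {
		case c == '\\' && i+1 < len(s): // escape: take the next byte literally
			i++
			c = s[i]
		case c == ';':
			if err := flush(); err != nil {
				return nil, err
			}
			continue
		case c == '=' && !inVal:
			inVal = true
			continue
		}
		if inVal {
			val = append(val, c)
		} else {
			key = append(key, c)
		}
	}
	if err := flush(); err != nil {
		return nil, err
	}
	return opts, nil
}

// pluginArgs builds the simple-tls command line: with "s" the plugin listens on the
// remote (public) address and forwards to the local ss-server, otherwise it listens locally
// and forwards to the remote server; -b/-d belong to the main program, so plugin-opts may not set them.
func pluginArgs(env sip003Env) ([]string, error) {
	opts, err := parseOpts(env.Opts)
	if err != nil {
		return nil, err
	}
	for _, reserved := range []string{"b", "d"} {
		if _, ok := opts[reserved]; ok {
			return nil, fmt.Errorf("option %q is set by the shadowsocks main program", reserved)
		}
	}
	remote, local := net.JoinHostPort(env.RemoteHost, env.RemotePort), net.JoinHostPort(env.LocalHost, env.LocalPort)
	args := []string{"-b", local, "-d", remote} // client side
	if _, isServer := opts["s"]; isServer {
		args = []string{"-b", remote, "-d", local}
	}
	keys := make([]string, 0, len(opts))
	for k := range opts {
		keys = append(keys, k)
	}
	sort.Strings(keys) // deterministic order; "key [value]" -> "-key [value]" is assumed
	for _, k := range keys {
		args = append(args, "-"+k)
		if v := opts[k]; v != "" {
			args = append(args, v)
		}
	}
	return args, nil
}

func main() {
	args, err := pluginArgs(sip003Env{RemoteHost: "0.0.0.0", RemotePort: "1080",
		LocalHost: "127.0.0.1", LocalPort: "12345", Opts: "s;key=/path/to/your/key;cert=/path/to/your/cert"})
	fmt.Println(args, err)
}
```

Rejecting b and d in plugin-opts matters because the main program owns both addresses: a plugin that let its options override them could be pointed at a different listener or destination than the one shadowsocks expects.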

Android SIP003 plugin

simple-tls-android is a plugin with a GUI for shadowsocks-android. It is currently released together with simple-tls; a universal apk for all platforms can be downloaded from the release page.

The source code of simple-tls-android is available here.

Beta

simple-tls does not currently guarantee compatibility between versions.

simple-tls's People

Contributors

cyqsimon, irinesistiana


simple-tls's Issues

SIP003 on Android does not work properly

Server-side configuration
shadowsocks-libev server

{
    "server":"127.0.0.1",
    "server_port":8888,
    "local_port":1080,
    "password":"password",
    "timeout":60,
    "method":"aes-128-gcm"
}

simple-tls command line

/usr/local/bin/simple-tls -b <server_ip>:2083 -d 127.0.0.1:8888 -s -cert /root/.acme.sh/<domain>/fullchain.cer -key /root/.acme.sh/<domain>/<domain>.key -wss -path /cdn

Cloudflare is used as the front end for this server.
Assume the CDN domain is <cdn-domain>.

The certificate given to the simple-tls server above contains the DNS name <cdn-domain>.

In a Linux VM
simple-tls command line

simple-tls -n <cdn-domain> -b 127.0.0.1:9050 -d <cdn-domain>:2083 -wss -path /cdn

shadowsocks-libev client command line

ss-local -s 127.0.0.1 -p 9050 -l 9988 -k password -m aes-128-gcm

Then I tested that the socks5 port 9050 works normally.

Below is the Android ss + SIP003 plugin configuration:

SS basic configuration
Server: <cdn-domain>
Port: 2083
Password and encryption method same as the server

SIP003 configuration

path=/cdn;wss;n=<cdn-domain>;

After connecting, the test fails.

How to configure ws-only mode?

When used as a shadowsocks SIP003 plugin, how can the server be configured to use only ws mode without adding a certificate?

I want nginx to handle TLS decryption and then forward the decrypted ws traffic to shadowsocks + simple-tls.

My shadowsocks configuration is as follows:

Server

ssserver -s "[::]:${PORT}" -m $METHOD -k ${PASSWORD} --plugin simple-tls --plugin-opts "ws;ws-path=/update;s;no-tls"

Client plugin parameters:

ws;n=my.server.com

With this setup it does not work.

xtls?

test

Would you consider also supporting xtls? Test: at the top ss (md4rc5) + simple-tls (pd off), in the middle xray (xtls), at the bottom ss (md4rc5) + simple-tls (pd off).

Since TLS is already present, ss uses md4rc5.

-no-tls not working

./simple-tls -s -no-tls -ws -b :80 -d 127.0.0.1:22 -n example.com

client:
simple-tls -ws -b 127.0.0.1:2222 -d example.com:80 -n example.com

client output on connection:
failed to dial server connection: failed to WebSocket dial: failed to send handshake request: Get "https://example.com": x509: certificate signed by unknown authority

Conclusion: with -no-tls, the server is still sending a certificate.

simple-tls v0.7.0-0-gdf0b4cc (go version: go1.17.6, os: linux, arch: amd64)
Linux Centos 7

Tutorial, please.

Hello. Can you create a tutorial on how to install and run this plugin once I have installed shadowsocks on an Ubuntu VPS, please?
Or just the commands or a script, please.
Or upload a full gif video or a YouTube video.

I just downloaded the apk and installed it on my Android.
I am not a programmer, but I like shadowsocks and I would like to use your plugin.

I hope you answer.

Android apk: after filling in the cca parameter, starting the ss node reports an error

Version: Android 9

Apk version: v0.1.1

The server uses a certificate generated with the -gen-cert parameter. After filling in the cca parameter on the Android client and starting the ss node, the following error is reported:
[screenshot: Screenshot_20200331-134110__01]

With a valid certificate obtained from Let's Encrypt and the cca field left empty on the Android side, there is no error and the node connects normally.

[Bug] In the latest version, the server cannot start in plugin mode

Error log:

2020-09-28T12:00:57.564+00:00 INFO  [shadowsocks::relay::tcprelay::server] shadowsocks TCP listening on 127.0.0.1:35503
2020/09/28 12:00:57 main: simple-tls v0.4.4-0-ge9579ad
2020/09/28 12:00:57 main: simple-tls is running as a sip003 plugin
2020/09/28 12:00:57 main: net.Listen: listen tcp 127.0.0.1:35503: bind: address already in use

Also, a version number problem:

simple-tls -v

2020/09/28 13:33:52 main: simple-tls v0.4.4-0-ge9579ad
v0.4.4-0-ge9579ad

The version query shows the above, but the actual version is v0.4.5.

Any plans to support MUX (multiplexing)?

The earlier mos-tls-tunnel had this feature; simple-tls seems to have dropped it.
MUX avoids frequent new connections, which keeps the data center's or CDN's firewall from flagging the traffic as DDoS, and also reduces the resource cost of repeated handshake attempts.

[Bug] flag provided but not defined: -V

Version:

shadowsocks-android: v5.1.4
simple-tls android: v0.4.6

logcat:

10-21 14:34:39.445 16447 26106 E libsslocal: 2020-10-21T14:34:39.444+08:00 INFO  shadowsocks 1.8.20
10-21 14:34:39.450 16447 26106 E libsslocal: 2020-10-21T14:34:39.449+08:00 INFO  started plugin "/data/app/com.github.IrineSistiana.plugin.simple_tls_android-7Mpj8YjrpIONpEEDWVOMeg==/lib/arm64/libsimple-tls.so" on 127.0.0.1:40777 <-> 66.66.66.66:443 (26117)
10-21 14:34:39.473 16447 26106 E libsslocal: flag provided but not defined: -V
10-21 14:34:39.473 16447 26106 E libsslocal: Usage of /data/app/com.github.IrineSistiana.plugin.simple_tls_android-7Mpj8YjrpIONpEEDWVOMeg==/lib/arm64/libsimple-tls.so:
10-21 14:34:39.473 16447 26106 E libsslocal:   -b string
10-21 14:34:39.473 16447 26106 E libsslocal:            [Host:Port] bind address
10-21 14:34:39.473 16447 26106 E libsslocal:   -ca string
10-21 14:34:39.473 16447 26106 E libsslocal:            PEM CA file path
10-21 14:34:39.473 16447 26106 E libsslocal:   -cca string
10-21 14:34:39.474 16447 26106 E libsslocal:            base64 encoded PEM CA
10-21 14:34:39.474 16447 26106 E libsslocal:   -cert string
10-21 14:34:39.474 16447 26106 E libsslocal:            [Path] PEM cert file
10-21 14:34:39.474 16447 26106 E libsslocal:   -cpu int
10-21 14:34:39.474 16447 26106 E libsslocal:            the maximum number of CPUs that can be executing simultaneously (default 6)
10-21 14:34:39.474 16447 26106 E libsslocal:   -d string
10-21 14:34:39.474 16447 26106 E libsslocal:            [Host:Port] destination address
10-21 14:34:39.474 16447 26106 E libsslocal:   -fast-open
10-21 14:34:39.474 16447 26106 E libsslocal:            enable tfo, only available on linux 4.11+
10-21 14:34:39.474 16447 26106 E libsslocal:   -gen-cert
10-21 14:34:39.474 16447 26106 E libsslocal:            [This is a helper function]: generate a certificate, store it's key to [-key] and cert to [-cert], print cert in base64 format without padding characters
10-21 14:34:39.474 16447 26106 E libsslocal:   -key string
10-21 14:34:39.474 16447 26106 E libsslocal:            [Path] PEM key file
10-21 14:34:39.474 16447 26106 E libsslocal:   -n string
10-21 14:34:39.474 16447 26106 E libsslocal:            server name
10-21 14:34:39.474 16447 26106 E libsslocal:   -no-verify
10-21 14:34:39.474 16447 26106 E libsslocal:            client won't verify the server's certificate chain and host name
10-21 14:34:39.474 16447 26106 E libsslocal:   -pd
10-21 14:34:39.474 16447 26106 E libsslocal:            send padding data occasionally to against traffic analysis
10-21 14:34:39.474 16447 26106 E libsslocal:   -s       is server
10-21 14:34:39.474 16447 26106 E libsslocal:   -t int
10-21 14:34:39.474 16447 26106 E libsslocal:            timeout after sec (default 300)
10-21 14:34:39.474 16447 26106 E libsslocal:   -v       output version info and exit
10-21 14:34:39.474 16447 26106 E libsslocal: 2020/10/21 06:34:39 main: invalid arg: flag provided but not defined: -V

UDP side

Hello,

As I understood, UDP is not supported right now?

Do you plan to support UDP side?

Consider removing default timeout?

Quote from cbeuw:

StreamTimeout is now no longer an option on Cloak server as Cloak will no longer timeout connections after at least some data has been sent. Connection timeout behaviours should be entirely implemented by the underlying proxy program. See shadowsocks/shadowsocks-rust#343.

Should simple-tls too consider unsetting its default timeout of 300s, or perhaps removing the option altogether?

[Suggestion] Add note on TLS mode and WSS mode?

Can you please make a recommendation in the documentation on which mode is preferable?

As per my understanding, WSS should be preferred because it is full-duplex, but I am not sure whether this is the case for your software. It would be best to have a recommendation from the author.

Thanks.

CryptoGo: we are a research group helping developers build secure applications.

Hi, we are a research group that helps developers build secure applications. We designed a cryptographic misuse detector (CryptoGo) for the Go language. We found your public repository on GitHub, and several security issues detected by CryptoGo are shown below.
Note that the cryptographic algorithms are categorized in two respects, security strength and security vulnerability, based on NIST Special Publication 800-57 and other public publications. Moreover, CryptoGo defines rules derived from the APIs of the Go cryptographic library and other popular cryptographic misuse detectors. The specific security issues we found are as follows:
(1) Location: core/auth.go:48
Broken rule: MD5 is an insecure algorithm;
(2) Location: core/auth.go:57
Broken rule: MD5 is an insecure algorithm;
(3) Location: core/client.go:101
Broken rule: SSL/TLS uses insecure verification;
We hope the above security issues help you build a secure application. If you have any concerns or suggestions, please feel free to contact us; we look forward to your reply. Thanks.

Solution for ARM

Hey. I am grateful for your work. Tell me, please, are you planning to compile a build for the Raspberry Pi (ARM) platform?
