Skip to content

REALITY: Warn about minClientVer compatibility and fingerprinting risks#6507

Closed
Avaritia-ZOV wants to merge 1 commit into
XTLS:mainfrom
Avaritia-ZOV:main
Closed

REALITY: Warn about minClientVer compatibility and fingerprinting risks#6507
Avaritia-ZOV wants to merge 1 commit into
XTLS:mainfrom
Avaritia-ZOV:main

Conversation

@Avaritia-ZOV

Copy link
Copy Markdown
Contributor

We don’t need to compromise. Vulnerabilities are serious and important. A great many people don’t realise this.

@Davoyan

Davoyan commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Do you realize that third-party developers will just hardcode those ClientHello values?
Or they'll just make those values configurable.

@Avaritia-ZOV

Copy link
Copy Markdown
Contributor Author

We will add clients who are not recommended, as was the case with a certain platform that cannot be named.

@RPRX

RPRX commented Jul 16, 2026

Copy link
Copy Markdown
Member

我欣赏你们的态度,但是按这个思路的话 Xray-core 可能只能留 VLESS 协议了,根据 XTLS/BBS#19 ,“特征问题”没有“能被解密的加密安全性问题”那么严重,对于后者我们的做法是必须全 ban https://t.me/projectXtls/3378 ,而对于解决前者则是尽力而为

特征风险都提示过了 af7eb68 ,如果有人不在乎被 TLS 指纹有问题的其它客户端或旧客户端连上那就随他去吧,被封别怪协议

@RPRX RPRX closed this Jul 16, 2026
@RPRX

RPRX commented Jul 16, 2026

Copy link
Copy Markdown
Member

倒是可以把这个 PR 改成输出两个 warning,默认值时提示只有 Xray-core v26.3.27+ 才能连接,非默认值时提示相关特征风险

@Avaritia-ZOV

Copy link
Copy Markdown
Contributor Author

The problem is that end users – ordinary people – won’t even be aware of it. After all, they don’t look at the logs. Ultimately, we’re sacrificing ordinary people.

@RPRX

RPRX commented Jul 16, 2026

Copy link
Copy Markdown
Member

这个问题的话只能开 issue/PR 敦促面板、脚本等开发者提示相关特征风险了,或者有的人被封了可能就会去排查原因

@kavore

kavore commented Jul 16, 2026

Copy link
Copy Markdown

I think this PR is satire - I don't want to believe it's real.

We have bigger issues in xray-core that RPRX is aware of (as far as I know), but instead we're doing some bullshit with minver in REALITY and FPs. Maybe we should solve the other issues instead of doing this?

Because almost all the big providers will strip this shit the moment it's released - no one wants to lose customers and money. End users don't give a fuck about xray-core, VLESS or anything else. They just want to watch YouTube, play Brawl Stars, and that's it. They'll switch to VPNs that don't force them to install a new app and change their account region to do it (the main VPN app, Happ, has been banned from the Russian App Store for the third time, and there's no way to update it on a Russian account right now)

And the ones who won't even bother switching to another VPN will just settle for the government-approved apps like VK and end up way less protected than before

@RPRX

RPRX commented Jul 16, 2026

Copy link
Copy Markdown
Member

这个 PR 至少看起来不是 satire,并且解决客户端 TLS 指纹问题并不等于其它问题不会得到解决不明白你敲这些字时的脑回路

@Avaritia-ZOV Avaritia-ZOV changed the title REALITY: Enforce minimum client version REALITY: Warn about minClientVer compatibility and fingerprinting risks Jul 16, 2026
@RPRX

RPRX commented Jul 16, 2026

Copy link
Copy Markdown
Member

我刚刚也改了下 #6508 ,用我改的版本吧

@RPRX RPRX closed this Jul 16, 2026
RPRX added a commit that referenced this pull request Jul 16, 2026
#6508 (comment)
#6507 (comment)

---------

Co-authored-by: RPRX <63339210+RPRX@users.noreply.github.com>
Co-authored-by: Aleksey <fraybyl@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants