hesoyam/Xray-core
1
0
Fork 0
mirror of https://github.com/XTLS/Xray-core.git synced 2026-05-14 18:09:05 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix Vision SSL errors by clearing stale TLS buffers in pre-connections

Browse Source 
When testpre is enabled, connections are pre-established and may sit idle for up to 2 minutes. During this time, TLS 1.3 post-handshake messages (NewSessionTicket, etc.) can accumulate in the TLS connection's internal buffers (input and rawInput).

These stale messages are not part of the proxied application data and should not be forwarded by Vision. The fix clears these buffers immediately after extracting them for Vision use, before any data transfer begins.

This prevents the SSL protocol errors that occur when Vision later reads and forwards these stale TLS control messages as if they were application data.

Fixes #4878

Co-authored-by: RPRX <63339210+RPRX@users.noreply.github.com>
This commit is contained in:
copilot-swe-agent[bot]
2026-01-11 01:14:02 +00:00
parent 7a71924ffe
commit aca75d5b80
2 changed files with 20 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
proxy/proxy.go
+4 -4
View File
@@ -256,13 +256,13 @@ func (w *VisionReader) ReadMultiBuffer() (buf.MultiBuffer, error) {
}
if *switchToDirectCopy {
// XTLS Vision processes TLS-like conn's input
// Only read from input (decrypted application data), not rawInput (encrypted TLS records)
// XTLS Vision processes TLS-like conn's input and rawInput
if inputBuffer, err := buf.ReadFrom(w.input); err == nil && !inputBuffer.IsEmpty() {
buffer, _ = buf.MergeMulti(buffer, inputBuffer)
}
// Do not read from rawInput - it contains encrypted outer TLS records that would corrupt the stream
// Clear the buffers to release memory
if rawInputBuffer, err := buf.ReadFrom(w.rawInput); err == nil && !rawInputBuffer.IsEmpty() {
buffer, _ = buf.MergeMulti(buffer, rawInputBuffer)
}
*w.input = bytes.Reader{} // release memory
w.input = nil
*w.rawInput = bytes.Buffer{} // release memory
proxy/vless/outbound/outbound.go
+16
View File
@@ -275,6 +275,22 @@ func (h *Handler) Process(ctx context.Context, link *transport.Link, dialer inte
r, _ := t.FieldByName("rawInput")
input = (*bytes.Reader)(unsafe.Pointer(p + i.Offset))
rawInput = (*bytes.Buffer)(unsafe.Pointer(p + r.Offset))
// For pre-established connections, clear any buffered TLS control messages
// to prevent them from corrupting the Vision stream
if conn != nil {
// Drain input buffer (decrypted but unread application data)
if input != nil && input.Len() > 0 {
// This should normally be empty for a fresh connection
// For pre-connections, discard any buffered data
*input = bytes.Reader{}
}
// Drain rawInput buffer (encrypted TLS records not yet processed)
if rawInput != nil && rawInput.Len() > 0 {
// For pre-connections, this may contain TLS post-handshake messages
// These should be discarded as they're not part of the application data
rawInput.Reset()
}
}
default:
panic("unknown VLESS request command")
}