Increase REALITY target TLS record buffer to 17 KiB#33
Conversation
|
Update: changed the proposed bound from Reason: TLS plaintext records are commonly described as 16 KiB, but TLS 1.3 encrypted records can exceed 16 KiB slightly due to overhead (RFC allows TLSCiphertext length up to The original reproducer ( |
|
I met the same issue. LGTM👍 Nit: Please update the PR title accordingly to align with your change. |
|
Is this fix included in v26.7.11? As i remember it was promised to include it to next release... |
|
Really interested in merging this, otherwise clients (which I can't change) are broken for dest with big certs |
Fixes XTLS/Xray-core#6356.
Summary
Increase REALITY's target TLS record buffer from 8192 bytes to 16384 bytes.
This fixes a reproducible REALITY failure when the legitimate target server returns a TLS Certificate record slightly larger than 8192 bytes. In the linked Xray-core issue,
www.microsoft.comcan return a Certificate record with total record length 8273 bytes when OCSP/status is included:The current REALITY code rejects it because:
The resulting user-facing/server log error is only:
Validation
I reproduced the failure with Xray-core
v26.3.27using:dest:www.microsoft.com:443serverNames:www.microsoft.comchromeUnpatched Xray failed locally with:
After this patch, the same localhost REALITY server/client setup succeeds:
A production deployment using the patched binary was also verified by the reporter.
Notes
TLS records can be up to around 16 KiB, so 8192 is too tight for real-world OCSP-stapled Certificate records from some large sites/CDN edges. This patch keeps the change minimal and avoids changing protocol behavior beyond allowing larger legitimate target handshake records.