[Bug] 基于socks5的ssl连接报错

[jinsongzhao]

先决条件

• 我了解这里是官方开源版 Clash 核心仓库，只提供开源版或者 Premium 内核的支持
• 我要提交 Clash 核心的问题，并非 Clash.Meta / OpenClash / ClashX / Clash For Windows 或其他任何衍生版本的问题
• 我使用的是本仓库最新版本的 Clash 或 Clash Premium 内核
• 我已经在 Issue Tracker 中找过我要提出的 bug，并且没有找到相关问题
• 我已经仔细阅读 官方 Wiki 并无法自行解决问题
• （非 Premium 内核必填）我已经使用 dev 分支版本测试过，问题依旧存在

版本

v2.0.24

适用的作业系统

Linux

适用的硬件架构

amd64

配置文件

port: 8081
# socks-port: 7891
# redir-port: 7892
allow-lan: true
mode: Rule
log-level: debug
external-controller: 0.0.0.0:9090
dns:
  enable: false
  ipv6: false
Proxy:
  - {
      name: "socks5h",
      type: socks5,
      server: 127.0.0.1,
      port: 1080,
      tls: true,
      skip-cert-verify: true
    }
Proxy Group:
  - {
      name: "Proxy",
      type: select,
      proxies: [ "socks5h" ]
    }
Rule:
  - DOMAIN-KEYWORD,google,Proxy
  - GEOIP,CN,DIRECT
  - MATCH,Proxy

日志输出

curl -x http://127.0.0.1:8081 -v https://www.google.com
* Rebuilt URL to: https://www.google.com/
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 8081 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to www.google.com:443
> CONNECT www.google.com:443 HTTP/1.1
> Host: www.google.com:443
> User-Agent: curl/7.58.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied 200 to CONNECT request
* CONNECT phase completed!
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CONNECT phase completed!
* CONNECT phase completed!
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.google.com:443
* stopped the pause stream!
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.google.com:443

问题描述

GNU C Library (Ubuntu GLIBC 2.27-3ubuntu1.5) stable release version 2.27
通过privoxy做代理的正常输出

curl -x http://127.0.0.1:8080 -v https://www.google.com

• Rebuilt URL to: https://www.google.com/
• Trying 127.0.0.1...
• TCP_NODELAY set
• Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
• allocate connect buffer!
• Establish HTTP proxy tunnel to www.google.com:443

CONNECT www.google.com:443 HTTP/1.1
Host: www.google.com:443
User-Agent: curl/7.58.0
Proxy-Connection: Keep-Alive

< HTTP/1.1 200 Connection established
<

• Proxy replied 200 to CONNECT request
• CONNECT phase completed!
• ALPN, offering h2
• ALPN, offering http/1.1
• successfully set certificate verify locations:
• CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
• TLSv1.3 (OUT), TLS handshake, Client hello (1):
• CONNECT phase completed!
• CONNECT phase completed!
• TLSv1.3 (IN), TLS handshake, Server hello (2):
• TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
• TLSv1.3 (IN), TLS handshake, Unknown (8):
• TLSv1.3 (IN), TLS handshake, Certificate (11):
• TLSv1.3 (IN), TLS handshake, CERT verify (15):
• TLSv1.3 (IN), TLS handshake, Finished (20):
• TLSv1.3 (OUT), TLS change cipher, Client hello (1):
• TLSv1.3 (OUT), TLS Unknown, Certificate Status (22):
• TLSv1.3 (OUT), TLS handshake, Finished (20):
• SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
• ALPN, server accepted to use h2
• Server certificate:
• subject: CN=www.google.com
• start date: Feb 5 08:19:50 2024 GMT
• expire date: Apr 29 08:19:49 2024 GMT
• subjectAltName: host "www.google.com" matched cert's "www.google.com"
• issuer: C=US; O=Google Trust Services LLC; CN=GTS CA 1C3
• SSL certificate verify ok.
• Using HTTP2, server supports multi-use
• Connection state changed (HTTP/2 confirmed)
• Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
• TLSv1.3 (OUT), TLS Unknown, Unknown (23):
• TLSv1.3 (OUT), TLS Unknown, Unknown (23):
• TLSv1.3 (OUT), TLS Unknown, Unknown (23):
• Using Stream ID: 1 (easy handle 0x55c7869e2620)
• TLSv1.3 (OUT), TLS Unknown, Unknown (23):

GET / HTTP/2
Host: www.google.com
User-Agent: curl/7.58.0
Accept: /

• TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
• TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
• TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
• TLSv1.3 (IN), TLS Unknown, Unknown (23):
• Connection state changed (MAX_CONCURRENT_STREAMS updated)!
• TLSv1.3 (OUT), TLS Unknown, Unknown (23):
• TLSv1.3 (IN), TLS Unknown, Unknown (23):
• TLSv1.3 (IN), TLS Unknown, Unknown (23):
  < HTTP/2 200
  < date: Mon, 26 Feb 2024 07:40:52 GMT
  < expires: -1
  < cache-control: private, max-age=0

复现步骤

No response