change default value of tls_enable and disable_custom_tls_first_byte (#3494)

2023-06-26 00:10:27 +08:00 · 2023-06-26 00:10:27 +08:00 · 685d7618f3
parent 15a245766e
commit 685d7618f3
10 changed files with 95 additions and 87 deletions
--- a/README.md
+++ b/README.md
@ -562,11 +562,9 @@ use_compression = true
 #### TLS
-frp supports the TLS protocol between `frpc` and `frps` since v0.25.0.
+Since v0.50.0, the default value of `tls_enable` and `disable_custom_tls_first_byte` has been changed to true, and tls is enabled by default.
-For port multiplexing, frp sends a first byte `0x17` to dial a TLS connection.
+For port multiplexing, frp sends a first byte `0x17` to dial a TLS connection. This only takes effect when you set `disable_custom_tls_first_byte` to false.
 Configure `tls_enable = true` in the `[common]` section to `frpc.ini` to enable this feature.
 To **enforce** `frps` to only accept TLS connections - configure `tls_only = true` in the `[common]` section in `frps.ini`. **This is optional.**
@ -581,7 +579,6 @@ tls_trusted_ca_file = ca.crt
 **`frps` TLS settings (under the `[common]` section):**
 ```ini
 tls_only = true
 tls_enable = true
 tls_cert_file = certificate.crt
 tls_key_file = certificate.key
 tls_trusted_ca_file = ca.crt
--- a/client/proxy/xtcp.go
+++ b/client/proxy/xtcp.go
@ -61,6 +61,7 @@ func (pxy *XTCPProxy) InWorkConn(conn net.Conn, startWorkConnMsg *msg.StartWorkC
 		return
 	}
 	xl.Trace("nathole prepare start")
 	prepareResult, err := nathole.Prepare([]string{pxy.clientCfg.NatHoleSTUNServer})
 	if err != nil {
 		xl.Warn("nathole prepare error: %v", err)
@ -80,6 +81,7 @@ func (pxy *XTCPProxy) InWorkConn(conn net.Conn, startWorkConnMsg *msg.StartWorkC
 		AssistedAddrs: prepareResult.AssistedAddrs,
 	}
 	xl.Trace("nathole exchange info start")
 	natHoleRespMsg, err := nathole.ExchangeInfo(pxy.ctx, pxy.msgTransporter, transactionID, natHoleClientMsg, 5*time.Second)
 	if err != nil {
 		xl.Warn("nathole exchange info error: %v", err)
--- a/client/visitor/xtcp.go
+++ b/client/visitor/xtcp.go
@ -266,11 +266,13 @@ func (sv *XTCPVisitor) getTunnelConn() (net.Conn, error) {
 // 4. Create a tunnel session using an underlying UDP connection.
 func (sv *XTCPVisitor) makeNatHole() {
 	xl := xlog.FromContextSafe(sv.ctx)
 	xl.Trace("makeNatHole start")
 	if err := nathole.PreCheck(sv.ctx, sv.helper.MsgTransporter(), sv.cfg.ServerName, 5*time.Second); err != nil {
 		xl.Warn("nathole precheck error: %v", err)
 		return
 	}
 	xl.Trace("nathole prepare start")
 	prepareResult, err := nathole.Prepare([]string{sv.clientCfg.NatHoleSTUNServer})
 	if err != nil {
 		xl.Warn("nathole prepare error: %v", err)
@ -294,6 +296,7 @@ func (sv *XTCPVisitor) makeNatHole() {
 		AssistedAddrs: prepareResult.AssistedAddrs,
 	}
 	xl.Trace("nathole exchange info start")
 	natHoleRespMsg, err := nathole.ExchangeInfo(sv.ctx, sv.helper.MsgTransporter(), transactionID, natHoleVisitorMsg, 5*time.Second)
 	if err != nil {
 		listenConn.Close()
--- a/cmd/frpc/sub/root.go
+++ b/cmd/frpc/sub/root.go
@ -94,7 +94,7 @@ func RegisterCommonFlags(cmd *cobra.Command) {
 	cmd.PersistentFlags().StringVarP(&logFile, "log_file", "", "console", "console or file path")
 	cmd.PersistentFlags().IntVarP(&logMaxDays, "log_max_days", "", 3, "log file reversed days")
 	cmd.PersistentFlags().BoolVarP(&disableLogColor, "disable_log_color", "", false, "disable log color in console")
-	cmd.PersistentFlags().BoolVarP(&tlsEnable, "tls_enable", "", false, "enable frpc tls")
+	cmd.PersistentFlags().BoolVarP(&tlsEnable, "tls_enable", "", true, "enable frpc tls")
 	cmd.PersistentFlags().StringVarP(&dnsServer, "dns_server", "", "", "specify dns server instead of using system default one")
 }
--- a/conf/frpc_full.ini
+++ b/conf/frpc_full.ini
@ -107,7 +107,8 @@ connect_server_local_ip = 0.0.0.0
 # quic_max_idle_timeout = 30
 # quic_max_incoming_streams = 100000
-# if tls_enable is true, frpc will connect frps by tls
+# If tls_enable is true, frpc will connect frps by tls.
 # Since v0.50.0, the default value has been changed to true, and tls is enabled by default.
 tls_enable = true
 # tls_cert_file = client.crt
@ -140,9 +141,10 @@ udp_packet_size = 1500
 # include other config files for proxies.
 # includes = ./confd/*.ini
-# By default, frpc will connect frps with first custom byte if tls is enabled.
+# If the disable_custom_tls_first_byte is set to false, frpc will establish a connection with frps using the
-# If DisableCustomTLSFirstByte is true, frpc will not send that custom byte.
+# first custom byte when tls is enabled.
-disable_custom_tls_first_byte = false
+# Since v0.50.0, the default value has been changed to true, and the first custom byte is disabled by default.
 disable_custom_tls_first_byte = true
 # Enable golang pprof handlers in admin listener.
 # Admin port must be set first.
--- a/pkg/config/client.go
+++ b/pkg/config/client.go
@ -127,6 +127,7 @@ type ClientCommonConf struct {
 	// TLSEnable specifies whether or not TLS should be used when communicating
 	// with the server. If "tls_cert_file" and "tls_key_file" are valid,
 	// client will load the supplied tls configuration.
 	// Since v0.50.0, the default value has been changed to true, and tls is enabled by default.
 	TLSEnable bool `ini:"tls_enable" json:"tls_enable"`
 	// TLSCertPath specifies the path of the cert file that client will
 	// load. It only works when "tls_enable" is true and "tls_key_file" is valid.
@ -142,8 +143,9 @@ type ClientCommonConf struct {
 	// TLSServerName specifies the custom server name of tls certificate. By
 	// default, server name if same to ServerAddr.
 	TLSServerName string `ini:"tls_server_name" json:"tls_server_name"`
-	// By default, frpc will connect frps with first custom byte if tls is enabled.
+	// If the disable_custom_tls_first_byte is set to false, frpc will establish a connection with frps using the
-	// If DisableCustomTLSFirstByte is true, frpc will not send that custom byte.
+	// first custom byte when tls is enabled.
 	// Since v0.50.0, the default value has been changed to true, and the first custom byte is disabled by default.
 	DisableCustomTLSFirstByte bool `ini:"disable_custom_tls_first_byte" json:"disable_custom_tls_first_byte"`
 	// HeartBeatInterval specifies at what interval heartbeats are sent to the
 	// server, in seconds. It is not recommended to change this value. By
@ -189,6 +191,8 @@ func GetDefaultClientConf() ClientCommonConf {
 		QUICKeepalivePeriod:       10,
 		QUICMaxIdleTimeout:        30,
 		QUICMaxIncomingStreams:    100000,
 		TLSEnable:                 true,
 		DisableCustomTLSFirstByte: true,
 		HeartbeatInterval:         30,
 		HeartbeatTimeout:          90,
 		Metas:                     make(map[string]string),
--- a/pkg/config/client_test.go
+++ b/pkg/config/client_test.go
@ -288,6 +288,7 @@ func Test_LoadClientCommonConf(t *testing.T) {
 		TLSKeyFile:                "client.key",
 		TLSTrustedCaFile:          "ca.crt",
 		TLSServerName:             "example.com",
 		DisableCustomTLSFirstByte: true,
 		DNSServer:                 "8.8.8.9",
 		Start:                     []string{"ssh", "dns"},
 		HeartbeatInterval:         39,
--- a/pkg/nathole/controller.go
+++ b/pkg/nathole/controller.go
@ -194,7 +194,7 @@ func (c *Controller) HandleVisitor(m *msg.NatHoleVisitor, transporter transport.
 		_ = transporter.Send(c.GenNatHoleResponse(m.TransactionID, nil, err.Error()))
 		return
 	}
-	log.Trace("handle visitor message, sid [%s]", sid)
+	log.Trace("handle visitor message, sid [%s], server name: %s", sid, m.ProxyName)
 	defer func() {
 		c.mu.Lock()
@ -256,7 +256,7 @@ func (c *Controller) HandleClient(m *msg.NatHoleClient, transporter transport.Me
 	if !ok {
 		return
 	}
-	log.Trace("handle client message, sid [%s]", session.sid)
+	log.Trace("handle client message, sid [%s], server name: %s", session.sid, m.ProxyName)
 	session.clientMsg = m
 	session.clientTransporter = transporter
 	select {
--- a/test/e2e/basic/basic.go
+++ b/test/e2e/basic/basic.go
@ -409,9 +409,13 @@ var _ = ginkgo.Describe("[Feature: Basic]", func() {
 				f.RunProcesses([]string{serverConf}, []string{clientServerConf, clientVisitorConf, clientUser2VisitorConf})
 				for _, test := range tests {
 					timeout := time.Second
 					if t == "xtcp" {
 						timeout = 4 * time.Second
 					}
 					framework.NewRequestExpect(f).
 						RequestModify(func(r *request.Request) {
-							r.Timeout(3 * time.Second)
+							r.Timeout(timeout)
 						}).
 						Protocol(protocol).
 						PortName(test.bindPortName).
--- a/test/e2e/basic/client_server.go
+++ b/test/e2e/basic/client_server.go
@ -101,11 +101,13 @@ var _ = ginkgo.Describe("[Feature: Client-Server]", func() {
 		supportProtocols := []string{"tcp", "kcp", "quic", "websocket"}
 		for _, protocol := range supportProtocols {
 			tmp := protocol
-			defineClientServerTest("TLS over "+strings.ToUpper(tmp), f, &generalTestConfigures{
+			// Since v0.50.0, the default value of tls_enable has been changed to true.
 			// Therefore, here it needs to be set as false to test the scenario of turning it off.
 			defineClientServerTest("Disable TLS over "+strings.ToUpper(tmp), f, &generalTestConfigures{
 				server: fmt.Sprintf(`
 				%s
 				`, renderBindPortConfig(protocol)),
-				client: fmt.Sprintf(`tls_enable = true
+				client: fmt.Sprintf(`tls_enable = false
 				protocol = %s
 				`, protocol),
 			})
@ -113,10 +115,10 @@ var _ = ginkgo.Describe("[Feature: Client-Server]", func() {
 		defineClientServerTest("enable tls_only, client with TLS", f, &generalTestConfigures{
 			server: "tls_only = true",
 			client: "tls_enable = true",
 		})
 		defineClientServerTest("enable tls_only, client without TLS", f, &generalTestConfigures{
 			server:      "tls_only = true",
 			client:      "tls_enable = false",
 			expectError: true,
 		})
 	})
@ -155,7 +157,6 @@ var _ = ginkgo.Describe("[Feature: Client-Server]", func() {
 					`, renderBindPortConfig(tmp), caCrtPath),
 					client: fmt.Sprintf(`
 						protocol = %s
 						tls_enable = true
 						tls_cert_file = %s
 						tls_key_file = %s
 					`, tmp, clientCrtPath, clientKeyPath),
@ -172,7 +173,6 @@ var _ = ginkgo.Describe("[Feature: Client-Server]", func() {
 					`, renderBindPortConfig(tmp), serverCrtPath, serverKeyPath, caCrtPath),
 					client: fmt.Sprintf(`
 						protocol = %s
 						tls_enable = true
 						tls_cert_file = %s
 						tls_key_file = %s
 						tls_trusted_ca_file = %s
@ -211,7 +211,6 @@ var _ = ginkgo.Describe("[Feature: Client-Server]", func() {
 				tls_trusted_ca_file = %s
 				`, serverCrtPath, serverKeyPath, caCrtPath),
 				client: fmt.Sprintf(`
 				tls_enable = true
 				tls_server_name = example.com
 				tls_cert_file = %s
 				tls_key_file = %s
@ -228,7 +227,6 @@ var _ = ginkgo.Describe("[Feature: Client-Server]", func() {
 				tls_trusted_ca_file = %s
 				`, serverCrtPath, serverKeyPath, caCrtPath),
 				client: fmt.Sprintf(`
 				tls_enable = true
 				tls_server_name = invalid.com
 				tls_cert_file = %s
 				tls_key_file = %s
@ -239,7 +237,7 @@ var _ = ginkgo.Describe("[Feature: Client-Server]", func() {
 		})
 	})
-	ginkgo.Describe("TLS with disable_custom_tls_first_byte", func() {
+	ginkgo.Describe("TLS with disable_custom_tls_first_byte set to false", func() {
 		supportProtocols := []string{"tcp", "kcp", "quic", "websocket"}
 		for _, protocol := range supportProtocols {
 			tmp := protocol
@ -248,9 +246,8 @@ var _ = ginkgo.Describe("[Feature: Client-Server]", func() {
 					%s
 					`, renderBindPortConfig(protocol)),
 				client: fmt.Sprintf(`
 					tls_enable = true
 					protocol = %s
-					disable_custom_tls_first_byte = true
+					disable_custom_tls_first_byte = false
 					`, protocol),
 			})
 		}
@ -266,9 +263,7 @@ var _ = ginkgo.Describe("[Feature: Client-Server]", func() {
 					%s
 					`, renderBindPortConfig(protocol)),
 				client: fmt.Sprintf(`
 					tls_enable = true
 					protocol = %s
 					disable_custom_tls_first_byte = true
 					`, protocol),
 			})
 		}