impl. utls conn factory

Author: Snawoot

go.mod

@@ -12,6 +12,7 @@ require (
 	github.com/jellydator/ttlcache/v3 v3.3.0
 	github.com/libp2p/go-reuseport v0.4.0
 	github.com/redis/go-redis/v9 v9.8.0
+	github.com/refraction-networking/utls v1.8.0
 	github.com/tg123/go-htpasswd v1.2.4
 	github.com/zeebo/xxh3 v1.0.2
 	golang.org/x/crypto v0.38.0
@@ -23,12 +24,14 @@ require (
 
 require (
 	github.com/GehirnInc/crypt v0.0.0-20230320061759-8cc1b52080c5 // indirect
+	github.com/andybalholm/brotli v1.0.6 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
 	github.com/dlclark/regexp2 v1.11.5 // indirect
 	github.com/go-sourcemap/sourcemap v2.1.4+incompatible // indirect
 	github.com/google/pprof v0.0.0-20250501235452-c0086092b71a // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
+	github.com/klauspost/compress v1.17.4 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.10 // indirect
 	github.com/pires/go-proxyproto v0.8.1
 	golang.org/x/sys v0.33.0 // indirect

go.sum

@@ -6,6 +6,8 @@ github.com/Snawoot/uniqueslice v0.1.1 h1:KEfv3FtAXiNEoxvcc79pFQDhnqwYXQyZIkxOM4e
 github.com/Snawoot/uniqueslice v0.1.1/go.mod h1:K9zIaHO43FGLHbqm6WCDFeY6+CN/du5eiio/vxvDVC8=
 github.com/Snawoot/xtime v0.0.0-20250501122004-d1ce456948bb h1:PleTDwc/EQenzLsvIal2BgvIXr2D214M88RFac3WkeI=
 github.com/Snawoot/xtime v0.0.0-20250501122004-d1ce456948bb/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
+github.com/andybalholm/brotli v1.0.6 h1:Yf9fFpf49Zrxb9NlQaluyE92/+X7UVHlhMNJN2sxfOI=
+github.com/andybalholm/brotli v1.0.6/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig=
 github.com/bsm/ginkgo/v2 v2.12.0 h1:Ny8MWAHyOepLGlLKYmXG4IEkioBysk6GpaRTLC8zwWs=
 github.com/bsm/ginkgo/v2 v2.12.0/go.mod h1:SwYbGRRDovPVboqFv0tPTcG1sN61LM1Z4ARdbAV9g4c=
 github.com/bsm/gomega v1.27.10 h1:yeMWxP2pV2fG3FgAODIY8EiRE3dy0aeFYt4l7wh6yKA=
@@ -34,6 +36,8 @@ github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+l
 github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
 github.com/jellydator/ttlcache/v3 v3.3.0 h1:BdoC9cE81qXfrxeb9eoJi9dWrdhSuwXMAnHTbnBm4Wc=
 github.com/jellydator/ttlcache/v3 v3.3.0/go.mod h1:bj2/e0l4jRnQdrnSTaGTsh4GSXvMjQcy41i7th0GVGw=
+github.com/klauspost/compress v1.17.4 h1:Ej5ixsIri7BrIjBkRZLTo6ghwrEtHFk7ijlczPW4fZ4=
+github.com/klauspost/compress v1.17.4/go.mod h1:/dCuZOvVtNoHsyb+cuJD3itjs3NbnF6KH9zAO4BDxPM=
 github.com/klauspost/cpuid/v2 v2.2.10 h1:tBs3QSyvjDyFTq3uoc/9xFpCuOsJQFNPiAhYdw2skhE=
 github.com/klauspost/cpuid/v2 v2.2.10/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
 github.com/libp2p/go-reuseport v0.4.0 h1:nR5KU7hD0WxXCJbmw7r2rhRYruNRl2koHw8fQscQm2s=
@@ -44,6 +48,8 @@ github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZb
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/redis/go-redis/v9 v9.8.0 h1:q3nRvjrlge/6UD7eTu/DSg2uYiU2mCL0G/uzBWqhicI=
 github.com/redis/go-redis/v9 v9.8.0/go.mod h1:huWgSWd8mW6+m0VPhJjSSQ+d6Nh1VICQ6Q5lHuCH/Iw=
+github.com/refraction-networking/utls v1.8.0 h1:L38krhiTAyj9EeiQQa2sg+hYb4qwLCqdMcpZrRfbONE=
+github.com/refraction-networking/utls v1.8.0/go.mod h1:jkSOEkLqn+S/jtpEHPOsVv/4V4EVnelwbMQl4vCWXAM=
 github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/tg123/go-htpasswd v1.2.4 h1:HgH8KKCjdmo7jjXWN9k1nefPBd7Be3tFCTjc2jPraPU=

tlsutil/util.go

@@ -4,9 +4,12 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"fmt"
+	"net"
 	"net/url"
 	"os"
 	"strings"
+
+	utls "github.com/refraction-networking/utls"
 )
 
 func ExpectPeerName(name string, roots *x509.CertPool) func(cs tls.ConnectionState) error {
@@ -222,3 +225,186 @@ func TLSConfigFromURL(u *url.URL) (*tls.Config, error) {
 	}
 	return tlsConfig, nil
 }
+
+func TLSFactoryFromURL(u *url.URL) (func(c net.Conn, config *tls.Config) net.Conn, error) {
+	params, err := url.ParseQuery(u.RawQuery)
+	if err != nil {
+		return nil, fmt.Errorf("unable to parse query string of proxy specification URL %q: %w", u.String(), err)
+	}
+	if params.Has("utls-fp") {
+		var fp utls.ClientHelloID
+		switch params.Get("utls-fp") {
+		case "Hello360_11_0":
+			fp = utls.Hello360_11_0
+		case "Hello360_7_5":
+			fp = utls.Hello360_7_5
+		case "Hello360_Auto":
+			fp = utls.Hello360_Auto
+		case "HelloAndroid_11_OkHttp":
+			fp = utls.HelloAndroid_11_OkHttp
+		case "HelloChrome_100":
+			fp = utls.HelloChrome_100
+		case "HelloChrome_100_PSK":
+			fp = utls.HelloChrome_100_PSK
+		case "HelloChrome_102":
+			fp = utls.HelloChrome_102
+		case "HelloChrome_106_Shuffle":
+			fp = utls.HelloChrome_106_Shuffle
+		case "HelloChrome_112_PSK_Shuf":
+			fp = utls.HelloChrome_112_PSK_Shuf
+		case "HelloChrome_114_Padding_PSK_Shuf":
+			fp = utls.HelloChrome_114_Padding_PSK_Shuf
+		case "HelloChrome_115_PQ":
+			fp = utls.HelloChrome_115_PQ
+		case "HelloChrome_115_PQ_PSK":
+			fp = utls.HelloChrome_115_PQ_PSK
+		case "HelloChrome_120":
+			fp = utls.HelloChrome_120
+		case "HelloChrome_120_PQ":
+			fp = utls.HelloChrome_120_PQ
+		case "HelloChrome_131":
+			fp = utls.HelloChrome_131
+		case "HelloChrome_133":
+			fp = utls.HelloChrome_133
+		case "HelloChrome_58":
+			fp = utls.HelloChrome_58
+		case "HelloChrome_62":
+			fp = utls.HelloChrome_62
+		case "HelloChrome_70":
+			fp = utls.HelloChrome_70
+		case "HelloChrome_72":
+			fp = utls.HelloChrome_72
+		case "HelloChrome_83":
+			fp = utls.HelloChrome_83
+		case "HelloChrome_87":
+			fp = utls.HelloChrome_87
+		case "HelloChrome_96":
+			fp = utls.HelloChrome_96
+		case "HelloChrome_Auto":
+			fp = utls.HelloChrome_Auto
+		case "HelloCustom":
+			fp = utls.HelloCustom
+		case "HelloEdge_106":
+			fp = utls.HelloEdge_106
+		case "HelloEdge_85":
+			fp = utls.HelloEdge_85
+		case "HelloEdge_Auto":
+			fp = utls.HelloEdge_Auto
+		case "HelloFirefox_102":
+			fp = utls.HelloFirefox_102
+		case "HelloFirefox_105":
+			fp = utls.HelloFirefox_105
+		case "HelloFirefox_120":
+			fp = utls.HelloFirefox_120
+		case "HelloFirefox_55":
+			fp = utls.HelloFirefox_55
+		case "HelloFirefox_56":
+			fp = utls.HelloFirefox_56
+		case "HelloFirefox_63":
+			fp = utls.HelloFirefox_63
+		case "HelloFirefox_65":
+			fp = utls.HelloFirefox_65
+		case "HelloFirefox_99":
+			fp = utls.HelloFirefox_99
+		case "HelloFirefox_Auto":
+			fp = utls.HelloFirefox_Auto
+		case "HelloGolang":
+			fp = utls.HelloGolang
+		case "HelloIOS_11_1":
+			fp = utls.HelloIOS_11_1
+		case "HelloIOS_12_1":
+			fp = utls.HelloIOS_12_1
+		case "HelloIOS_13":
+			fp = utls.HelloIOS_13
+		case "HelloIOS_14":
+			fp = utls.HelloIOS_14
+		case "HelloIOS_Auto":
+			fp = utls.HelloIOS_Auto
+		case "HelloQQ_11_1":
+			fp = utls.HelloQQ_11_1
+		case "HelloQQ_Auto":
+			fp = utls.HelloQQ_Auto
+		case "HelloRandomized":
+			fp = utls.HelloRandomized
+		case "HelloRandomizedALPN":
+			fp = utls.HelloRandomizedALPN
+		case "HelloRandomizedNoALPN":
+			fp = utls.HelloRandomizedNoALPN
+		case "HelloSafari_16_0":
+			fp = utls.HelloSafari_16_0
+		case "HelloSafari_Auto":
+			fp = utls.HelloSafari_Auto
+		default:
+			return nil, fmt.Errorf("unknown uTLS client hello ID %q", params.Get("utls-fp"))
+		}
+		return func(c net.Conn, config *tls.Config) net.Conn {
+			var ucfg *utls.Config
+			if config != nil {
+				ucfg = &utls.Config{
+					Rand:                        config.Rand,
+					Time:                        config.Time,
+					Certificates:                castCertsToUCerts(config.Certificates),
+					RootCAs:                     config.RootCAs,
+					NextProtos:                  config.NextProtos,
+					ServerName:                  config.ServerName,
+					ClientAuth:                  utls.ClientAuthType(config.ClientAuth),
+					ClientCAs:                   config.ClientCAs,
+					InsecureSkipVerify:          config.InsecureSkipVerify,
+					CipherSuites:                config.CipherSuites,
+					PreferServerCipherSuites:    config.PreferServerCipherSuites,
+					SessionTicketsDisabled:      config.SessionTicketsDisabled,
+					SessionTicketKey:            config.SessionTicketKey,
+					MinVersion:                  config.MinVersion,
+					MaxVersion:                  config.MaxVersion,
+					CurvePreferences:            castCurvesToUCurves(config.CurvePreferences),
+					DynamicRecordSizingDisabled: config.DynamicRecordSizingDisabled,
+					KeyLogWriter:                config.KeyLogWriter,
+				}
+			}
+			return utls.UClient(c, ucfg, fp)
+		}, nil
+	}
+	return func(c net.Conn, config *tls.Config) net.Conn {
+		return tls.Client(c, config)
+	}, nil
+}
+
+func castCertsToUCerts(certs []tls.Certificate) []utls.Certificate {
+	if certs == nil {
+		return nil
+	}
+	ucerts := make([]utls.Certificate, len(certs))
+	for i, cert := range certs {
+		ucerts[i] = utls.Certificate{
+			Certificate:                  cert.Certificate,
+			PrivateKey:                   cert.PrivateKey,
+			SupportedSignatureAlgorithms: castSigSchemesToUSigSchemes(cert.SupportedSignatureAlgorithms),
+			OCSPStaple:                   cert.OCSPStaple,
+			SignedCertificateTimestamps:  cert.SignedCertificateTimestamps,
+			Leaf:                         cert.Leaf,
+		}
+	}
+	return ucerts
+}
+
+func castSigSchemesToUSigSchemes(schemes []tls.SignatureScheme) []utls.SignatureScheme {
+	if schemes == nil {
+		return nil
+	}
+	uschemes := make([]utls.SignatureScheme, len(schemes))
+	for i, scheme := range schemes {
+		uschemes[i] = utls.SignatureScheme(scheme)
+	}
+	return uschemes
+}
+
+func castCurvesToUCurves(curves []tls.CurveID) []utls.CurveID {
+	if curves == nil {
+		return nil
+	}
+	ucurves := make([]utls.CurveID, len(curves))
+	for i, curve := range curves {
+		ucurves[i] = utls.CurveID(curve)
+	}
+	return ucurves
+}