使用 Hysteria 2 与 TUIC 协议时，HTTPS 连接出现异常

NekoLSD

这个问题有点复杂。

当我使用 Hysteria 2 官方最新版本的服务端与客户端时，在本地多次执行 time curl -x socks5h://127.0.0.1:1080 https://cp.cloudflare.com，返回的结果总是 0.170 total 上下。这个结果是正常的，我使用 Shadowsocks 协议得到的结果大概也是如此（我本地到服务器的 ICMP 响应时间大概稳定在 70ms 左右）。

然而当我将客户端切换为 Surge，运行同样的命令，返回的结果却总是 0.300 total 左右。这表示一个 HTTPS 请求完成的时长相比于正常情况增加了一百多毫秒。但如果将 cURL 请求的地址换成 http://cp.cloudflare.com，那么返回的结果又是 0.100 total 左右，这说明 HTTP 连接没有问题。

这个问题在我使用 sing-box 作为 Hysteria 2 或 TUIC 协议的服务端，Surge 作为客户端时也出现了。

Hysteria 和 sing-box 都使用 quic-go 作为他们的 QUIC 库，我不确定这是 Surge 的问题还是 quic-go 的问题。

还请开发者关注一下。

NekoLSD

cURL 后续测试发现，HTTPS 请求的 time_starttransfer 时间增加了一倍。

第一次使用 Surge 作为客户端，第二次使用 Hysteria 官方客户端的 cURL 时长对比：

➜  ~ curl -o /dev/null -s -w "time_namelookup: %{time_namelookup}\ntime_connect: %{time_connect}\ntime_appconnect: %{time_appconnect}\ntime_redirect: %{time_redirect}\ntime_pretransfer: %{time_pretransfer}\ntime_starttransfer: %{time_starttransfer}\ntime_total: %{time_total}\n" -x socks5h://127.0.0.1:6153 "https://cp.cloudflare.com"
time_namelookup: 0.000190
time_connect: 0.000496
time_appconnect: 0.086730
time_redirect: 0.000000
time_pretransfer: 0.087029
time_starttransfer: 0.297039
time_total: 0.297047
➜  ~ curl -o /dev/null -s -w "time_namelookup: %{time_namelookup}\ntime_connect: %{time_connect}\ntime_appconnect: %{time_appconnect}\ntime_redirect: %{time_redirect}\ntime_pretransfer: %{time_pretransfer}\ntime_starttransfer: %{time_starttransfer}\ntime_total: %{time_total}\n" -x socks5h://127.0.0.1:6153 "https://cp.cloudflare.com"
time_namelookup: 0.000220
time_connect: 0.000503
time_appconnect: 0.081312
time_redirect: 0.000000
time_pretransfer: 0.081455
time_starttransfer: 0.155040
time_total: 0.155047

使用 Surge 作为客户端时 curl https://cp.cloudflare.com -v 的输出：

➜  ~ curl -x socks5h://127.0.0.1:6153 https://cp.cloudflare.com -v
*   Trying 127.0.0.1:6153...
* Connected to 127.0.0.1 (127.0.0.1) port 6153
* SOCKS5 connect to cp.cloudflare.com:443 (remotely resolved)
* SOCKS5 request granted.
* Connected to 127.0.0.1 (127.0.0.1) port 6153
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / x25519 / id-ecPublicKey
* ALPN: server accepted h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=cloudflare.com
*  start date: Apr  4 00:00:00 2023 GMT
*  expire date: Apr  3 23:59:59 2024 GMT
*  subjectAltName: host "cp.cloudflare.com" matched cert's "*.cloudflare.com"
*  issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
*  SSL certificate verify ok.
*   Certificate level 0: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using ecdsa-with-SHA256
*   Certificate level 1: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 2: Public key type RSA (2048/112 Bits/secBits), signed using sha1WithRSAEncryption
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://cp.cloudflare.com/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: cp.cloudflare.com]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.6.0]
* [HTTP/2] [1] [accept: */*]
> GET / HTTP/2
> Host: cp.cloudflare.com
> User-Agent: curl/8.6.0
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< HTTP/2 204
< date: Thu, 08 Feb 2024 01:17:57 GMT
< set-cookie: __cf_bm=; path=/; expires=Thu, 08-Feb-24 01:47:57 GMT; domain=.cloudflare.com; HttpOnly; Secure; SameSite=None
< report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s="}],"group":"cf-nel","max_age":604800}
< nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
< strict-transport-security: max-age=15780000; includeSubDomains
< server: cloudflare
< cf-ray: 852009349c9ae6c6-HKG
< alt-svc: h3=":443"; ma=86400
<
* Connection #0 to host 127.0.0.1 left intact

使用 Hysteria 官方客户端时 curl https://cp.cloudflare.com -v 的输出：

➜  ~ curl -x socks5h://127.0.0.1:6153 https://cp.cloudflare.com -v
*   Trying 127.0.0.1:6153...
* Connected to 127.0.0.1 (127.0.0.1) port 6153
* SOCKS5 connect to cp.cloudflare.com:443 (remotely resolved)
* SOCKS5 request granted.
* Connected to 127.0.0.1 (127.0.0.1) port 6153
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / x25519 / id-ecPublicKey
* ALPN: server accepted h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=cloudflare.com
*  start date: Apr  4 00:00:00 2023 GMT
*  expire date: Apr  3 23:59:59 2024 GMT
*  subjectAltName: host "cp.cloudflare.com" matched cert's "*.cloudflare.com"
*  issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
*  SSL certificate verify ok.
*   Certificate level 0: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using ecdsa-with-SHA256
*   Certificate level 1: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 2: Public key type RSA (2048/112 Bits/secBits), signed using sha1WithRSAEncryption
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://cp.cloudflare.com/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: cp.cloudflare.com]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.6.0]
* [HTTP/2] [1] [accept: */*]
> GET / HTTP/2
> Host: cp.cloudflare.com
> User-Agent: curl/8.6.0
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< HTTP/2 204
< date: Thu, 08 Feb 2024 01:20:40 GMT
< set-cookie: __cf_bm=; path=/; expires=Thu, 08-Feb-24 01:50:40 GMT; domain=.cloudflare.com; HttpOnly; Secure; SameSite=None
< report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s="}],"group":"cf-nel","max_age":604800}
< nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
< strict-transport-security: max-age=15780000; includeSubDomains
< server: cloudflare
< cf-ray: 85200d2e39c220ee-HKG
< alt-svc: h3=":443"; ma=86400
<
* Connection #0 to host 127.0.0.1 left intact

NekoLSD

顶

NekoLSD

再顶

NekoLSD

再顶

NekoLSD

😭

NekoLSD

😭

NekoLSD

是否是因为没有实现 Hysteria 2 的 fastOpen？

SurgeTeam

NekoLSD 请测试一下最新的 Mac 版本 beta 2561 是否有改进，先前的 FastOpen 只支持服务端未确认时发生单个数据包，可能导致部分 app 的额外等待。

Masu

是谁导演这场戏
在这孤单角色里
对白总是自言自语
对手都是回忆
看不出什么结局

NekoLSD

SurgeTeam
beta 2561 的表现和以往一样，延迟上没有什么变化

SurgeTeam

NekoLSD 请再试一下 build 2562

NekoLSD

SurgeTeam
已修复👌