v4.38.0

[xiaokangwang]

Feature

• FakeDNS: Added fakedns+others sniffer , based on Add sniffer enhancement related to Fake DNS  #697 . Thanks @yuhan6665 .
• TLS: A SECURITY improvement that allow the remote peer's TLS certificate to be pinned to a known value. Document for TLS is updated.
• Observatory: A component that measure the connectivity of selected outbounds. The document for Observatory is updated.
• Routing : leastPing balancing strategy is added. This strategy will select a outbound that is alive and completed HTTPS GET request in the least time. The document for Routing is updated.

Chore

• Fixed two typo in comments. Thanks @U-v-U

Security Advisory

• TLS connections with dangerous diagnose option allowInsecure turn on and without certificate pin with pinnedPeerCertificateChainSha256 will not be able protect your data at all from a attacker in privileged network path(for example ISP or any firewall or censorship infrastructure). This is especially dangerous when an unprotected protocol or option is used, such as any VLess configuration, VMess with none or zero security, and any trojan configuration, in which case your data is accessible to attacker in plain text and attacker can inject arbitrary data pretending to the the remote server. In the case of VLess and trojan, the proxy protocol access control credential is also exposed to the attacker, the attacker will be able to use your proxy. You are advised to use certificate pin (and/or other security features provided in a later version of V2Ray) whenever allowInsecure is turned on. Attempting to MITM your connection temporarily to identify TLS based proxy is a known threat.

Notices

• VMess: From Jan 1, 2022, compatibility for legacy VMess MD5 will be disabled by default. Visit here for more information.
• You are able to compile exactly the same binaries as the ones in Assets section below by simply following the compiling guide.

For downstream developers

The Go module name of v2ray-core has been changed to github.com/v2fly/v2ray-core/v4. Do NOT use v2ray.com/core anymore.

---

This discussion was created from the release v4.38.0.

[bhoppi]

FakeDNS sniffer的功能改进非常棒，使这个功能具备了足够的鲁棒性，在透明代理中可以作为标配功能进行推广了。
但是配置方式，我个人觉得，过于复杂了，完全可以从易用性的角度进行简化。比方说，提供metadataOnly这个选项的意义是什么，根据destOverride的内容自动决定metadataOnly的值不行吗？还有，当设定destOverride: ["fakedns", "http", "tls"]时，v2ray自动按照现在"fakedns+others"的方式工作不行吗，为什么还要另外增加一项？

[xiaokangwang]

metadataOnly 用于由服务器主动发送首个消息的协议 如 SMTP。
"http", "tls" 的行为是针对全部IP的， "fakedns+others"仅针对FakeDNS的IP。
增加选项是保证每个选项的正交 https://stackoverflow.com/questions/1527393/what-is-orthogonality。 每个选项的行为必须是单一可预测的，不能几个选项组合的行为和其中的每个选项的行为相加不一致。

[xiaokangwang]

这个主要是用来让自签发证书也能相对安全的使用的。未来会加入Certificate Transparency的支持。

[bhoppi]

metadataOnly 用于由服务器主动发送首个消息的协议 如 SMTP。
"http", "tls" 的行为是针对全部IP的， "fakedns+others"仅针对FakeDNS的IP。
增加选项是保证每个选项的正交 https://stackoverflow.com/questions/1527393/what-is-orthogonality。 每个选项的行为必须是单一可预测的，不能几个选项组合的行为和其中的每个选项的行为相加不一致。

我明白了，其实我的理解跟您是不一样的。我是认为fakedns的优先级是天然高于其他的嗅探方式的，在这个基础上，我上面的各项提议就顺理成章了，简化配置后也没有任何的行为不一致。而您的思路显然是把这些项当作并列项看待的，从而导致了配置的复杂性。当然，我只是提出个人建议，没有仔细研究细节，如果这种理解方式不正确请您忽略。

[IceCodeNew]

关于推荐设置的 pinnedPeerCertificateChainSha256 一项，对于签免费证书的用户来说，应该是最少也需要每 90 天更新一次？个人觉得是有些繁琐了。
翻阅群聊给我一种感觉是希望应对 CA 乱发证书的问题，是不是可以考虑改成验证中间证书/根证书？或者是后面讨论里提到的 Certificate Transparency？

[xiaokangwang]

这个主要是用来让自签发证书也能相对安全的使用的。未来会加入Certificate Transparency的支持。

[xiaokangwang]

但是使用自签发证书其实也会暴露使用了自签发证书这个信息，所以说也不能说建议使用，但是至少可以提高一下安全性。

[yuhan6665]

感谢大佬对 fakedns 的改进工作，fff3e1a 你觉得目前不需要吗？
这个是为了解决每次从 0 分配地址，重启会容易产生的冲突的问题。

[xiaokangwang]

抱歉。。。我就看了PR的描述，没有特别仔细看这部分的代码。
现在看了后我的想法是：
嗯。关于这个，我觉得与其用时间来分配，不如使用域名地址的散列值。这样的话如果地址池足够大（比如IPv6下），每次每个域名分配到的IP都是相同或相似的。

[yuhan6665]

我觉得这个也可以，如果这个地址过于“稳定”，有没有隐私的疑虑？

[karldonitz]

同样配置下,为啥windows的v2rayN和iOS的shadowrocket就可以把allowinsecure开成false,而linux和macos的v2ray-core开启后就会校验失败无法上网?服务端配置为tls+websocket+web.

[karldonitz]

报错日志:
x509: certificate signed by unknown authority transport/internet/websocket: failed to dial WebSocket > transport/internet/websocket: failed to dial to (wss://x.x.x/v2ray): > dial tcp: operation was canceled] > common/retry: all retry attempts failed
allowinsecure改成true就可以正常了

[Loyalsoldier]

请补全 TLS 证书的中间证书。