You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The internal Vision encryption layer previously accepted TLS records up to 17,000 bytes. This exceeds the TLS 1.3 maximum TLSCiphertext length defined in RFC 8446 §5.2, which mandates a hard limit of 16,640 bytes (2^14 + 256).
Problem
Records between 16,641 and 17,000 bytes are never produced by any compliant TLS implementation (Go crypto/tls, OpenSSL, BoringSSL, etc.). Accepting them creates a detectable fingerprint that DPI systems can use to identify VLESS Vision (PQ/decryption mode) traffic via active probing.
Per the RFC:
"The length MUST NOT exceed 2^14 + 256. An endpoint that receives a record that exceeds this length MUST terminate the connection with a record_overflow alert."
Impact
Area
Detail
Security
Eliminates a fingerprinting vector usable by DPI/active probing
Compatibility
Fully backward compatible — Write() already fragments at ~8192 bytes, well below the new limit
Scope
Only affects VLESS configurations with decryption enabled. Standard TLS/REALITY transport is unaffected (handled by Go crypto/tls)
RFC Compliance: Aligns the code with the exact TLS 1.3 specification (RFC 8446 §5.2), which defines the maximum as 2^14 + 256 = 16640 bytes
Defense in Depth: Protects against malformed packets from third-party implementations or potentially malicious actors attempting protocol fingerprinting
Code Quality: Removes the TODO comment and documents the reasoning with a proper RFC reference
Future-proofing: As more third-party clients interact with Xray, strict validation becomes more important
I understand the impact is minimal, but since we're here, it's a small improvement that brings the code closer to the standard.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
The internal Vision encryption layer previously accepted TLS records up to 17,000 bytes. This exceeds the TLS 1.3 maximum
TLSCiphertextlength defined in RFC 8446 §5.2, which mandates a hard limit of 16,640 bytes (2^14 + 256).Problem
Records between 16,641 and 17,000 bytes are never produced by any compliant TLS implementation (Go
crypto/tls, OpenSSL, BoringSSL, etc.). Accepting them creates a detectable fingerprint that DPI systems can use to identify VLESS Vision (PQ/decryption mode) traffic via active probing.Per the RFC:
Impact
Write()already fragments at ~8192 bytes, well below the new limitdecryptionenabled. Standard TLS/REALITY transport is unaffected (handled by Gocrypto/tls)