diff --git a/README.md b/README.md index 5929c78..8cd3a0d 100644 --- a/README.md +++ b/README.md 
@@ -1,130 +1,95 @@ # simple-tls -[中文](README_zh.md) [English](README.md) - ---- - -Probably the simplest TLS plugin. It can: - -- Protect and obfuscate your connections with real TLS1.3. -- Easily run as a SIP003 plugin and run on Android platform. -- Send random data packets at appropriate times. This can change the timing characteristics of data packets in one connection, which can protect you against timing traffic analysis. (optional, experimental) See [documentation (Chinese only)](https://github.com/IrineSistiana/simple-tls/wiki/%E6%97%B6%E5%BA%8F%E5%A1%AB%E5%85%85(pd)%E6%A8%A1%E5%BC%8F). +[中文](README.md) [English](README_en.md) --- - [simple-tls](#simple-tls) - - [How to build](#how-to-build) - - [Usage](#usage) - - [Standalone mode](#standalone-mode) - - [SIP003 mode](#sip003-mode) - - [Start a server without certificate](#start-a-server-without-certificate) - - [How to import CA in client](#how-to-import-ca-in-client) + - [参数](#参数) + - [SIP003模式](#sip003模式) - [Android](#android) -## How to build - -You will need go v1.14 or later. - - go build - -## Usage - - client bind addr server bind addr - | | - |client|-->|simple-tls client|--TLS1.3-->|simple-tls server|-->|final destination| - | | - client dst addr server dst addr - - # Common arguments - -b string - [Host:Port] bind addr. - -d string - [Host:Port] destination addr. - - # Transfer mode (Client and server must have the same mode) - -pd - Enable padding-data mode. Server will send some padding data to protect against traffic analysis. - - # Client arguments - -n string - Server certificate name. - -no-verify - Client won't verify the server's certificate chain and host name. - -ca string - Load a CA file from path. - -cca string - Load a base64 encoded PEM CA certificate from string. - - # Server arguments - -s - Run as a server. - -cert string - PEM certificate file path. - -key string - PEM key file path. - - # Other geek's arguments - -cpu int - The maximum number of CPUs to simultaneously use. 
- -fast-open - Enable TCP-Fast-Open. Only available on Linux kernel 4.11+. - -t int - Idle timeout in seconds (default to 300). - - # Helper commands - -gen-cert - Quickly generate an ECC certificate. - -v - Print out version information of the current binary. - -## Standalone mode - - # server - simple-tls -b 0.0.0.0:1080 -d 127.0.0.1:12345 -s -key /path/to/your/key -cert /path/to/your/cert - - # client - simple-tls -b 127.0.0.1:1080 -d your_server_ip:1080 -n your.server.certificates.dnsname - -## SIP003 mode - -Complies with Shadowsocks [SIP003](https://shadowsocks.org/en/wiki/Plugin.html) plugin protocol. Shadowsocks will automatically set `-d` and `-b` parameters, no need to set those manually. - -Take [shadowsocks-libev](https://github.com/shadowsocks/shadowsocks-libev) as an example: - - ss-server -c config.json --plugin simple-tls --plugin-opts "s;key=/path/to/your/key;cert=/path/to/your/cert" - ss-local -c config.json --plugin simple-tls --plugin-opts "n=your.server.certificates.dnsname" - -## Start a server without certificate - -You can use `-gen-cert` to quickly generate an [ECC certificate](https://www.digicert.com/faq/ecc.htm). - - simple-tls -gen-cert -n certificate.dnsname -key ./my_ecc_cert.key -cert ./my_ecc_cert.cert - -Or you can just start the server without `-key` and `-cert`. Server will automatically generate a temporary certificate and store it in memory. - -**Please note that:** In those cases, clients have to import the generated certificate as CA. See below. Else clients need to disable server certificate verification by using `-no-verify`. Not recommended because this is susceptible to man-in-the-middle attacks. - -## How to import CA in client - -You can use `-cca` or `-ca` to import a certificate or ca-bundle file as CA. - -`-ca` accepts a path. - - simple-tls ... ... -ca ./path/to/my.ca.cert - -`-cca` accepts a base64 encoded certificate. - - simple-tls ... ... 
-cca VkRJWkpCK1R1c3h...4eGdFbz0K== +## 参数 + +```text + 客户端监听地址 服务端监听地址 + | | +|客户端|-->|simple-tls 客户端|--TLS1.3-->|simple-tls 服务端|-->|最终目的地| + | | + 客户端目的地地址 服务端目的地地址 + +# 通用参数 + -b string + [Host:Port] 监听地址。 + -d string + [Host:Port] 目的地地址。 + -auth string + 身份验证密码。(可选。客户端和服务端需一致。仅用于过滤扫描流量。) + +# 客户端参数 +# e.g. simple-tls -b 127.0.0.1:1080 -d your_server_ip:1080 -n your.server.name + + -mux int + 单条 TCP 连接内最大复用的连接数。(默认 0 禁用 mux) + -n string + 服务器证书名。 + -no-verify + 客户端将不会验证服务端的证书。 + -ca string + 加载 PEM CA 证书文件。 + e.g. -ca ./path/to/my.ca.cert + -cca string + 从字符串加载被 base64 编码 (e.g. base64 -w 0 ./my.cert) 的 PEM CA 证书。 + e.g. -cca VkRJW...4eGdFbz0K== + +# 服务端参数 +# e.g. simple-tls -b 0.0.0.0:1080 -d 127.0.0.1:12345 -s -key /path/to/your/key -cert /path/to/your/cert +# -cert 和 -key 可以同时留空,会生成一个临时证书。证书的 Subject Alternate Name 取自 `-n` 参数。 +# e.g. simple-tls -b 0.0.0.0:1080 -d 127.0.0.1:12345 -s -n my.test.domain + + -s + 以服务端运行。 + -cert string + PEM 证书路径。 + -key string + PEM 密钥路径。 + +# 其他参数 + + -cpu int + 最多使用的cpu数。 + -fast-open + 启用TCP快速开启,仅支持Linux内核4.11+。 + -t int + 空闲超时,以秒记 (默认300)。 + +# 命令 + + -gen-cert + 快速生成一个 Subject Alternate Name 为 `-n` 的 ECC 证书 + e.g. simple-tls -gen-cert -n my.test.domain + -v + 显示目前程序版本 +``` + +## SIP003模式 + +支持 [SIP003](https://shadowsocks.org/en/wiki/Plugin.html) 插件协议。 以 [shadowsocks-libev](https://github.com/shadowsocks/shadowsocks-libev) 为例: + +```shell +ss-server -c config.json --plugin simple-tls --plugin-opts "s;key=/path/to/your/key;cert=/path/to/your/cert" +ss-local -c config.json --plugin simple-tls --plugin-opts "n=your.server.certificates.dnsname" +``` ## Android -simple-tls-android is a GUI plugin for [shadowsocks-android](https://github.com/shadowsocks/shadowsocks-android). You need to download and install shadowsocks-android first. It's also an open source software. Source code is available [here](https://github.com/IrineSistiana/simple-tls-android). 
+simple-tls-android 是 [shadowsocks-android](https://github.com/shadowsocks/shadowsocks-android) 的GUI插件,需要先下载 shadowsocks-android。simple-tls-android 同样是开源软件,源代码在 [这里](https://github.com/IrineSistiana/simple-tls-android) 。 -
Screenshot +
屏幕截图
-![screenshot](/assets/simple-tls-android-screenshot.jpg) +![截屏](/assets/simple-tls-android-screenshot.jpg)
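Review bot: the new `-no-verify` entry ("客户端将不会验证服务端的证书。") drops the man-in-the-middle caveat that the removed "如何无证书时启动服务端" section carried ("不建议，因为有潜在MITM攻击风险"), and the new server comment ("-cert 和 -key 可以同时留空,会生成一个临时证书") no longer says how a client is expected to trust that in-memory certificate; the old text required importing it via `-ca`/`-cca`. As written, `-no-verify` is the only documented way to reach a server started without `-cert`/`-key`, so the warning matters more, not less. Suggest keeping one line under `-no-verify` (e.g. "不建议使用，有中间人攻击风险") and stating under the temporary-certificate comment whether it is meant for testing only or how the client should pin it. Two smaller points: the "如何构建" section (go 1.14, `go build`) is removed from both the TOC and the body with no replacement, and "Subject Alternate Name" should read "Subject Alternative Name".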
diff --git a/README_en.md b/README_en.md new file mode 100644 index 0000000..92142c3 --- /dev/null +++ b/README_en.md 
@@ -0,0 +1,96 @@ +# simple-tls + +[中文](README.md) [English](README_en.md) + +--- + +- [simple-tls](#simple-tls) + - [Usage](#usage) + - [SIP003 mode](#sip003-mode) + - [Android](#android) + +## Usage + +```text + client bind addr server bind addr + | | +|client|-->|simple-tls client|--TLS1.3-->|simple-tls server|-->|final destination| + | | + client dst addr server dst addr + +# Common arguments + -b string + [Host:Port] bind addr. + -d string + [Host:Port] destination addr. + -auth string + Authentication password. (Optional. The client and server must be the same. Only used to filter scan traffic.) + +# Client arguments +# e.g. simple-tls -b 127.0.0.1:1080 -d your_server_ip:1080 -n your.server.name + + -mux int + The maximum number of multiplexed connections in a single TCP connection. (Default 0 disables mux) + -n string + Server certificate name. + -no-verify + Client won't verify the server's certificate chain and host name. + -ca string + Load a CA file from path. + e.g. -ca ./path/to/my.ca.cert + -cca string + Load a base64 encoded (e.g. base64 -w 0 ./my.cert) PEM CA certificate from string. + e.g. -cca VkRJW...4eGdFbz0K== + +# Server arguments +# e.g. simple-tls -b 0.0.0.0:1080 -d 127.0.0.1:12345 -s -key /path/to/your/key -cert /path/to/your/cert +# -cert and -key can be left blank, a temporary certificate will be generated. The Subject Alternate Name of the certificate is taken from the `-n` parameter. +# e.g. simple-tls -b 0.0.0.0:1080 -d 127.0.0.1:12345 -s -n my.test.domain + + -s + (Required) Run as a server. + -cert string + PEM certificate file path. + -key string + PEM key file path. + +# Other geek's arguments + + -cpu int + The maximum number of CPUs to simultaneously use. + -fast-open + Enable TCP-Fast-Open. Only available on Linux kernel 4.11+. + -t int + Idle timeout in seconds (default to 300). + +# Helper commands + + -gen-cert + Quickly generate an ECC certificate with Subject Alternate Name taken from the `-n` parameter. + e.g. 
simple-tls -gen-cert -n my.test.domain + -v + Print out version information of the current binary. +``` + +## SIP003 mode + +Complies with Shadowsocks [SIP003](https://shadowsocks.org/en/wiki/Plugin.html) plugin protocol. Shadowsocks will automatically set `-d` and `-b` parameters, no need to set those manually. + +```shell +ss-server -c config.json --plugin simple-tls --plugin-opts "s;key=/path/to/your/key;cert=/path/to/your/cert" +ss-local -c config.json --plugin simple-tls --plugin-opts "n=your.server.certificates.dnsname" +``` + +## Android + +simple-tls-android is a GUI plugin for [shadowsocks-android](https://github.com/shadowsocks/shadowsocks-android). You need to download and install shadowsocks-android first. It's also an open source software. Source code is available [here](https://github.com/IrineSistiana/simple-tls-android). + +
Screenshot + +
+ +![screenshot](/assets/simple-tls-android-screenshot.jpg) + +
+ +--- diff --git a/README_zh.md b/README_zh.md deleted file mode 100644 index 4a1c34d..0000000 --- a/README_zh.md +++ /dev/null 
@@ -1,131 +0,0 @@ -# simple-tls - -[中文](README_zh.md) [English](README.md) - ---- - -可能是最简单的TLS插件。它可以: - -- 使用真正的TLS1.3协议来保护并混淆连接。 -- 支持SIP003插件协议。可用于shadowsocks-android。 -- 时序填充:在合适的时刻发送随机填充数据包,改变连接的时序特征。(可选,目前处于实验阶段) [时序填充说明](https://github.com/IrineSistiana/simple-tls/wiki/%E6%97%B6%E5%BA%8F%E5%A1%AB%E5%85%85(pd)%E6%A8%A1%E5%BC%8F) - ---- - -- [simple-tls](#simple-tls) - - [如何构建](#如何构建) - - [参数](#参数) - - [独立模式](#独立模式) - - [SIP003模式](#sip003模式) - - [如何无证书时启动服务端](#如何无证书时启动服务端) - - [客户端如何导入CA证书](#客户端如何导入ca证书) - - [Android](#android) - -## 如何构建 - -需要go 1.14及以上版本。 - - go build - -## 参数 - - 客户端监听地址 服务端监听地址 - | | - |客户端|-->|simple-tls 客户端|--TLS1.3-->|simple-tls 服务端|-->|最终目的地| - | | - 客户端目的地地址 服务端目的地地址 - - # 通用参数 - -b string - [Host:Port] 监听地址 - -d string - [Host:Port] 目的地地址 - - # 传输模式 (客户端和服务端需保持一致) - -pd - 启用填充数据模式,服务端会发送填充数据来对抗流量分析。 - - # 客户端参数 - -n string - 服务器证书名 - -no-verify - 客户端将不会验证服务端的证书。 - -ca string - 加载PEM CA证书文件 - -cca string - 加载base64编码的PEM CA证书 - - # 服务端参数 - -s - 以服务端运行 - -cert string - PEM 证书路径 - -key string - PEM 密钥路径 - - # 其他参数 - -cpu int - 最多使用的cpu数 - -fast-open - 启用TCP快速开启,仅支持Linux内核4.11+ - -t int - 空闲超时,以秒记 (默认300) - - # 命令 - -gen-cert - 快速生成一个ECC证书 - -v - 显示目前程序版本 - -## 独立模式 - - # server - simple-tls -b 0.0.0.0:1080 -d 127.0.0.1:12345 -s -key /path/to/your/key -cert /path/to/your/cert - - # client - simple-tls -b 127.0.0.1:1080 -d your_server_ip:1080 -n your.server.certificates.dnsname - -## SIP003模式 - -支持[SIP003](https://shadowsocks.org/en/wiki/Plugin.html)插件协议。Shadowsocks会自动设置`-d`和`-b`参数,无需手动设置。 - -以[shadowsocks-libev](https://github.com/shadowsocks/shadowsocks-libev)为例: - - ss-server -c config.json --plugin simple-tls --plugin-opts "s;key=/path/to/your/key;cert=/path/to/your/cert" - ss-local -c config.json --plugin simple-tls --plugin-opts "n=your.server.certificates.dnsname" - -## 如何无证书时启动服务端 - -可以用`-gen-cert`命令快速生成一个[ECC证书](https://zhuanlan.zhihu.com/p/57710573)。 - - simple-tls -gen-cert -n certificate.dnsname -key ./my_ecc_cert.key -cert 
./my_ecc_cert.cert - -或者`-key`和`-cert`留空,直接启动服务端。服务端会生成一个仅保存在内存中的临时证书。 - -**请注意:** 这种情况下,客户端需要导入生成的证书作为CA。见下。或者使用`-no-verify`禁用证书验证。不建议,因为有潜在MITM攻击风险。 - -## 客户端如何导入CA证书 - -可以用`-cca`或`-ca`导入一个证书或证书包(ca-bundle)作为CA。 - -`-ca`接受一个路径。 - - simple-tls ... ... -ca ./path/to/my.ca.cert - -`-cca`接受一个经base64编码的证书。 - - simple-tls ... ... -cca VkRJWkpCK1R1c3h...4eGdFbz0K== - -## Android - -simple-tls-android是[shadowsocks-android](https://github.com/shadowsocks/shadowsocks-android)的GUI插件,需要先下载shadowsocks-android。simple-tls-android同样是开源软件,源代码在[这里](https://github.com/IrineSistiana/simple-tls-android)。 - -
屏幕截图 - -
- -![截屏](/assets/simple-tls-android-screenshot.jpg) - -
- ---- diff --git a/assets/simple-tls-android-screenshot.jpg b/assets/simple-tls-android-screenshot.jpg index 822b053..ccc0859 100644 Binary files a/assets/simple-tls-android-screenshot.jpg and b/assets/simple-tls-android-screenshot.jpg differ