From fb212905bdeaeac1ba4440453d22fa75bbd0ccd1 Mon Sep 17 00:00:00 2001
From: yuhan6665 <1588741+yuhan6665@users.noreply.github.com>
Date: Thu, 26 Jan 2023 22:43:58 -0500
Subject: [PATCH] XTLS Vision checks outer TLS version (#1554)

---
 proxy/vless/inbound/inbound.go | 4 ++++
 proxy/vless/outbound/outbound.go | 11 +++++++++++
 2 files changed, 15 insertions(+)

diff --git a/proxy/vless/inbound/inbound.go b/proxy/vless/inbound/inbound.go
index 86b09e04..76051288 100644
--- a/proxy/vless/inbound/inbound.go
+++ b/proxy/vless/inbound/inbound.go
@@ -5,6 +5,7 @@ package inbound
 import (
 	"bytes"
 	"context"
+	gotls "crypto/tls"
 	"io"
 	"reflect"
 	"strconv"
@@ -470,6 +471,9 @@ func (h *Handler) Process(ctx context.Context, network net.Network, connection s
 	var t reflect.Type
 	var p uintptr
 	if tlsConn, ok := iConn.(*tls.Conn); ok {
+		if tlsConn.ConnectionState().Version != gotls.VersionTLS13 {
+			return newError(`failed to use ` + requestAddons.Flow + `, found outer tls version `, tlsConn.ConnectionState().Version).AtWarning()
+		}
 		netConn = tlsConn.NetConn()
 		if pc, ok := netConn.(*proxyproto.Conn); ok {
 			netConn = pc.Raw()
diff --git a/proxy/vless/outbound/outbound.go b/proxy/vless/outbound/outbound.go
index c84d5b4c..a4c70a2b 100644
--- a/proxy/vless/outbound/outbound.go
+++ b/proxy/vless/outbound/outbound.go
@@ -5,11 +5,13 @@ package outbound
 import (
 	"bytes"
 	"context"
+	gotls "crypto/tls"
 	"reflect"
 	"syscall"
 	"time"
 	"unsafe"
 
+	utls "github.com/refraction-networking/utls"
 	"github.com/xtls/xray-core/common"
 	"github.com/xtls/xray-core/common/buf"
 	"github.com/xtls/xray-core/common/net"
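Review bot: The version guard added to inbound `Process` calls `tlsConn.ConnectionState()` twice (once for the comparison, again when building the error), and each call takes the connection's handshake mutex and copies the full state struct; evaluate it once with `if state := tlsConn.ConnectionState(); state.Version != gotls.VersionTLS13 {` and use `state.Version` in the `newError(...)` line. `Version` is only meaningful after the handshake has completed — before that it is 0 and this branch would reject every connection with "found outer tls version 0"; on this inbound path the request header carrying `requestAddons.Flow` has presumably already been read over the connection, so the handshake is done, but that is not visible in the hunk and should be confirmed (the mirror check in outbound.go runs before the first write and deserves the same confirmation). The new block has no why-comment; I would add `// Vision requires an outer TLS 1.3 session (#1554); Version is only valid once the handshake has completed.` above the `if`. Process starts and ends outside the hunk.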
@@ -261,6 +263,15 @@ func (h *Handler) Process(ctx context.Context, link *transport.Link, dialer inte
 	var err error
 	if rawConn != nil && requestAddons.Flow == vless.XRV {
+		if tlsConn, ok := iConn.(*tls.Conn); ok {
+			if tlsConn.ConnectionState().Version != gotls.VersionTLS13 {
+				return newError(`failed to use ` + requestAddons.Flow + `, found outer tls version `, tlsConn.ConnectionState().Version).AtWarning()
+			}
+		} else if utlsConn, ok := iConn.(*tls.UConn); ok {
+			if utlsConn.ConnectionState().Version != utls.VersionTLS13 {
+				return newError(`failed to use ` + requestAddons.Flow + `, found outer tls version `, utlsConn.ConnectionState().Version).AtWarning()
+			}
+		}
 		var counter stats.Counter
 		if statConn != nil {
 			counter = statConn.WriteCounter