Skip to content

Fix Hysteria2/QUIC ALPN negotiation failure with ACME#4213

Open
BioniCosmos wants to merge 110 commits into
SagerNet:testingfrom
BioniCosmos:testing
Open

Fix Hysteria2/QUIC ALPN negotiation failure with ACME#4213
BioniCosmos wants to merge 110 commits into
SagerNet:testingfrom
BioniCosmos:testing

Conversation

@BioniCosmos

@BioniCosmos BioniCosmos commented Jun 13, 2026
edited
Loading

Copy link
Copy Markdown

Hysteria2 inbounds using ACME with the default TLS-ALPN-01 challenge fail the QUIC handshake with CRYPTO_ERROR 0x178 (remote): tls: no application protocol in client side. Manually specifying certificate_path/key_path, or using a DNS-01 solver, works around the issue.

The key is: NextProtos could be reused in multiple stages. However, the current implemention failed to strip the ALPN settings used in the ACME stage, causing issue in the following communication.

sing-box/transport/v2rayquic/server.go

Lines 40 to 42 in 8247670

if len(tlsConfig.NextProtos()) == 0 {
tlsConfig.SetNextProtos([]string{http3.NextProtoH3})
}

Related issues

#3389

Tested working in v1.13.12.

nekohasekai added 30 commits June 8, 2026 08:51
@nekohasekai
Add MAC and hostname rule items
179d081
@nekohasekai
Add Android support for MAC and hostname rule items
3da3820
@nekohasekai
Add macOS support for MAC and hostname rule items
85b0c78
@nekohasekai
documentation: Update descriptions for neighbor rules
880d753
@nekohasekai
Refactor ACME support to certificate provider
2c01a63
@nekohasekai
Add BBR profile and hop interval randomization for Hysteria2
d37626e
@nekohasekai
platform: Add OOM Report & Crash Report
d4cd859
@nekohasekai
Also enable certificate store by default on Apple platforms
158cdc0 
`SecTrustEvaluateWithError` is serial
@nekohasekai
Add evaluate DNS rule action and related rule items
9a3dcca
@nekohasekai
platform: Fix set local
ea8bf34
@nekohasekai
Fix deprecated warning double-formatting on localized clients
e5a57a3
@nekohasekai
oom-killer: Free memory on pressure notification and use gradual inte…
2d20363 
…rval backoff
@nekohasekai
tools: Network Quality & STUN
fe83054
@nekohasekai
platform: Fix darwin signal handler
d0c6a43
@nekohasekai
tools: Tailscale status
953981a
@nekohasekai
Revert "Also enable certificate store by default on Apple platforms"
6b18967 
This reverts commit 62cb06c.
@nekohasekai
Fix rules lock
286f99f
@nekohasekai
Fix darwin local DNS transport
fa3d6de
@nekohasekai
tools: Tailscale status
863d67b
@nekohasekai
Un-deprecate ip_accept_any DNS rule item
5e02c70
@nekohasekai
documentation: Fixes
849cdb6
@nekohasekai
Add package_name_regex route, DNS and headless rule item
d70d15f
@nekohasekai
platform: Wrap command RPC error returns with E.Cause
9a04600
@nekohasekai
Fix lint errors
99a28b9
@nekohasekai
Add cloudflared inbound
d1ac250
@nekohasekai
documentation: Fix missing update for ip_version and query_type
adeea0f
@nekohasekai
Fix stun test
6bb84ab
@nekohasekai
Fix darwin cgo DNS again
df5a3e5
@nekohasekai
Fix tailscale error
d16cb4c
@nekohasekai
Add optimistic DNS cache
0525f6c
nekohasekai and others added 18 commits June 8, 2026 08:51
@nekohasekai
tailssh: fix platform SFTP session teardown
4bf449a
@nekohasekai
platform: Add tailscale device name and logout
dc110f5
@nekohasekai
Fix crash on Apple platforms caused by concurrent libresolv calls
6b490f5
@nekohasekai
Bump version
8a42af3
@nekohasekai
platform: Add shell support for iOS
992b1bb
@nekohasekai
daemon: Split host operations into ManagedService
bb3de82
@nekohasekai
Add sing-box API service
9db1cc5
@nekohasekai
tailscale: Fix auth URL not refreshed after logout
eb61380
@nekohasekai
Update Go to 1.25.11
f93c441
@nekohasekai
Bump version
fa34e6c
@nekohasekai
Fix group status updates broken by API service
0298b2f 
The URL test history update hook and the Clash mode update hook were
single-slot: the API service's attached service overwrote the hook set
by the daemon, so clients stopped receiving group updates. Replace both
with multicast hook lists.

Also share a single URL test history storage via context: Clash API
looked it up under a key nobody registered and fell back to its own
empty storage, so dashboards showed no delay once an API service was
configured. Selector changes now notify through the shared storage,
covering selections made from any API surface.
@nekohasekai
release: Fix apple release
a275890
@nekohasekai
dns: Remove unused files
f7779cc
@nekohasekai
Improve remote rule-set update
c688b61
@nekohasekai
Bump version
fc25ced
@nekohasekai
documentation: Fix release message
326615d
@nekohasekai
Add dashboard support for API service
8247670
@BioniCosmos
Fix TLS ALPN when using ACME
62a3573
@nekohasekai nekohasekai force-pushed the testing branch 10 times, most recently from f7ca395 to f27d0e3 Compare June 21, 2026 04:16
@nekohasekai nekohasekai force-pushed the testing branch 2 times, most recently from 22fe3b6 to b2d51f6 Compare June 29, 2026 03:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@BioniCosmos @nekohasekai @macronut