[Bug] Mihomo core darwin-amd64-compatible v1.19.1 & alpha-1c5f4a3 cause SSL_ERROR_SYSCALL with remote SS TFO proxies. #1768

Open
9 tasks done
lxp0gb opened this issue Jan 3, 2025 · 3 comments
Labels
bug Something isn't working

Comments

@lxp0gb

lxp0gb commented Jan 3, 2025

Verify steps

  • I have read the documentation and understand the meaning of all the configuration items I have written, rather than just piling up seemingly useful options or default values.
  • I have carefully reviewed the documentation and have not resolved the issue.
  • I have searched the Issue Tracker for the issue I want to raise and did not find it.
  • I am a non-Chinese user.
  • I have tested with the latest Alpha branch version, and the issue still persists.
  • I have provided the server and client configuration files and processes that can reproduce the issue locally, rather than a sanitized complex client configuration file.
  • I provided the simplest configuration that can be used to reproduce the errors in my report, rather than relying on remote servers or piling on a lot of unnecessary configurations for reproduction.
  • I have provided complete logs, rather than just the parts I think are useful out of confidence in my own intelligence.
  • I have directly reproduced the error using the Mihomo command-line program, rather than using other tools or scripts.

Operating System

MacOS

System Version

15.2

Mihomo Version

Mihomo Meta v1.19.1 darwin amd64 with go1.23.4 Tue Dec 31 16:29:23 UTC 2024
Mihomo Meta alpha-1c5f4a3 darwin amd64 with go1.23.4 Fri Jan 3 04:23:20 UTC 2025

Configuration File

# config.yaml
mixed-port: 2025
log-level: debug
ipv6: false
proxies:
# replace sensitive info for server, port and password with my_server, my_port, my_password
  - { name: s1, type: ss, server: my_server, port: my_port, cipher: aes-128-gcm, password: 'my_password', tfo: true }
rules:
  - MATCH,s1

Description

This is not the same issue of #1739
On macOS, testing Mihomo core v1.19.1 and alpha-1c5f4a3 against some remote SS nodes with a TFO-enabled configuration gives SSL_ERROR_SYSCALL; testing Mihomo core v1.11.1 with the same configuration shows no such issue. Testing Mihomo core v1.19.1 and alpha-1c5f4a3 on the mihomo-linux-amd64-compatible platform with the same configuration is also OK.

curl -x socks5h://127.0.0.1:2025 -v https://www.baidu.com

*   Trying 127.0.0.1:2025...
* Connected to 127.0.0.1 (127.0.0.1) port 2025
* SOCKS5 connect to www.baidu.com:443 (remotely resolved)
* SOCKS5 request granted.
* Connected to 127.0.0.1 (127.0.0.1) port 2025
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.baidu.com:443
* Closing connection
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.baidu.com:443

Expected:

*   Trying 127.0.0.1:2025...
* Connected to 127.0.0.1 (127.0.0.1) port 2025
* SOCKS5 connect to www.baidu.com:443 (remotely resolved)
* SOCKS5 request granted.
* Connected to 127.0.0.1 (127.0.0.1) port 2025
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256 / [blank] / UNDEF
* ALPN: server accepted http/1.1
* Server certificate:
*  subject: C=CN; ST=beijing; L=beijing; O=Beijing Baidu Netcom Science Technology Co., Ltd; CN=baidu.com
*  start date: Jul  8 01:41:02 2024 GMT
*  expire date: Aug  9 01:41:01 2025 GMT
*  subjectAltName: host "www.baidu.com" matched cert's "*.baidu.com"
*  issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign RSA OV SSL CA 2018
*  SSL certificate verify ok.

Reproduction Steps

mihomo_core -f config.yaml
curl -x socks5h://127.0.0.1:2025 -v https://www.baidu.com

This issue cannot be reproduced with a local SS server with TFO enabled, nor with some remote SS TFO servers, but it happens with 20+ SS TFO servers. I can provide one of them privately for reproducing the symptoms instead of posting it publicly.

Logs

# v1.19.1
INFO[2025-01-03T16:55:30.267257000+08:00] Start initial configuration in progress      
INFO[2025-01-03T16:55:30.269449000+08:00] Geodata Loader mode: memconservative         
INFO[2025-01-03T16:55:30.269560000+08:00] Geosite Matcher implementation: succinct     
INFO[2025-01-03T16:55:30.269986000+08:00] Initial configuration complete, total time: 2ms 
INFO[2025-01-03T16:55:30.274890000+08:00] Sniffer is closed                            
INFO[2025-01-03T16:55:30.275273000+08:00] Mixed(http+socks) proxy listening at: 127.0.0.1:2025 
INFO[2025-01-03T16:55:30.276670000+08:00] Start initial Compatible provider default    
DEBU[2025-01-03T16:55:35.991684000+08:00] [Rule] use default rules                     
DEBU[2025-01-03T16:55:35.992254000+08:00] [DNS] system dns update to [xxxx:xxxx:xxxx:xxxx:xxxx%en0 192.168.31.1] 
DEBU[2025-01-03T16:55:35.992298000+08:00] [DNS] resolve xxx.xxx.xxx A from system(udp://[xxxx:xxxx:xxxx:xxxx:xxxx%en0]:53,udp://192.168.31.1:53) 
DEBU[2025-01-03T16:55:35.992335000+08:00] [DNS] resolve xxx.xxx.xxx A from udp://192.168.31.1:53 
DEBU[2025-01-03T16:55:35.992476000+08:00] [DNS] resolve xxx.xxx.xxx A from udp://[xxxx:xxxx:xxxx:xxxx:xxxx%en0]:53 
DEBU[2025-01-03T16:55:36.002327000+08:00] [DNS] xxx.xxx.xxx --> [xxx.xxx.xxx.xxx] A from udp://192.168.31.1:53 
DEBU[2025-01-03T16:55:36.002407000+08:00] [DNS] xxx.xxx.xxx --> [xxx.xxx.xxx.xxx] A from system(udp://[xxxx:xxxx:xxxx:xxxx:xxxx%en0]:53,udp://192.168.31.1:53) 
WARN[2025-01-03T16:55:41.004101000+08:00] [TCP] dial s1 (match Match/) 127.0.0.1:54367 --> www.baidu.com:443 error: dial tcp xxx.xxx.xxx.xxx:xxx: i/o timeout

# alpha-1c5f4a3
INFO[2025-01-03T17:03:12.917552000+08:00] Start initial configuration in progress      
INFO[2025-01-03T17:03:12.921104000+08:00] Geodata Loader mode: memconservative         
INFO[2025-01-03T17:03:12.921165000+08:00] Geosite Matcher implementation: succinct     
INFO[2025-01-03T17:03:12.921891000+08:00] Initial configuration complete, total time: 4ms 
INFO[2025-01-03T17:03:12.933390000+08:00] Sniffer is closed                            
INFO[2025-01-03T17:03:12.935555000+08:00] Mixed(http+socks) proxy listening at: 127.0.0.1:2025 
INFO[2025-01-03T17:03:12.941582000+08:00] Start initial Compatible provider default    
DEBU[2025-01-03T17:03:20.011664000+08:00] [Rule] use default rules                     
DEBU[2025-01-03T17:03:20.015542000+08:00] [DNS] system dns update to [xxxx:xxxx:xxxx:xxxx:xxxx%en0 192.168.31.1] 
DEBU[2025-01-03T17:03:20.016021000+08:00] [DNS] resolve xxx.xxx.xxx A from system(udp://[xxxx:xxxx:xxxx:xxxx:xxxx%en0]:53,udp://192.168.31.1:53) 
DEBU[2025-01-03T17:03:20.016094000+08:00] [DNS] resolve xxx.xxx.xxx A from udp://[xxxx:xxxx:xxxx:xxxx:xxxx%en0]:53 
DEBU[2025-01-03T17:03:20.016263000+08:00] [DNS] resolve xxx.xxx.xxx A from udp://192.168.31.1:53 
DEBU[2025-01-03T17:03:20.025158000+08:00] [DNS] xxx.xxx.xxx --> [xxx.xxx.xxx.xxx] A from udp://192.168.31.1:53 
DEBU[2025-01-03T17:03:20.025225000+08:00] [DNS] xxx.xxx.xxx --> [xxx.xxx.xxx.xxx] A from system(udp://[xxxx:xxxx:xxxx:xxxx:xxxx%en0]:53,udp://192.168.31.1:53) 
WARN[2025-01-03T17:03:25.025549000+08:00] [TCP] dial s1 (match Match/) 127.0.0.1:54413 --> www.baidu.com:443 error: dial tcp xxx.xxx.xxx.xxx:xxx: i/o timeout
@lxp0gb lxp0gb added the bug Something isn't working label Jan 3, 2025
@xishang0128
Contributor

xishang0128 commented Jan 4, 2025

TCP Fast Open may be blocked by intermediate routers. Please ensure that your link fully supports TFO

In addition, the old version does not support tfo, so it connects normally

@lxp0gb
Author

lxp0gb commented Jan 4, 2025

> TCP Fast Open may be blocked by intermediate routers. Please ensure that your link fully supports TFO
>
> In addition, the old version does not support tfo, so it connects normally

In the same network environment, I use the latest version of cmfa (Android) and that old version of the mihomo core (macOS) with the same configuration, and they work fine, but when I switch to the current version of the core, it shows an i/o timeout. Since the old version has no support for tfo, if the latest version of cmfa doesn't support tfo either, then I cannot prove this link fully supports tfo.

@lxp0gb
Author

lxp0gb commented Jan 5, 2025

I figured out a way to prove the link fully supports tfo. I used UTM on this macOS machine to create a Linux VM to run the test.

localhost:~# ./mihomo-linux-amd64-compatible-v1.19.1 -v
Mihomo Meta v1.19.1 linux amd64 with go1.23.4 Tue Dec 31 16:58:27 UTC 2024
Use tags: with_gvisor
localhost:~# curl -x socks5h://127.0.0.1:2025 -v https://www.baidu.com
*   Trying 127.0.0.1:2025...
* SOCKS5 connect to www.baidu.com:443 (remotely resolved)
* SOCKS5 request granted.
* Connected to 127.0.0.1 () port 2025
* using HTTP/1.x
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256 / secp256r1 / RSASSA-PSS
* ALPN: server accepted http/1.1
* Server certificate:
*  subject: C=CN; ST=beijing; L=beijing; O=Beijing Baidu Netcom Science Technology Co., Ltd; CN=baidu.com
*  start date: Jul  8 01:41:02 2024 GMT
*  expire date: Aug  9 01:41:01 2025 GMT
*  subjectAltName: host "www.baidu.com" matched cert's "*.baidu.com"
*  issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign RSA OV SSL CA 2018
*  SSL certificate verify ok. 
...

localhost:~# ./mihomo-linux-amd64-compatible-alpha-1c5f4a3 -v
Mihomo Meta alpha-1c5f4a3 linux amd64 with go1.23.4 Fri Jan  3 04:23:56 UTC 2025
Use tags: with_gvisor
localhost:~# curl -x socks5h://127.0.0.1:2025 -v https://www.baidu.com
*   Trying 127.0.0.1:2025...
* SOCKS5 connect to www.baidu.com:443 (remotely resolved)
* SOCKS5 request granted.
* Connected to 127.0.0.1 () port 2025
* using HTTP/1.x
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256 / secp256r1 / RSASSA-PSS
* ALPN: server accepted http/1.1
* Server certificate:
*  subject: C=CN; ST=beijing; L=beijing; O=Beijing Baidu Netcom Science Technology Co., Ltd; CN=baidu.com
*  start date: Jul  8 01:41:02 2024 GMT
*  expire date: Aug  9 01:41:01 2025 GMT
*  subjectAltName: host "www.baidu.com" matched cert's "*.baidu.com"
*  issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign RSA OV SSL CA 2018
*  SSL certificate verify ok.
...
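
The comparison the two comments above describe (plain TCP versus TFO to the same server, on Linux, where the author's VM test shows TFO working) can be scripted so that a path that drops TFO SYNs is identified before `tfo: true` goes into a config. The program below is an added example, not code from Mihomo or from anyone in this thread. It uses the Linux `TCP_FASTOPEN_CONNECT` socket option through `net.Dialer.Control`; the numeric value 30 is assumed from the Linux ABI because Go's `syscall` package does not name it. It is Linux-only, as macOS implements client TFO with connectx(2), which Go's standard library does not expose. Each attempt records the phase it reached (dial, write, read) because the failure moves: without a cached cookie the first TFO dial sends a SYN with only a cookie request, so a middlebox that drops SYNs with the TFO option produces a dial timeout (as in the logs above); once a cookie is cached, connect(2) returns immediately and the payload rides in the SYN, so a dropped SYN then shows up as a read timeout. The probe payload is a constructed HTTP HEAD request, which a web server on port 80 answers; a Shadowsocks port will not answer plaintext, so only the dial phase is informative there.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"os"
	"syscall"
	"time"
)

// TCP_FASTOPEN_CONNECT (Linux >= 4.11) defers connect(2) so the first write can
// ride in the SYN. Value assumed from the Linux ABI; syscall has no name for it.
const tcpFastOpenConnect = 30

// attempt records how far one probe got: the step that failed, or "done".
type attempt struct {
	Phase string // "dial", "write", "read" or "done"
	Err   error  // nil when Phase == "done"
}

var phaseRank = map[string]int{"dial": 0, "write": 1, "read": 2, "done": 3}

// setTFO is a net.Dialer.Control hook: mark the socket for deferred-connect
// Fast Open before connect(2) runs.
func setTFO(network, address string, c syscall.RawConn) error {
	var serr error
	if err := c.Control(func(fd uintptr) {
		serr = syscall.SetsockoptInt(int(fd), syscall.IPPROTO_TCP, tcpFastOpenConnect, 1)
	}); err != nil {
		return err
	}
	return serr
}

// probe dials addr, writes payload and waits for the first reply bytes,
// reporting the phase at which the attempt stopped.
func probe(addr string, payload []byte, tfo bool, timeout time.Duration) attempt {
	a := attempt{Phase: "dial"}
	d := &net.Dialer{Timeout: timeout}
	if tfo {
		d.Control = setTFO
	}
	conn, err := d.Dial("tcp4", addr)
	if err != nil {
		a.Err = err
		return a
	}
	defer conn.Close()
	_ = conn.SetDeadline(time.Now().Add(timeout))
	a.Phase = "write"
	if _, err = conn.Write(payload); err != nil {
		a.Err = err
		return a
	}
	a.Phase = "read"
	if _, err = conn.Read(make([]byte, 512)); err != nil {
		a.Err = err
		return a
	}
	a.Phase = "done"
	return a
}

// recommendTFO compares a plain and a TFO attempt and says whether tfo: true is
// safe on this path, and why. Plain must at least complete the handshake.
func recommendTFO(plain, tfo attempt) (bool, string) {
	var ne net.Error
	timedOut := errors.As(tfo.Err, &ne) && ne.Timeout()
	switch {
	case plain.Phase == "dial":
		return false, fmt.Sprintf("plain TCP dial failed too (%v): not a TFO problem", plain.Err)
	case phaseRank[tfo.Phase] >= phaseRank[plain.Phase]:
		return true, "TFO got as far as plain TCP: no TFO-specific failure on this path"
	case timedOut:
		return false, fmt.Sprintf("TFO stalled at %s where plain TCP went further: the SYN carrying the TFO option/data is probably dropped on the path; set tfo: false", tfo.Phase)
	default:
		return false, fmt.Sprintf("TFO failed at %s with %v; set tfo: false", tfo.Phase, tfo.Err)
	}
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: tfoprobe host:port")
		os.Exit(2)
	}
	addr := os.Args[1]
	// Constructed payload: a web server on :80 answers it, so the read phase is observable.
	payload := []byte("HEAD / HTTP/1.0\r\n\r\n")
	const timeout = 5 * time.Second
	plain := probe(addr, payload, false, timeout)
	// The first TFO dial to a host only requests a cookie; the second can carry
	// the payload in the SYN, so the second one is the one to judge.
	_ = probe(addr, payload, true, timeout)
	tfo := probe(addr, payload, true, timeout)
	fmt.Printf("plain reached %s err=%v\ntfo   reached %s err=%v\n", plain.Phase, plain.Err, tfo.Phase, tfo.Err)
	ok, why := recommendTFO(plain, tfo)
	fmt.Printf("recommendation: tfo: %v (%s)\n", ok, why)
}
```

Run it as `go run tfoprobe.go my_server:80` from the same network as the failing client and from the Linux VM; a `tfo reached dial err=... i/o timeout` line next to `plain reached done` is the signature of a path that drops TFO SYNs, and `recommendTFO` only blames TFO when the TFO attempt got strictly less far than the plain one, so a server that simply ignores the payload (both stop at read) does not produce a false verdict.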
