[GH-ISSUE #2489] tls-only is always true if tls_trusted_ca_file is set #1977

Closed
opened 2026-05-05 13:16:27 -06:00 by gitea-mirror · 3 comments
Owner

Originally created by @trananhtuan on GitHub (Jul 21, 2021).
Original GitHub issue: https://github.com/fatedier/frp/issues/2489

[REQUIRED] What version of frp are you using

Version: 0.37.0

[REQUIRED] What operating system and processor architecture are you using
OS: Windows, Linux
CPU architecture: x86

[REQUIRED] description of errors
If tls_trusted_ca_file is set, the server rejects non-TLS connections despite both tls_only and tls_enable being set to false.

I want TLS to be optional. When setting tls_enable = true and tls_only = false in frps.ini, the client should be able to connect with tls_enable either true or false.

config file

server:

[common]
bind_addr = 0.0.0.0
bind_port = 7000
vhost_http_port = 8080
log_level = trace

tls_only = false

tls_enable = false
#tls_cert_file = certs-local/server.crt
#tls_key_file = certs-local/server.key
tls_trusted_ca_file = certs-local/ca.crt

client:

[common]
server_addr = 127.0.0.1
server_port = 7000
log_level = debug
protocol = tcp

tls_enable = false

[web]
type = http
local_ip = 127.0.0.1
local_port = 80
custom_domains = localhost

log file

server:

D:\frp_0.37.0_windows_amd64>frps -c frps.ini
2021/07/21 11:13:28 [I] [root.go:200] frps uses config file: frps.ini
2021/07/21 11:13:28 [I] [service.go:192] frps tcp listen on 0.0.0.0:7000
2021/07/21 11:13:28 [I] [service.go:235] http service listen on 0.0.0.0:8080
2021/07/21 11:13:28 [I] [root.go:209] frps started successfully
2021/07/21 11:13:32 [T] [service.go:396] start check TLS connection...
2021/07/21 11:13:32 [W] [service.go:400] CheckAndEnableTLSServerConnWithTimeout error: non-TLS connection received on a TlsOnly server

client:

D:\frp_0.37.0_windows_amd64>frpc -c frpc.ini
2021/07/21 11:17:58 [W] [service.go:104] login to server failed: EOF
EOF

Steps to reproduce the issue

  1. In frps.ini: set tls_trusted_ca_file value. Set tls_only and tls_enable to false.
  2. In frpc.ini set tls_enable: false.
  3. Start server and client. Server will reject non-TLS connections.

Supplementary information

Can you guess what caused this issue

Checklist:

  • I included all information required in the sections above
  • I made sure there are no duplicates of this report (Use Search)
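The report comes down to one decision point on the server: after a peer connects, does the listener treat it as TLS, as plaintext, or refuse it? The following Go program is an added illustration of that decision and is not frp's own code; `Policy`, `Admit`, `Sniff` and `Exercise` are constructed names, and the program does not claim to reproduce frp's internal check. It peeks the first byte of the connection (a TLS ClientHello always begins with the handshake record type 0x16) under a read deadline, then applies a policy with the two switches the issue discusses. With TLS enabled but not TLS-only it admits both kinds of peer, which is the "optional TLS" behaviour the reporter expected; with TLS-only it fails plaintext peers with the same wording as the frps log line above. The connections are in-memory (`net.Pipe`) so it runs offline.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"net"
	"time"
)

// Policy models the two frps settings the issue is about. Constructed for this
// example; it is not frp's own configuration type.
type Policy struct {
	TLSEnable bool // serve TLS when the peer offers it
	TLSOnly   bool // additionally refuse peers that do not offer TLS
}

// tlsHandshakeRecord is the TLS record-layer content type for handshake
// records; every TLS ClientHello starts with this byte (RFC 8446, section 5.1).
const tlsHandshakeRecord byte = 0x16

// ErrNonTLSOnTLSOnly reuses the wording of the frps log line in the report.
var ErrNonTLSOnTLSOnly = errors.New("non-TLS connection received on a TlsOnly server")

// ErrTLSNotEnabled is the mirror case: a TLS peer on a server with TLS off.
var ErrTLSNotEnabled = errors.New("TLS handshake received but TLS is not enabled")

// Admit applies the policy to the first byte the peer sent. With
// TLSEnable=true and TLSOnly=false it accepts both kinds of peer, which is the
// "TLS optional" behaviour the reporter asked for.
func Admit(p Policy, firstByte byte) (isTLS bool, err error) {
	isTLS = firstByte == tlsHandshakeRecord
	switch {
	case isTLS && !p.TLSEnable:
		return isTLS, ErrTLSNotEnabled
	case !isTLS && p.TLSOnly:
		return isTLS, ErrNonTLSOnTLSOnly
	}
	return isTLS, nil
}

// Sniff peeks at the first byte under a read deadline, so a peer that connects
// and stays silent cannot tie up the acceptor, then hands back a reader that
// still holds that byte for whichever handler (TLS or plaintext) runs next.
func Sniff(conn net.Conn, p Policy, timeout time.Duration) (*bufio.Reader, bool, error) {
	if err := conn.SetReadDeadline(time.Now().Add(timeout)); err != nil {
		return nil, false, err
	}
	defer conn.SetReadDeadline(time.Time{}) // clear the deadline for the handler
	r := bufio.NewReader(conn)
	b, err := r.Peek(1)
	if err != nil {
		return nil, false, fmt.Errorf("peek first byte: %w", err)
	}
	isTLS, err := Admit(p, b[0])
	return r, isTLS, err
}

// Exercise runs one in-memory connection (net.Pipe, so the example is offline)
// whose client sends firstByte, and returns the server-side decision.
func Exercise(p Policy, firstByte byte) (bool, error) {
	server, client := net.Pipe()
	defer server.Close()
	go func() {
		client.Write([]byte{firstByte}) // net.Pipe: blocks until the server reads it
		client.Close()
	}()
	_, isTLS, err := Sniff(server, p, time.Second)
	return isTLS, err
}

func main() {
	optional := Policy{TLSEnable: true, TLSOnly: false}
	strict := Policy{TLSEnable: true, TLSOnly: true}
	for _, c := range []struct {
		name string
		p    Policy
		b    byte
	}{
		{"optional, TLS peer", optional, tlsHandshakeRecord},
		{"optional, plaintext peer", optional, 'G'}, // constructed: first byte of "GET"
		{"strict, TLS peer", strict, tlsHandshakeRecord},
		{"strict, plaintext peer", strict, 'G'},
	} {
		isTLS, err := Exercise(c.p, c.b)
		fmt.Printf("%-26s tls=%-5v err=%v\n", c.name, isTLS, err)
	}
}
```

The design point for a defender is that "optional TLS" is only safe when the two policies are kept distinct in configuration and in logs: a listener that silently promotes any TLS material (a CA file, a certificate) into TLS-only behaviour, as the report describes, fails closed, which is the safer failure, but it also makes plaintext clients fail with an opaque `EOF` on the client side, so the server log line is the only place the real cause is visible.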
gitea-mirror 2026-05-05 13:16:27 -06:00
Author
Owner

@fatedier commented on GitHub (Jul 21, 2021):

It's designed to be used in this way.

We added tls_only for compatibility reasons and it may be removed in a future release. If you enable TLS, it will reject all non-TLS connections.

Author
Owner

@trananhtuan commented on GitHub (Jul 21, 2021):

But why? TLS is cool, but certificate management is a burden, and performance might be an issue. I would rather enable TLS only for plain HTTP traffic and leave everything else unencrypted. This way I can use nginx with certificates to further protect traffic served from the vhost.

Author
Owner

@github-actions[bot] commented on GitHub (Aug 21, 2021):

Issues go stale after 30d of inactivity. Stale issues rot after an additional 7d of inactivity and eventually close.
