[GH-ISSUE #5131] transport.tls.force = false not working as expected #4012

Closed
opened 2026-05-05 14:32:59 -06:00 by gitea-mirror · 3 comments

Originally created by @Simon-Blandford-Onepoint on GitHub (Jan 16, 2026).
Original GitHub issue: https://github.com/fatedier/frp/issues/5131

### Bug Description

When transport.tls.force = false in frps.toml, non-TLS connection attempts are not accepted. TLS connections work as expected.

Also, the expected error message, "non-TLS connection received on a TlsOnly server", is not reported on the server when transport.tls.force = true and a non-TLS connection is attempted.

### frpc Version

0.66

### frps Version

0.66

### System Architecture

linux/amd64

### Configurations

FRPS

```
bindPort = 7000

transport.tls.force = false
transport.tls.certFile = "ssl/server.crt"
transport.tls.keyFile = "ssl/server.key"
transport.tls.trustedCaFile = "ssl/ca.crt"
```

FRPC case with TLS

```
serverAddr = "127.0.0.1"
serverPort = 7000

transport.tls.enable = true
transport.tls.certFile = "ssl/client.crt"
transport.tls.keyFile = "ssl/client.key"
transport.tls.trustedCaFile = "ssl/ca.crt"

[[proxies]]
name = "test"
type = "tcp"
localIP = "127.0.0.1"
localPort = 8080
remotePort = 5011
```

FRPC Without TLS

```
serverAddr = "127.0.0.1"
serverPort = 7000

[[proxies]]
name = "test"
type = "tcp"
localIP = "127.0.0.1"
localPort = 8080
remotePort = 5011
```

### Logs

frpc log with TLS enabled on client and on server with force=false...

```
$ frpc -c frpc.toml
2026-01-16 11:29:24.333 [I] [sub/root.go:159] start frpc service for config file [frpc.toml]
2026-01-16 11:29:24.333 [I] [client/service.go:331] try to connect to server...
2026-01-16 11:29:24.338 [I] [client/service.go:323] [69560caece61f030] login to server success, get run id [69560caece61f030]
2026-01-16 11:29:24.338 [I] [proxy/proxy_manager.go:180] [69560caece61f030] proxy added: [test]
2026-01-16 11:29:24.338 [I] [client/control.go:172] [69560caece61f030] [test] start proxy success
```

frps log with TLS enabled on client and on server with force=false...

```
$ frps -c frps.toml
2026-01-16 11:29:08.877 [I] [frps/root.go:115] frps uses config file: frps.toml
2026-01-16 11:29:08.887 [I] [server/service.go:241] frps tcp listen on 0.0.0.0:7000
2026-01-16 11:29:08.887 [I] [frps/root.go:124] frps started successfully
2026-01-16 11:29:24.338 [I] [server/service.go:590] [69560caece61f030] client login info: ip [127.0.0.1:45286] version [0.66.0] hostname [] os [linux] arch [amd64]
2026-01-16 11:29:24.338 [I] [proxy/tcp.go:82] [69560caece61f030] [test] tcp proxy listen port [5011]
2026-01-16 11:29:24.338 [I] [server/control.go:403] [69560caece61f030] new proxy [test] type [tcp] success
```

frpc log with no TLS set up on client and TLS set up on server with force=false...

```
$ frpc -c frpc.toml
2026-01-16 11:32:36.203 [I] [sub/root.go:159] start frpc service for config file [frpc.toml]
2026-01-16 11:32:36.203 [I] [client/service.go:331] try to connect to server...
2026-01-16 11:32:36.206 [W] [client/service.go:334] connect to server error: session shutdown
2026-01-16 11:32:36.206 [I] [sub/root.go:178] frpc service for config file [frpc.toml] stopped
login to the server failed: session shutdown. With loginFailExit enabled, no additional retries will be attempted
```

frps log with no TLS set up on client and TLS set up on server with force=false...

```
$ frps -c frps.toml
2026-01-16 11:32:31.980 [I] [frps/root.go:115] frps uses config file: frps.toml
2026-01-16 11:32:31.989 [I] [server/service.go:241] frps tcp listen on 0.0.0.0:7000
2026-01-16 11:32:31.989 [I] [frps/root.go:124] frps started successfully
```

### Steps to reproduce

  1. Create server and client certificates as per the README.
  2. Configure server to accept TLS but with transport.tls.force = false
  3. Configure client to connect to server using TLS
  4. Start server then client, result = success
  5. Configure client to connect to server without TLS
  6. Start the client again, result = session shutdown

### Affected area

- [ ] Docs
- [ ] Installation
- [ ] Performance and Scalability
- [x] Security
- [x] User Experience
- [ ] Test and Release
- [ ] Developer Infrastructure
- [ ] Client Plugin
- [ ] Server Plugin
- [ ] Extensions
- [ ] Others

@fatedier commented on GitHub (Jan 20, 2026):

https://gofrp.org/en/docs/features/common/network/network-tls/

When transport.tls.force = true in frps.toml, it means the server only accepts TLS connection clients, which is also a prerequisite for frps to verify frpc identity. If the content of transport.tls.trustedCaFile in frps.toml is valid, then transport.tls.force = true will be enabled by default.

Plaintext client compatibility is intended as a temporary migration path only; we may remove plaintext support entirely in the future. If you rely on mixed TLS/plaintext, please treat it as transitional and plan to move all clients to TLS.
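To make the rule in the comment above concrete for the reporter's frps.toml (force = false with a trustedCaFile set), here is an added Go model, written for this page and not frp's own code, of how the effective TLS policy is derived and how a new control connection is then accepted or rejected. The first-byte value and the "non-empty path means valid CA file" shortcut are assumptions of this model.

```go
package main

import (
	"errors"
	"fmt"
)

// ServerTLSConfig models the frps.toml transport.tls.* keys from this issue.
// Simplified model for illustration; it is not frp's own code.
type ServerTLSConfig struct {
	Force         bool   // transport.tls.force as written in the file
	TrustedCaFile string // transport.tls.trustedCaFile
}

// EffectiveTLSOnly applies the rule from the maintainer's comment: a configured
// trusted CA file turns on TLS-only mode even when force = false is written.
// Assumption: a non-empty path stands in for "the file content is valid".
func EffectiveTLSOnly(c ServerTLSConfig) bool {
	return c.Force || c.TrustedCaFile != ""
}

// ErrNonTLSOnTLSOnly is the server-side message the reporter expected to see.
var ErrNonTLSOnTLSOnly = errors.New("non-TLS connection received on a TlsOnly server")

// frpTLSHeadByte: the client sends one marker byte ahead of the TLS handshake so
// the server can serve TLS and plaintext clients on one port. Assumed value.
const frpTLSHeadByte byte = 0x17

// Dispatch decides how the server treats a new control connection from its
// first byte: "tls", "plaintext", or an error when plaintext is not permitted.
func Dispatch(c ServerTLSConfig, first byte) (string, error) {
	if first == frpTLSHeadByte {
		return "tls", nil
	}
	if EffectiveTLSOnly(c) {
		return "", ErrNonTLSOnTLSOnly
	}
	return "plaintext", nil
}

func main() {
	// The reporter's frps.toml: force = false, but a trustedCaFile is set.
	reporter := ServerTLSConfig{Force: false, TrustedCaFile: "ssl/ca.crt"}
	fmt.Println("effective TLS-only:", EffectiveTLSOnly(reporter)) // true

	// A TLS client is accepted; a plaintext client (first byte 0x00 assumed)
	// is rejected, which is what the reporter's second frpc run hit.
	for _, b := range []byte{0x17, 0x00} {
		mode, err := Dispatch(reporter, b)
		fmt.Printf("first byte 0x%02x -> mode=%q err=%v\n", b, mode, err)
	}
}
```

The takeaway for operators: removing transport.tls.trustedCaFile (not just writing force = false) is what keeps plaintext clients admitted, at the cost of the server no longer verifying frpc identity.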


@Simon-Blandford-Onepoint commented on GitHub (Jan 21, 2026):

Please don't remove the non-encrypted option. If there are already a number of SSH tunnels set up then (1) it is already encrypted and doesn't need more encryption and (2) the change is disruptive for anyone who has already set up a lot of clients.

Update: I have just understood how this encryption actually works and didn't even realise I was already using it. Please ignore above comment. It's not so bad after all (since it is transparent and doesn't add complexity)!
https://gofrp.org/en/docs/features/common/network/network-tls/


@github-actions[bot] commented on GitHub (Feb 5, 2026):

Issues go stale after 14d of inactivity. Stale issues rot after an additional 3d of inactivity and eventually close.
