Re: [tor-bugs] #25804 [Obfuscation/Snowflake]: Domain fronting to App Engine stopped working
#25804: Domain fronting to App Engine stopped working
-----------------------------------+------------------------
Reporter: dcf | Owner: (none)
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Obfuscation/Snowflake | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
-----------------------------------+------------------------
Comment (by dcf):
Replying to [comment:2 cypherpunks]:
> > <p>This HTTP request has a Host header that is not covered \
> > by the TLS certificate used. Due to an infrastructure change, \
> > this request cannot be processed.</p></body></html>
>
> No domain fronting to App Engine but works without SNI
I confirm that this is the case. Resolve www.google.com to an IP address,
access the server via its IP address (need to override the certificate
check) and pass a Host header:
{{{
$ dig +short www.google.com
172.217.11.164
$ wget --content-on-error --save-header --no-check-certificate -q -O- https://172.217.11.164/ip --header 'Host: snowflake-reg.appspot.com'
HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
X-Cloud-Trace-Context: b0805cfcb7d0d60a3f5352c65879afaa
Date: Sun, 15 Apr 2018 22:18:54 GMT
Server: Google Frontend
Content-Length: 13
Alt-Svc: hq=":443"; ma=2592000; quic=51303432; quic=51303431; quic=51303339; quic=51303335,quic=":443"; ma=2592000; v="42,41,39,35"
X.X.X.X
}}}
Related meek ticket (not implemented):
* #12208: Make it possible to use an IP address as a front
If someone has a ticket for SNI-less Snowflake rendezvous, it would be
very welcome. The relevant code is here:
https://gitweb.torproject.org/pluggable-transports/snowflake.git/tree/client/rendezvous.go?id=c61336c897b5d21cc94a21241e98b33df5dcbf78#n61
Here is a cheesy proof of concept. It's not suitable because it disables
certificate verification (`InsecureSkipVerify`). What's needed is another
parameter to verify the certificate ''as if'' we had accessed
www.google.com (or other specific domain).
{{{#!diff
diff --git a/client/rendezvous.go b/client/rendezvous.go
index cab7f5a..c74e041 100644
--- a/client/rendezvous.go
+++ b/client/rendezvous.go
@@ -14,9 +14,11 @@ package main
import (
"bufio"
"bytes"
+ "crypto/tls"
"errors"
"io/ioutil"
"log"
+ "net"
"net/http"
"net/url"
"os"
@@ -46,6 +48,10 @@ type BrokerChannel struct {
func CreateBrokerTransport() http.RoundTripper {
transport := http.DefaultTransport.(*http.Transport)
transport.Proxy = nil
+ // haxxx
+ transport.TLSClientConfig = &tls.Config{
+ InsecureSkipVerify: true,
+ }
return transport
}
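Review bot: the `transport.TLSClientConfig` assignment in `CreateBrokerTransport` is made on the `*http.Transport` taken from `http.DefaultTransport`, so `InsecureSkipVerify: true` applies to the process-wide default transport and to any other code that uses it, not only to the broker channel. Build a separate `http.Transport` for the broker, and pair the skip with a `VerifyPeerCertificate` callback that checks the chain against the intended front name, so the connection is still authenticated when no SNI is sent.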
@@ -61,9 +67,17 @@ func NewBrokerChannel(broker string, front string,
transport http.RoundTripper)
bc := new(BrokerChannel)
bc.url = targetURL
if "" != front { // Optional front domain.
- log.Println("Domain fronting using:", front)
+ var addr net.Addr
+ addr, err = net.ResolveIPAddr("ip", front)
+ if nil != err {
+ addr, err = net.ResolveTCPAddr("tcp", front)
+ if nil != err {
+ return nil
+ }
+ }
+ log.Println("Domain fronting using:", addr)
bc.Host = bc.url.Host
- bc.url.Host = front
+ bc.url.Host = addr.String()
}
bc.transport = transport
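Review bot: `net.ResolveIPAddr("ip", front)` also accepts host names, so a front given as a domain is resolved and `bc.url.Host = addr.String()` then always holds an IP literal; the existing SNI-based fronting path is replaced rather than kept as an option. Consider branching on `net.ParseIP(front)` so that only a literal IP takes the new path. The `return nil` on a resolution failure drops `err` without logging it, and `addr.String()` on an IPv6 `net.IPAddr` yields an unbracketed host that is not valid in a URL.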
}}}
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/25804#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online