Re: [tor-bugs] #14256 [meek]: Clarify whether Cloudflare's Universal SSL thing works with meek
#14256: Clarify whether Cloudflare's Universal SSL thing works with meek
-------------------------+---------------------
Reporter: cypherpunks | Owner: dcf
Type: enhancement | Status: new
Priority: Medium | Milestone:
Component: meek | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Sponsor: |
-------------------------+---------------------
Changes (by abacabadabacaba):
* severity: => Normal
Comment:
I did some experiments with CloudFlare, and here are the results:
When using HTTP/1.1, CloudFlare requires the SNI hostname to match the value
of the `Host` header. If this is violated, HTTP error 403 is returned.
However, when using HTTP/2, the check is less strict. HTTP/2 has a feature
where a single connection can be used with multiple host names as long as
the TLS certificate presented by the server is valid for all those host
names. When using CloudFlare Free SSL, a single certificate is generated
for multiple domains, and it is possible to utilize domain fronting as
long as both the front and the back domain use the same certificate.
I don't know how they choose which domains share a certificate. Also,
these certificates seem to be reissued much more frequently than their
validity period might suggest. As a result, domain fronting with
CloudFlare is possible, but not very convenient.
Anyway, I registered an address https://meek-reflect.cf/ which you can use
for testing. Unfortunately, I don't know any command-line tools that can
send HTTP/2 requests, and constructing HTTP/2 requests by hand is not
trivial. Still, you can use this command to try ~~the voodoo magic of~~
domain fronting for yourself:
{{{
printf 'PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n\0\0\0\4\0\0\0\0\0\0\0\24\1\5\0\0\0\1\202\207\1\17meek-reflect.cf\204' | openssl s_client -quiet -connect spacebitco.in.net:443 -servername spacebitco.in.net -alpn h2
}}}
If you see the text `I’m just a happy little web server.` somewhere in the
output, then it worked.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/14256#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
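As an added example (not part of the ticket or of meek), here is the request from the printf command above decoded in Python: a small HTTP/2 frame splitter plus an HPACK decoder for the static-table representations the request uses, which recover the `:authority` and report where it differs from the TLS SNI name, the mismatch a network defender would look for when detecting fronted HTTP/2 traffic. The bytes are a transcription of the command's octal escapes; the STATIC table subset is taken from RFC 7541 Appendix A.

```python
# Request bytes transcribed from the ticket's printf command (constructed here, not captured).
PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
RAW = (PREFACE
       + b"\x00\x00\x00\x04\x00\x00\x00\x00\x00"   # SETTINGS frame: length 0, flags 0, stream 0
       + b"\x00\x00\x14\x01\x05\x00\x00\x00\x01"   # HEADERS frame: length 20, END_STREAM|END_HEADERS, stream 1
       + b"\x82\x87\x01\x0fmeek-reflect.cf\x84")   # HPACK: GET, https, :authority literal, path /

# Subset of the HPACK static table (RFC 7541 Appendix A) covering the indices used above.
STATIC = {1: (":authority", ""), 2: (":method", "GET"), 4: (":path", "/"), 7: (":scheme", "https")}

def parse_frames(data):
    """Split the bytes after the client preface into (type, flags, stream_id, payload) tuples."""
    if not data.startswith(PREFACE):
        raise ValueError("missing HTTP/2 client connection preface")
    pos, frames = len(PREFACE), []
    while pos + 9 <= len(data):
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype, flags = data[pos + 3], data[pos + 4]
        stream_id = int.from_bytes(data[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        payload = data[pos + 9:pos + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame")
        frames.append((ftype, flags, stream_id, payload))
        pos += 9 + length
    return frames

def decode_hpack(payload):
    """Minimal HPACK decoder: indexed fields and literal-without-indexing with a raw value only."""
    headers, i = [], 0
    while i < len(payload):
        b = payload[i]
        if b & 0x80:                       # 1xxxxxxx: indexed header field (static table only here)
            headers.append(STATIC[b & 0x7F])
            i += 1
        elif (b & 0xF0) == 0:              # 0000xxxx: literal without indexing, name given by index
            strlen = payload[i + 1]
            if strlen & 0x80:
                raise ValueError("Huffman-coded value not handled in this example")
            value = payload[i + 2:i + 2 + strlen].decode("ascii")
            headers.append((STATIC[b & 0x0F][0], value))
            i += 2 + strlen
        else:
            raise ValueError("unsupported HPACK representation 0x%02x" % b)
    return headers

def fronted_authorities(data, sni):
    """Return every :authority in a HEADERS frame (type 0x1) that does not match the TLS SNI name."""
    return [v for t, _, _, p in parse_frames(data) if t == 0x1 for n, v in decode_hpack(p)
            if n == ":authority" and v.lower() != sni.lower()]
```

Run against the command's bytes with the SNI `spacebitco.in.net`, the function reports `meek-reflect.cf` as the fronted authority; with the SNI set to the same name it reports nothing.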