Jigsaw-Code / Intra

An experimental tool that allows you to test new DNS-over-HTTPS services on Android
Apache License 2.0

TLS CIPHER SUITE #476

Open PutinEvilRex opened 1 year ago

PutinEvilRex commented 1 year ago

Hello. What's up? I have a problem with your app Intra for DNS over HTTPS. I live in Turkmenistan, and here your app is blocked by the CLIENT HELLO message. Intra has a specific TLS fingerprint. My country blocked this fingerprint. I need to change the TLS cipher suite of the app. But I am not a programmer, I don't know what I need to do. If it is not difficult for you, please tell me how I can solve this problem. Your help will give us freedom on the internet.

PutinEvilRex commented 1 year ago

Please help

bemasc commented 1 year ago

How were you able to determine that the blocking is based on the TLS fingerprint?

PutinEvilRex commented 1 year ago

> How were you able to determine that the blocking is based on the TLS fingerprint?

I have checked it in Wireshark. Intra sends client hello message but server is not responding with Server Hello.

V2rayng wasn't working with this problem too. But I put the Chrome cipher suite in the v2rayng app, and it is working now. But I don't know how to do it with Intra.

bemasc commented 1 year ago

Thanks. This could be done using uTLS but it would require a code change.

PutinEvilRex commented 1 year ago

> Thanks. This could be done using uTLS but it would require a code change.

It is very hard for me. What can I do? Maybe you have another solution?

bemasc commented 1 year ago

You could try using the Secure DNS support in your platform. Most operating systems and browsers now have built-in support.

PutinEvilRex commented 1 year ago

> You could try using the Secure DNS support in your platform. Most operating systems and browsers now have built-in support.

I've checked it too. It works, but it is not opening YouTube. I have the ability to ping YouTube.com, but YouTube is not working.

I've tried an analog of the Intra app. It was Nebula from the Play Market. I have a connection to the DNS over HTTPS server with Nebula, but YouTube is not working.

Only Intra opens YouTube. Other apps do not work with YouTube.

PutinEvilRex commented 1 year ago

All VPS IPs are blocked in our country. Only PHP shared hosting IPs are not blocked here, because the government understands that people have no ability to create a VPN server on shared hosting. And all public DNS over HTTPS servers are blocked too. But I am using shared hosting as a proxy for Google DNS. It is very important for us. Only Intra helps us to bypass the great firewall.

PutinEvilRex commented 1 year ago

If you have some idea what to do, please tell me. I am not asking only for me, I am asking for my people. If you help us, thousands will have the ability to watch YouTube for free.

bemasc commented 1 year ago

Could you share a packet capture (i.e. PCAP file) of the Intra traffic from Wireshark? Intra should be splitting the TLS ClientHello into two TCP segments, so I'm interested to see if that is working correctly and is visible in your PCAP.

(Please make sure not to publish any personally identifying information in the PCAP, such as your client IP address.)

fortuna commented 1 year ago

@PutinEvilRex does your DoH resolver work with other apps like https://github.com/SadeghHayeri/GreenTunnel ?

I tested and it seems that ClientHello splitting still works in Turkmenistan to bypass SNI-based blocking. It's strange that they would reassemble to fingerprint TLS, but not to block by SNI.

Yeah, pcaps would help. If you'd like, you can share with me and we can take a look. You can send it to me via chat on Keybase: https://keybase.io/fortuna.

Or paste an anonymized text output of tshark/tcpdump here.

PutinEvilRex commented 1 year ago

You can take a look.

PutinEvilRex commented 1 year ago

Thanks anyway. Thanks for your attention.

fortuna commented 1 year ago

Thanks for the file.

I see that the server keeps resending the SYN/ACK. That suggests to me that it never sees the client ACK:


I'm deleting the posts with the PCAP and IP addresses because those are sensitive information.

fortuna commented 1 year ago

@bemasc had mentioned that we get a TCP reset. Some examples:

fortuna commented 1 year ago

@bemasc also observed that the TTL for the reset (124) is different than that of the SYN/ACK (49):

fortuna commented 1 year ago

I noticed that the SYN/ACK retransmissions stop after the TCP RST, which makes me guess that the RST is also sent to the server. Ignoring the RST on the client side would not be enough.
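To make the three symptoms discussed in this thread (ClientHello split into two segments, repeated SYN/ACK retransmissions, and a RST whose IP TTL does not match the server's SYN/ACK TTL) easy to check in a capture, here is an added example that is not part of the Intra project. It works on constructed packet summaries of the kind you get from a reduced tshark/tcpdump listing; the IPs, TTLs and the 3-hop TTL tolerance are assumptions, not values from the deleted PCAP.

```python
from collections import namedtuple

# Packet summary as a practitioner would reduce a tshark/tcpdump listing to.
Pkt = namedtuple("Pkt", "src dst flags ttl payload_len")

# Constructed sample flow mirroring the symptoms in this thread (values are made up).
SAMPLE_PACKETS = [
    Pkt("10.0.0.2", "203.0.113.5", "S", 64, 0),      # client SYN
    Pkt("203.0.113.5", "10.0.0.2", "SA", 49, 0),     # server SYN/ACK, TTL 49
    Pkt("10.0.0.2", "203.0.113.5", "A", 64, 0),      # client ACK
    Pkt("10.0.0.2", "203.0.113.5", "PA", 64, 100),   # first ClientHello segment
    Pkt("10.0.0.2", "203.0.113.5", "PA", 64, 417),   # second ClientHello segment
    Pkt("203.0.113.5", "10.0.0.2", "R", 124, 0),     # RST with TTL 124, unlike the SYN/ACK
    Pkt("203.0.113.5", "10.0.0.2", "SA", 49, 0),     # SYN/ACK retransmitted
    Pkt("203.0.113.5", "10.0.0.2", "SA", 49, 0),     # SYN/ACK retransmitted again
]

# Assumed tolerance: a genuine server RST may differ by a hop or two, not by ~75.
TTL_TOLERANCE = 3


def analyze(packets, client, server):
    """Summarise one client->server TCP flow for the three signs discussed here."""
    synack_ttls = []
    rst_ttls = []
    client_data_segments = 0
    for p in packets:
        if p.src == server and p.dst == client:
            if "S" in p.flags and "A" in p.flags:
                synack_ttls.append(p.ttl)
            elif "R" in p.flags:
                rst_ttls.append(p.ttl)
        elif p.src == client and p.dst == server and p.payload_len > 0:
            # Counting data segments is a heuristic for a split ClientHello;
            # a full check would reassemble the TLS record.
            client_data_segments += 1
    base_ttl = synack_ttls[0] if synack_ttls else None
    suspicious = [
        {"rst_ttl": t, "synack_ttl": base_ttl}
        for t in rst_ttls
        if base_ttl is not None and abs(t - base_ttl) > TTL_TOLERANCE
    ]
    return {
        "synack_retransmissions": max(len(synack_ttls) - 1, 0),
        "clienthello_split": client_data_segments >= 2,
        "suspicious_rst": suspicious,  # RSTs that likely came from a middlebox
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_PACKETS, "10.0.0.2", "203.0.113.5"))
```

A RST that arrives with a TTL far from the server's own packets, followed by the server still retransmitting its SYN/ACK, is consistent with the injected reset fortuna describes rather than a reset sent by the resolver itself.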

Ne0xor16 commented 8 months ago

> How were you able to determine that the blocking is based on the TLS fingerprint?
>
> I have checked it in Wireshark. Intra sends client hello message but server is not responding with Server Hello.
>
> V2rayng wasn't working with this problem too. But I put the Chrome cipher suite in the v2rayng app, and it is working now. But I don't know how to do it with Intra.

And how did you change the fingerprint on v2rayng?