Lochnair / xt_tls

Filter TLS traffic with IPtables
GNU General Public License v3.0

Can't block sites. #24

Closed odkrys closed 5 years ago

odkrys commented 5 years ago

Each browser uses a different TLS form. Only DoH connections show up in the debug log and can be blocked. Is this a bug?

Chrome Latest

Transmission Control Protocol, Src Port: 11001, Dst Port: 443, Seq: 1, Ack: 1, Len: 517
Secure Sockets Layer
    TLSv1.2 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 512
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 508
            Version: TLS 1.2 (0x0303)
            Random: 0dbabf850a38577d6bb93f5fe37e4bf07f9016f9f8db9372...
            Session ID Length: 32
            Session ID: 54462bb6602c0eb7898fc9ee603bc8fcbfede11a9b59053f...
            Cipher Suites Length: 34
            Cipher Suites (17 suites)
            Compression Methods Length: 1
            Compression Methods (1 method)
            Extensions Length: 401
            Extension: Reserved (GREASE) (len=0)
                Type: Reserved (GREASE) (60138)
                Length: 0
                Data: <MISSING>
            Extension: renegotiation_info (len=1)
                Type: renegotiation_info (65281)
                Length: 1
                Renegotiation Info extension
            Extension: server_name (len=15)
                Type: server_name (0)
                Length: 15
                Server Name Indication extension
                    Server Name list length: 13
                    Server Name Type: host_name (0)
                    Server Name length: 10
                    Server Name: github.com
            Extension: extended_master_secret (len=0)
                Type: extended_master_secret (23)
                Length: 0
            Extension: SessionTicket TLS (len=0)
                Type: SessionTicket TLS (35)
                Length: 0
                Data (0 bytes)
            Extension: signature_algorithms (len=20)
                Type: signature_algorithms (13)
                Length: 20
                Signature Hash Algorithms Length: 18
                Signature Hash Algorithms (9 algorithms)
            Extension: status_request (len=5)
                Type: status_request (5)
                Length: 5
                Certificate Status Type: OCSP (1)
                Responder ID list Length: 0
                Request Extensions Length: 0
            Extension: signed_certificate_timestamp (len=0)
                Type: signed_certificate_timestamp (18)
                Length: 0
            Extension: application_layer_protocol_negotiation (len=14)
                Type: application_layer_protocol_negotiation (16)
                Length: 14
                ALPN Extension Length: 12
                ALPN Protocol
            Extension: channel_id (len=0)
                Type: channel_id (30032)
                Length: 0
                Data: <MISSING>
            Extension: ec_point_formats (len=2)
                Type: ec_point_formats (11)
                Length: 2
                EC point formats Length: 1
                Elliptic curves point formats (1)
            Extension: key_share (len=43)
                Type: key_share (51)
                Length: 43
                Key Share extension
            Extension: psk_key_exchange_modes (len=2)
                Type: psk_key_exchange_modes (45)
                Length: 2
                PSK Key Exchange Modes Length: 1
                PSK Key Exchange Mode: PSK with (EC)DHE key establishment (psk_dhe_ke) (1)
            Extension: supported_versions (len=11)
                Type: supported_versions (43)
                Length: 11
                Supported Versions length: 10
                Supported Version: Unknown (0x9a9a)
                Supported Version: TLS 1.3 (0x0304)
                Supported Version: TLS 1.2 (0x0303)
                Supported Version: TLS 1.1 (0x0302)
                Supported Version: TLS 1.0 (0x0301)
            Extension: supported_groups (len=10)
                Type: supported_groups (10)
                Length: 10
                Supported Groups List Length: 8
                Supported Groups (4 groups)
            Extension: Unknown type 27 (len=3)
                Type: Unknown (27)
                Length: 3
                Data: 020002
            Extension: Reserved (GREASE) (len=1)
                Type: Reserved (GREASE) (51914)
                Length: 1
                Data: 00
            Extension: padding (len=202)
                Type: padding (21)
                Length: 202
                Padding Data: 000000000000000000000000000000000000000000000000...

IE11

Transmission Control Protocol, Src Port: 11309, Dst Port: 443, Seq: 1, Ack: 1, Len: 189
Secure Sockets Layer
    TLSv1.2 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 184
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 180
            Version: TLS 1.2 (0x0303)
            Random: 5be9bd7031521a32c321b6346798b8c374457e4250d250d7...
            Session ID Length: 0
            Cipher Suites Length: 38
            Cipher Suites (19 suites)
            Compression Methods Length: 1
            Compression Methods (1 method)
            Extensions Length: 101
            Extension: server_name (len=15)
                Type: server_name (0)
                Length: 15
                Server Name Indication extension
                    Server Name list length: 13
                    Server Name Type: host_name (0)
                    Server Name length: 10
                    Server Name: github.com
            Extension: status_request (len=5)
                Type: status_request (5)
                Length: 5
                Certificate Status Type: OCSP (1)
                Responder ID list Length: 0
                Request Extensions Length: 0
            Extension: supported_groups (len=8)
                Type: supported_groups (10)
                Length: 8
                Supported Groups List Length: 6
                Supported Groups (3 groups)
            Extension: ec_point_formats (len=2)
                Type: ec_point_formats (11)
                Length: 2
                EC point formats Length: 1
                Elliptic curves point formats (1)
            Extension: signature_algorithms (len=20)
                Type: signature_algorithms (13)
                Length: 20
                Signature Hash Algorithms Length: 18
                Signature Hash Algorithms (9 algorithms)
            Extension: SessionTicket TLS (len=0)
                Type: SessionTicket TLS (35)
                Length: 0
                Data (0 bytes)
            Extension: application_layer_protocol_negotiation (len=14)
                Type: application_layer_protocol_negotiation (16)
                Length: 14
                ALPN Extension Length: 12
                ALPN Protocol
            Extension: extended_master_secret (len=0)
                Type: extended_master_secret (23)
                Length: 0
            Extension: renegotiation_info (len=1)
                Type: renegotiation_info (65281)
                Length: 1
                Renegotiation Info extension

DoH

Transmission Control Protocol, Src Port: 45760, Dst Port: 443, Seq: 1, Ack: 1, Len: 191
Secure Sockets Layer
    TLSv1.2 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 186
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 182
            Version: TLS 1.2 (0x0303)
            Random: 46109543da2cf932ae26c17d37ef432fdfee3795945a1711...
            Session ID Length: 0
            Cipher Suites Length: 32
            Cipher Suites (16 suites)
            Compression Methods Length: 1
            Compression Methods (1 method)
            Extensions Length: 109
            Extension: next_protocol_negotiation (len=0)
                Type: next_protocol_negotiation (13172)
                Length: 0
            Extension: server_name (len=23)
                Type: server_name (0)
                Length: 23
                Server Name Indication extension
                    Server Name list length: 21
                    Server Name Type: host_name (0)
                    Server Name length: 18
                    Server Name: dns.cloudflare.com
            Extension: status_request (len=5)
                Type: status_request (5)
                Length: 5
                Certificate Status Type: OCSP (1)
                Responder ID list Length: 0
                Request Extensions Length: 0
            Extension: supported_groups (len=10)
                Type: supported_groups (10)
                Length: 10
                Supported Groups List Length: 8
                Supported Groups (4 groups)
            Extension: ec_point_formats (len=2)
                Type: ec_point_formats (11)
                Length: 2
                EC point formats Length: 1
                Elliptic curves point formats (1)
            Extension: signature_algorithms (len=18)
                Type: signature_algorithms (13)
                Length: 18
                Signature Hash Algorithms Length: 16
                Signature Hash Algorithms (8 algorithms)
            Extension: renegotiation_info (len=1)
                Type: renegotiation_info (65281)
                Length: 1
                Renegotiation Info extension
            Extension: application_layer_protocol_negotiation (len=14)
                Type: application_layer_protocol_negotiation (16)
                Length: 14
                ALPN Extension Length: 12
                ALPN Protocol
            Extension: signed_certificate_timestamp (len=0)
                Type: signed_certificate_timestamp (18)
                Length: 0

Dmesg log

[xt_tls] Session ID length: 0
[xt_tls] Cipher len: 32
[xt_tls] Offset (1): 77
[xt_tls] Compression length: 1
[xt_tls] Offset (2): 80
[xt_tls] Extensions length: 109
[xt_tls] Extension ID: 13172
[xt_tls] Extension length: 0
[xt_tls] Extension ID: 0
[xt_tls] Extension length: 23
[xt_tls] Name type: 0
[xt_tls] Name length: 18
[xt_tls] Parsed domain: dns.cloudflare.com
[xt_tls] Domain matches: false, invert: false

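The three captures above all carry an SNI host_name, but they differ in exactly the fields a packet-level matcher has to step over: the record-layer version is 0x0301 for Chrome and the DoH client but 0x0303 for IE11 (both are legitimate for a ClientHello), the session ID is 32 bytes for Chrome and 0 for the others, and server_name is preceded by a GREASE extension and renegotiation_info in Chrome, by next_protocol_negotiation (13172) in the DoH client, and by nothing in IE11. A parser therefore has to walk the extension list by length, skipping GREASE and unknown types, and must not key on the record version or on extension order. The following is an added reference example written for this page; it is not xt_tls code and not a diagnosis of this issue. It includes a small builder that constructs ClientHellos shaped like the three captures (random, cipher suites and other field values are placeholders) and a parser that extracts the SNI the way a netfilter match would, from the start of the TCP payload.

```python
import struct
from typing import Optional

EXT_SERVER_NAME = 0
EXT_PADDING = 21
EXT_RENEGOTIATION_INFO = 0xFF01
EXT_NPN = 13172  # next_protocol_negotiation, as seen in the DoH capture

# RFC 8701 GREASE values: 0x0A0A, 0x1A1A, ..., 0xFAFA (60138 = 0xEAEA, 51914 = 0xCACA above)
GREASE_VALUES = {(v << 8) | v for v in range(0x0A, 0xFB, 0x10)}


def is_grease(ext_type: int) -> bool:
    return ext_type in GREASE_VALUES


def build_client_hello(sni: Optional[str], *, record_version: int = 0x0301,
                       session_id: bytes = b"", leading_exts=(), padding: int = 0) -> bytes:
    """Construct a ClientHello record (sample data for this example, not a real capture)."""
    exts = list(leading_exts)
    if sni is not None:
        host = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host          # name_type host_name(0), length, name
        exts.append((EXT_SERVER_NAME, struct.pack("!H", len(entry)) + entry))
    if padding:
        exts.append((EXT_PADDING, bytes(padding)))
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts)
    body = (b"\x03\x03"                                   # client_version: TLS 1.2 (placeholder)
            + bytes(32)                                   # random (placeholder, all zero)
            + bytes([len(session_id)]) + session_id
            + struct.pack("!H", 4) + b"\x13\x01\xc0\x2b"  # two placeholder cipher suites
            + b"\x01\x00"                                 # one compression method: null
            + struct.pack("!H", len(ext_bytes)) + ext_bytes)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)
    return b"\x16" + struct.pack("!HH", record_version, len(handshake)) + handshake


def parse_client_hello(payload: bytes) -> Optional[dict]:
    """Parse a TLS ClientHello at the start of a TCP payload and return its SNI.

    Returns None when the payload is not a complete ClientHello record (wrong
    content type, not a ClientHello, or the record continues in a later TCP
    segment).  Extension order is not assumed; GREASE, padding and unknown
    extensions are skipped by their length rather than treated as errors.
    """
    def u8(off):
        if off + 1 > len(payload):
            raise IndexError
        return payload[off]

    def u16(off):
        if off + 2 > len(payload):
            raise IndexError
        return struct.unpack_from("!H", payload, off)[0]

    try:
        if u8(0) != 22:                       # ContentType handshake(22)
            return None
        record_version = u16(1)
        record_len = u16(3)
        if 5 + record_len > len(payload):     # hello spans segments: a single-skb matcher cannot see it
            return None
        if u8(5) != 1:                        # HandshakeType client_hello(1)
            return None
        result = {"record_version": record_version, "client_version": u16(9),
                  "session_id_len": u8(43), "extensions": [], "sni": None}
        off = 9 + 2 + 32                      # past record hdr, handshake hdr, client_version, random
        off += 1 + u8(off)                    # session ID
        off += 2 + u16(off)                   # cipher suites
        off += 1 + u8(off)                    # compression methods
        if off >= 5 + record_len:             # no extensions at all (legal for TLS <= 1.2)
            return result
        ext_end = off + 2 + u16(off)
        off += 2
        while off + 4 <= ext_end:
            ext_type, ext_len = u16(off), u16(off + 2)
            off += 4
            result["extensions"].append(ext_type)
            if ext_type == EXT_SERVER_NAME:
                p, list_end = off + 2, off + 2 + u16(off)
                while p + 3 <= list_end:
                    name_type, name_len = u8(p), u16(p + 1)
                    p += 3
                    if name_type == 0:        # host_name
                        if p + name_len > len(payload):
                            return None
                        result["sni"] = payload[p:p + name_len].decode("ascii")
                        break
                    p += name_len
            off += ext_len                    # GREASE, padding, unknown: skip, never reject
        return result
    except IndexError:                        # truncated or inconsistent lengths
        return None


# Constructed samples shaped like the three captures in this issue.
CHROME_LIKE = build_client_hello("github.com", record_version=0x0301, session_id=bytes(32),
                                 leading_exts=[(0x6A6A, b""), (EXT_RENEGOTIATION_INFO, b"\x00")],
                                 padding=202)
IE_LIKE = build_client_hello("github.com", record_version=0x0303)
DOH_LIKE = build_client_hello("dns.cloudflare.com", leading_exts=[(EXT_NPN, b"")])
NO_SNI = build_client_hello(None, leading_exts=[(0xCACA, b"\x00")])

if __name__ == "__main__":
    for label, pkt in [("chrome", CHROME_LIKE), ("ie11", IE_LIKE), ("doh", DOH_LIKE), ("no-sni", NO_SNI)]:
        print(label, parse_client_hello(pkt))
```

Two checks worth running against a real capture before blaming the matcher: confirm the whole ClientHello sits in the first TCP segment (a matcher that inspects one skb returns no SNI for a hello that is split across segments, as the truncated case in the parser does), and confirm the match is placed where it sees the first data segment of the flow rather than a later one.
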
odkrys commented 5 years ago

It works on the mangle table, but it still can't block some sites in testing (e.g. facebook, github, etc.).