SixGenInc / Noctilucent

Using TLS 1.3 to evade censors, bypass network defenses, and blend in with the noise

ESNI blocked in China #3

Open onoketa opened 4 years ago

onoketa commented 4 years ago

We found that ESNI was blocked in China several days ago. Here is a detailed technical report: https://geneva.cs.umd.edu/posts/china-censors-esni/esni/

We have found several ways to circumvent this censorship.

I have a similar tool using ESNI and Websocket to bypass the firewall: github.com/iyouport-org/relaybaton

SixGenInc commented 4 years ago

I saw the news on China, that's unfortunate. Cloudflare is now blocking the unique feature of Noctilucent - sending an ESNI and SNI. I've updated the readme to point users to your tool. It looks great!

zyongqing commented 4 years ago

When sending ESNI with SNI, it failed with the error message: tls: illegal parameter

```
[root@localhost]# ./noctilucent-client-linux -TLSHost cloudflare.com -esni -ESNIServerName defcon28.hackthis.computer -HostHeader defcon28.hackthis.computer -serverName cloudflare.com -preserveSNI
[+] Using resolver: https://doh.dns.sb/dns-query
[+] Successfully queried _esni TXT record for host: cloudflare.com
[=] TLS 1.3 with TLS_CHACHA20_POLY1305_SHA256
[=] ESNI host set to: defcon28.hackthis.computer
[=] SNI host set to: cloudflare.com
[+] Connecting to https://cloudflare.com:443
[E] handshake failed: local error: tls: illegal parameter
```

SixGenInc commented 4 years ago

See the update at the top of the readme. Cloudflare is now blocking ClientHellos with both an SNI and an ESNI. You will have to remove the -preserveSNI flag to only send an ESNI and have it accepted by Cloudflare.

zyongqing commented 4 years ago

Got it. Thanks.

sdn-fl commented 3 years ago

Hello, could you please comment on this error?

```
./noctilucent-client-macOS -TLSHost cloudflare.com -esni -ESNIServerName defcon28.hackthis.computer -HostHeader defcon28.hackthis.computer -serverName cloudflare.com
[+] Using resolver: https://dns.rubyfish.cn/dns-query
[E] Error getting the url
[E] Error: Get "https://dns.rubyfish.cn/dns-query?name=_esni.cloudflare.com&type=TXT": x509: certificate signed by unknown authority
[+] Using resolver: https://doh-jp.blahdns.com/dns-query
[E] Error getting the url
[E] Error: Get "https://doh-jp.blahdns.com/dns-query?name=_esni.cloudflare.com&type=TXT": x509: certificate signed by unknown authority
[+] Using resolver: https://trr.dns.nextdns.io/dns-query
[E] Error getting the url
[E] Error: Get "https://trr.dns.nextdns.io/dns-query?name=_esni.cloudflare.com&type=TXT": x509: certificate signed by unknown authority
[+] Using resolver: https://dns10.quad9.net/dns-query
[E] Error getting the url
[E] Error: Get "https://dns10.quad9.net/dns-query?name=_esni.cloudflare.com&type=TXT": x509: certificate signed by unknown authority
[+] Using resolver: https://cloudflare-dns.com/dns-query
[E] Error getting the url
[E] Error: Get "https://cloudflare-dns.com/dns-query?name=_esni.cloudflare.com&type=TXT": x509: certificate signed by unknown authority
[+] Using resolver: https://dns.google/dns-query
[E] Error getting the url
[E] Error: Get "https://dns.google/dns-query?name=_esni.cloudflare.com&type=TXT": x509: certificate signed by unknown authority
[+] Using resolver: https://doh.securedns.eu/dns-query
[E] Error getting the url
[E] Error: Get "https://doh.securedns.eu/dns-query?name=_esni.cloudflare.com&type=TXT": x509: certificate signed by unknown authority
[+] Using resolver: https://mozilla.cloudflare-dns.com/dns-query
[E] Error getting the url
[E] Error: Get "https://mozilla.cloudflare-dns.com/dns-query?name=_esni.cloudflare.com&type=TXT": x509: certificate signed by unknown authority
[+] Using resolver: https://doh-de.blahdns.com/dns-query
[E] Error getting the url
[E] Error: Get "https://doh-de.blahdns.com/dns-query?name=_esni.cloudflare.com&type=TXT": x509: certificate signed by unknown authority
[+] Using resolver: https://doh-fi.blahdns.com/dns-query
[E] Error getting the url
[E] Error: Get "https://doh-fi.blahdns.com/dns-query?name=_esni.cloudflare.com&type=TXT": x509: certificate signed by unknown authority
[+] Using resolver: https://dns.dns-over-https.com/dns-query
[E] Error getting the url
[E] Error: Get "https://dns.dns-over-https.com/dns-query?name=_esni.cloudflare.com&type=TXT": x509: certificate signed by unknown authority
[+] Using resolver: https://doh-2.seby.io/dns-query
[E] Error getting the url
[E] Error: Get "https://doh-2.seby.io/dns-query?name=_esni.cloudflare.com&type=TXT": x509: certificate signed by unknown authority
[+] Using resolver: https://dns.twnic.tw/dns-query
[E] Error getting the url
[E] Error: Get "https://dns.twnic.tw/dns-query?name=_esni.cloudflare.com&type=TXT": x509: certificate signed by unknown authority
[+] Using resolver: https://doh.dns.sb/dns-query
[E] Error getting the url
[E] Error: Get "https://doh.dns.sb/dns-query?name=_esni.cloudflare.com&type=TXT": x509: certificate signed by unknown authority
[E] Failed to retrieve ESNI keys for host via DoH: no resolver could be reached
[+] Successfully queried _esni TXT record for host: cloudflare.com
[=] TLS 1.3 with TLS_CHACHA20_POLY1305_SHA256
[=] ESNI host set to: defcon28.hackthis.computer
[=] SNI host has been unset
[+] Connecting to https://cloudflare.com:443
[+] TLS handshake complete
[+] Sending GET request:
GET / HTTP/1.1
Host: defcon28.hackthis.computer
User-Agent: ESNI_FRONT_TEST
Accept: */*
Connection: close

[+] GET request sent
[=] Reponse:
HTTP/1.1 530
Date: Sat, 05 Dec 2020 15:10:39 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Frame-Options: SAMEORIGIN
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
CF-RAY: 5fceb1f70dd905dc-FRA
Server: cloudflare

fde
<!DOCTYPE html>
... Origin DNS error | defcon28.hackthis.computer | Cloudflare ...
```

SixGenInc commented 3 years ago

@sdn-fl the test server was down. It is back up now and your command should return "Hello DEF CON!" In the future, feel free to run your own server to test against. The code to do so is available in the server directory and instructions for how to use it are in the README here: https://github.com/SixGenInc/Noctilucent#test-client

Selous05 commented 3 years ago

@SixGenInc Isn't there any way of forcing or going around the -preserveSNI parameter to enable noctilucent to work with it?

SixGenInc commented 3 years ago

@Selous05 Cloudflare has made a change that rejects ClientHellos with both an SNI and an ESNI TLS extension. There is no way around this unless another CDN allows both SNI and ESNI together. ESNI alone still provides some "masking", but the ability to use built-in allowlists in firewalls (like the PA demos) is no longer possible due to the change by Cloudflare.
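What an on-path device actually sees in the cases this thread discusses, as an added example that is not Noctilucent's code and not Cloudflare's: a Go parser that walks a TLS ClientHello record, reports whether the cleartext server_name extension and the draft-ietf-tls-esni-02 encrypted_server_name extension (type 0xffce, the draft Cloudflare deployed) are present, and applies the verdict the thread describes (both together rejected, ESNI alone accepted). The HelloSummary type, the verdict strings and the BuildClientHello helper are this example's own inventions; BuildClientHello fabricates its input with a zeroed random, a single cipher suite and filler bytes in place of a real ClientEncryptedSNI body, which the parser never inspects anyway.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// RFC 6066 server_name, and encrypted_server_name (0xffce) from draft-ietf-tls-esni-02, the draft Cloudflare deployed.
const (
	extServerName = 0x0000
	extESNI       = 0xffce
)

// HelloSummary is all a keyless on-path device (firewall, CDN edge) can learn from a ClientHello.
type HelloSummary struct {
	HasSNI, HasESNI bool
	SNI             string
}

// Verdict applies the policy the thread describes: both extensions together are rejected, ESNI alone is accepted.
func (h HelloSummary) Verdict() string {
	switch {
	case h.HasSNI && h.HasESNI:
		return "reject: illegal_parameter (SNI and ESNI together)"
	case h.HasESNI:
		return "accept: ESNI only, hostname hidden from the network"
	}
	return fmt.Sprintf("accept: cleartext SNI %q", h.SNI)
}

func u16(b []byte, p int) int { return int(binary.BigEndian.Uint16(b[p:])) }

// ParseClientHello walks one TLS record carrying a ClientHello and reports its server_name and
// encrypted_server_name extensions. Out-of-range reads on a truncated hello panic; the deferred
// recover turns them into an error instead of bounds-checking every field by hand.
func ParseClientHello(rec []byte) (s HelloSummary, err error) {
	defer func() {
		if recover() != nil {
			s, err = HelloSummary{}, errors.New("truncated ClientHello")
		}
	}()
	if rec[0] != 0x16 || u16(rec, 3) != len(rec)-5 || rec[5] != 0x01 || // record and handshake headers
		int(rec[6])<<16|int(rec[7])<<8|int(rec[8]) != len(rec)-9 {
		return s, errors.New("malformed ClientHello record")
	}
	p := 9 + 2 + 32      // past both headers, legacy_version and random
	p += 1 + int(rec[p]) // session_id
	p += 2 + u16(rec, p) // cipher_suites
	p += 1 + int(rec[p]) // legacy_compression_methods
	if u16(rec, p) != len(rec)-p-2 {
		return s, errors.New("extensions length mismatch")
	}
	for p += 2; p < len(rec); {
		typ, n := u16(rec, p), u16(rec, p+2)
		body := rec[p+4 : p+4+n]
		p += 4 + n
		switch typ {
		case extServerName: // ServerNameList{len(2)}{name_type(1)=host_name, len(2), name}
			if u16(body, 0) != len(body)-2 || body[2] != 0 || u16(body, 3) != len(body)-5 {
				return s, errors.New("malformed server_name extension")
			}
			s.HasSNI, s.SNI = true, string(body[5:])
		case extESNI:
			s.HasESNI = true // body is ciphertext; presence is all a middlebox can see
		}
	}
	return s, nil
}

func be16(b []byte, v int) []byte { return append(b, byte(v>>8), byte(v)) }

// BuildClientHello is constructed test input, not a wire capture: a minimal ClientHello offering
// TLS_CHACHA20_POLY1305_SHA256 with an optional SNI and a placeholder (not real) ESNI body.
func BuildClientHello(sni string, withESNI bool) []byte {
	var exts []byte
	if sni != "" {
		name := append(be16(append(be16(nil, 3+len(sni)), 0), len(sni)), sni...)
		exts = append(be16(be16(exts, extServerName), len(name)), name...)
	}
	if withESNI {
		exts = append(be16(be16(exts, extESNI), 6), 0x13, 0x01, 0xde, 0xad, 0xbe, 0xef)
	}
	ch := append([]byte{0x03, 0x03}, make([]byte, 32)...)     // legacy_version, zeroed random
	ch = append(ch, 0x00, 0x00, 0x02, 0x13, 0x03, 0x01, 0x00) // session_id, suites, compression
	ch = append(be16(ch, len(exts)), exts...)
	hs := append([]byte{0x01, byte(len(ch) >> 16), byte(len(ch) >> 8), byte(len(ch))}, ch...)
	return append(be16([]byte{0x16, 0x03, 0x01}, len(hs)), hs...)
}

func main() {
	for _, rec := range [][]byte{
		BuildClientHello("cloudflare.com", false), // plain SNI: what a firewall allowlist matches on
		BuildClientHello("", true),                // ESNI only: noctilucent without -preserveSNI
		BuildClientHello("cloudflare.com", true),  // SNI + ESNI: the -preserveSNI case
	} {
		s, err := ParseClientHello(rec)
		fmt.Printf("sni=%-16q esni=%-5v err=%v  %s\n", s.SNI, s.HasESNI, err, s.Verdict())
	}
}
```

The third case is the -preserveSNI ClientHello from the thread: both extensions are visible in cleartext, which is exactly the combination that now fails the handshake. The second case shows the trade-off in the last comment above: with only an ESNI the parser recovers no hostname at all, so a firewall allowlist keyed on SNI has nothing to match, while a device that simply blocks any hello carrying type 0xffce can still single it out.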