cbeuw / Cloak

A censorship circumvention tool to evade detection by authoritarian state adversaries
GNU General Public License v3.0

CDN mode not working: transport TLS in correct format but not Cloak: cipher: message authentication failed #84

Open NuLL3rr0r opened 4 years ago

NuLL3rr0r commented 4 years ago

As can be seen, domain fronting works with curl:

$ curl -s -H "Host: mamadou-verizon-c1.azureedge.net" https://ajax.aspnetcdn.com
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
         "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
    <head>
        <title>404 - Not Found</title>
    </head>
    <body>
        <h1>404 - Not Found</h1>
    </body>
</html>

But when I try it with Cloak, the Cloak log says:

WARN[0147] transport TLS in correct format but not Cloak: cipher: message authentication failed  UID= encryptionMethod=0 proxyMethod= remoteAddr="XXX.XXX.XXX.XXX:34095" sessionId=0

And the client says:

ERRO[0012] Failed to prepare connection to remote: failed to handshake: malformed HTTP response "\x00\x00\x1e\x04\x00\x00\x00\x00\x00\x00\x01\x00\x00\x10\x00\x00\x03\x00\x00\x00d\x00\x04\x00\x10\x00\x00\x00\x05\x00\x00@\x00\x00\x06\x00\x00@\x00\x00\x00\x04\b\x00\x00\x00\x00\x00\x00\x0f\x00\x01\x00\x00\b\a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01" 

Of course, if I set it to direct instead of CDN it works.

My Shadowsocks config:

{
    "server":"XXX.XXX.XXX.XXX",
    "server_port":443,
    "local_address":"127.0.0.1",
    "local_port":1080,
    "user":"nobody",
    "password":"PASSWORD",
    "timeout":600,
    "method":"chacha20-ietf-poly1305",
    "mode":"tcp_and_udp",
    "reuse_port":true,
    "fast_open":true,
    "no-delay":true,
    "plugin":"/usr/local/bin/ck-client",
    "plugin_opts":"/etc/shadowsocks-libev/ckclient.json"
}

My Cloak ckclient.json:

{
  "Transport": "CDN",
  "ProxyMethod": "shadowsocks",
  "EncryptionMethod": "plain",
  "UID": "ADMINUID",
  "PublicKey": "PUBLICKEY",
  "ServerName": "ajax.aspnetcdn.com",
  "NumConn": 4,
  "BrowserSig": "chrome",
  "StreamTimeout": 300
}

My ckserver.json on Azure VPS:

{
  "ProxyBook": {
    "shadowsocks": [
      "tcp",
      "127.0.0.1:8388"
    ],
    "openvpn": [
      "udp",
      "127.0.0.1:8389"
    ],
    "tor": [
      "tcp",
      "127.0.0.1:9001"
    ]
  },
  "BindAddr": [
    ":443",
    ":80"
  ],
  "BypassUID": [
    "ADMINUID"
  ],
  "RedirAddr": "ajax.aspnetcdn.com",
  "PrivateKey": "PRIVATEKEY",
  "AdminUID": "ADMINUI",
  "DatabasePath": "userinfo.db",
  "StreamTimeout": 300
}

Any ideas?
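The byte string quoted in the client error above is not arbitrary garbage: it decodes as three HTTP/2 frames (SETTINGS, WINDOW_UPDATE, then a GOAWAY with PROTOCOL_ERROR), which is the diagnostic worth knowing when a CDN-mode handshake fails this way. The following is an added example, not part of the issue or of Cloak's code; it re-types the bytes from the error message (Go's `\a` and `\b` escapes are 0x07 and 0x08) and parses them with a minimal RFC 7540 frame reader. That the peer was speaking HTTP/2 where an HTTP/1.1 WebSocket upgrade was expected is an inference from these bytes, not something the issue states.

```python
import struct

# Bytes copied from the "malformed HTTP response" error in the issue above,
# converted from Go %q escaping to a Python bytes literal.
CLIENT_ERROR_BODY = (
    b"\x00\x00\x1e\x04\x00\x00\x00\x00\x00\x00\x01\x00\x00\x10\x00\x00\x03\x00"
    b"\x00\x00d\x00\x04\x00\x10\x00\x00\x00\x05\x00\x00@\x00\x00\x06\x00\x00@\x00"
    b"\x00\x00\x04\x08\x00\x00\x00\x00\x00\x00\x0f\x00\x01"
    b"\x00\x00\x08\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01"
)

FRAME_TYPES = {0x4: "SETTINGS", 0x7: "GOAWAY", 0x8: "WINDOW_UPDATE"}
SETTINGS_IDS = {1: "HEADER_TABLE_SIZE", 3: "MAX_CONCURRENT_STREAMS",
                4: "INITIAL_WINDOW_SIZE", 5: "MAX_FRAME_SIZE",
                6: "MAX_HEADER_LIST_SIZE"}
ERROR_CODES = {0: "NO_ERROR", 1: "PROTOCOL_ERROR"}


def parse_h2_frames(data):
    """Split raw bytes into HTTP/2 frames (RFC 7540 section 4.1: 24-bit length,
    8-bit type, 8-bit flags, 31-bit stream id) and decode the payloads of the
    three frame types that appear in the issue."""
    frames, pos = [], 0
    while pos + 9 <= len(data):
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype, flags = data[pos + 3], data[pos + 4]
        stream_id = struct.unpack(">I", data[pos + 5:pos + 9])[0] & 0x7FFFFFFF
        payload = data[pos + 9:pos + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame at offset %d" % pos)
        frame = {"type": FRAME_TYPES.get(ftype, "0x%02x" % ftype),
                 "flags": flags, "stream": stream_id}
        if ftype == 0x4:   # SETTINGS: sequence of (16-bit id, 32-bit value)
            frame["settings"] = {SETTINGS_IDS.get(i, i): v
                                 for i, v in struct.iter_unpack(">HI", payload)}
        elif ftype == 0x8:  # WINDOW_UPDATE: 31-bit window increment
            frame["increment"] = struct.unpack(">I", payload)[0] & 0x7FFFFFFF
        elif ftype == 0x7:  # GOAWAY: last stream id, then error code
            last, code = struct.unpack(">II", payload[:8])
            frame["last_stream"] = last & 0x7FFFFFFF
            frame["error"] = ERROR_CODES.get(code, code)
        frames.append(frame)
        pos += 9 + length
    return frames


def looks_like_h2(data):
    """An HTTP/2 server's first bytes are a SETTINGS frame on stream 0; an
    HTTP/1.1 status line ("HTTP/1.1 101 ...") never matches this shape."""
    return (len(data) >= 9 and data[3] == 0x4
            and struct.unpack(">I", data[5:9])[0] & 0x7FFFFFFF == 0)
```

Running `parse_h2_frames(CLIENT_ERROR_BODY)` shows the server advertising 100 concurrent streams and a 1 MiB window, then closing with GOAWAY(PROTOCOL_ERROR) on stream 0, i.e. it rejected what it received as an invalid HTTP/2 preface.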

NuLL3rr0r commented 4 years ago

More debugging information with curl:

curl -v -H "Host: mamadou-verizon-c1.azureedge.net" https://ajax.aspnetcdn.com
*   Trying 152.199.19.160:443...
* TCP_NODELAY set
* Connected to ajax.aspnetcdn.com (152.199.19.160) port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=*.vo.msecnd.net
*  start date: Mar 30 17:48:56 2018 GMT
*  expire date: Mar 30 17:48:56 2020 GMT
*  subjectAltName: host "ajax.aspnetcdn.com" matched cert's "*.aspnetcdn.com"
*  issuer: C=US; ST=Washington; L=Redmond; O=Microsoft Corporation; OU=Microsoft IT; CN=Microsoft IT TLS CA 2
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: mamadou-verizon-c1.azureedge.net
> User-Agent: curl/7.67.0
> Accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Mark bundle as not supporting multiuse
< HTTP/1.1 404 Not Found
< Content-Type: text/html
< Date: Wed, 25 Dec 2019 04:22:50 GMT
< Server: ECAcc (lha/8DD0)
< Content-Length: 345
< 
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
         "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
    <head>
        <title>404 - Not Found</title>
    </head>
    <body>
        <h1>404 - Not Found</h1>
    </body>
</html>
* Connection #0 to host ajax.aspnetcdn.com left intact

cbruegg commented 3 years ago

I believe the problem is that Azure CDN maps HTTP to HTTP and HTTPS to HTTPS, i.e. when you access http://yourcdn.azureedge.net, it forwards to http://yourorigin.azureedge.net and when you access https://yourcdn.azureedge.net, it forwards to https://yourorigin.azureedge.net. With the former, Azure CDN doesn't expect a TLS connection, so it doesn't work. With the latter, Azure tries to establish a real TLS connection to the origin, which also cannot result in a working tunnel.

This actually even affects non-fronted setups. I haven't been able to set up the normal CDN mode of Cloak with Azure either.